Tor and network security/administration
Apologies if this has been brought up before. Being as I'm not a network administrator myself (although I do filter some stuff using pf and ipfw on my servers), I'm curious what NAs think of the following technology: http://tor.eff.org/overview.html.en

The problem I see is that this technology will be used (literally, not ideally) solely for harassment (especially via IRC). I do not see any other practical use for this technology other than that. The whole "right to privacy/anonymity" argument is legitimate, but I do not see people using* Tor for legitimate purposes.

A colleague of mine stated his opinion of my opinion: "Your problem with Tor is that you can't control it, isn't it?" And he's right -- that's the exact problem I have with it.

Comments/concerns?

--
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
On Jun 17, 2006, at 8:29 AM, Jeremy Chadwick wrote:
Apologies if this has been brought up before.
Being as I'm not a network administrator myself (although I do filter some stuff using pf and ipfw on my servers), I'm curious what NAs think of the following technology:
http://tor.eff.org/overview.html.en
The problem I see is that this technology will be used (literally, not ideally) solely for harassment (especially via IRC). I do not see any other practical use for this technology other than that. The whole "right to privacy/anonymity" argument is legitimate, but I do not see people using* Tor for legitimate purposes.
We've had considerable problems with Tor. Idiots who like to use stolen credit cards to buy things online find Tor a nice haven of deniability and covering their tracks. Before we got a little more proactive with it, about 20% of our credit card fraud was coming through IPs that we could confirm were Tor hosts. I spent a few hours with a sheriff in Alabama trying to explain how Tor worked, why people used it, and why, even though he had an IP address for whoever used a 75-year-old woman's credit card number to spend a few hundred dollars on one of our client's sites, it wasn't really their IP.

Our IRC servers and discussion sites also have had to ban all Tor IPs that we've seen because of troublemakers using them to evade bans. Specifically because of the totally unregulated/uncontrolled nature of Tor, they're finding themselves banned from a great many things, which is probably hurting the people it was designed for. Because of one jerk who hopped from one Tor host to the next to get around IP bans on our site, all those IPs are banned now, preventing any legit use of Tor on any of our sites.

I don't find the anonymity a bad thing, but I would be a whole lot happier if the default configuration for people running Tor servers included an option to add HTTP headers saying that it's going through Tor, so we could decide if we wanted to conduct financial transactions with them or not.
On Sat, Jun 17, 2006 at 08:49:43AM -0500, Kevin Day wrote:
On Jun 17, 2006, at 8:29 AM, Jeremy Chadwick wrote:
Being as I'm not a network administrator myself (although I do filter some stuff using pf and ipfw on my servers), I'm curious what NAs think of the following technology:
We've had considerable problems with Tor.
Idiots who like to use stolen credit cards to buy things online find Tor a nice haven of deniability and covering their tracks.
Our IRC servers, and discussion sites also have had to ban all Tor IPs that we've seen because of troublemakers using them to evade bans.
I don't find the anonymity a bad thing, but I would be a whole lot happier if the default configuration for people running Tor servers included an option to add HTTP headers saying that it's going through Tor, so we could decide if we wanted to conduct financial transactions with them or not.
You don't do your financial transactions over HTTPS? If you do, by the very design of SSL, the tor exit node cannot add any HTTP header. That would be a man-in-the-middle attack on SSL. (Unless you count that users will click "accept" on any "this could be a forged certificate" warning.) More generally, tor is not an HTTP proxy, but a TCP proxy. Which doesn't mean it cannot (as in "there is a Turing machine that does it") also go up from layer 4/5 to layer 7 for certain specific application protocols; it would only be harder, ask for more resources from the node, ... -- Lionel
On 6/19/06, Lionel Elie Mamane <lionel@mamane.lu> wrote:
You don't do your financial transactions over HTTPS? If you do, by the very design of SSL, the tor exit node cannot add any HTTP header. That would be a man-in-the-middle attack on SSL.
Which, for an anonymizing network, could be a deliberate situation. Tor users are already encouraged to filter through a localhost instance of a second-stage proxy such as Privoxy. There are other projects underway to provide similar second-stage proxy services, possibly capable of functioning as HTTPS m-i-t-m on an intentional basis. If a user desires to filter browser headers even if SSL-secured, certainly s/he would know why the "forged" SSL certificate warning was being presented by the browser. And there's also the possibility of importing such a proxy's certificate into the browser as a trusted CA -- at which point the proxy could generate a "valid" (from the browser's POV) cert for any remote site. All this is an exercise in social vs. technical vulnerability/security. You cannot fix social vulnerabilities via solely technical methods, and vice versa. -- -- Todd Vierling <tv@duh.org> <tv@pobox.com> <todd@vierling.name>
On Mon, Jun 19, 2006 at 04:25:09PM -0400, Todd Vierling wrote:
On 6/19/06, Lionel Elie Mamane <lionel@mamane.lu> wrote:
You don't do your financial transactions over HTTPS? If you do, by the very design of SSL, the tor exit node cannot add any HTTP header. That would be a man-in-the-middle attack on SSL.
Which, for an anonymizing network, could be a deliberate situation.
Tor users are already encouraged to filter through a localhost instance of a second-stage proxy such as Privoxy. There are other projects underway to provide similar second-stage proxy services, possibly capable of functioning as HTTPS m-i-t-m on an intentional basis. If a user desires to filter browser headers even if SSL-secured, certainly s/he would know why the "forged" SSL certificate warning was being presented by the browser.
The user then loses end-to-end encryption with the final server he wants to connect to. That is unacceptable for a whole range of uses. If a _user_ wants to control browser headers, he can instruct the _browser_ in what headers to send or not.

Let's suppose the tor exit node does this https-man-in-the-middle dance. It is not desirable for all connections, so you need some way for the user to say per connection whether it should happen or not. SOCKS doesn't have such a thing in its protocol, so... you use another protocol and fix all programs on the face of earth to support it? You do a UI call-back where the tor daemon on the user's machine pops up a question "should this HTTPS connection get the extra headers"? So suddenly this daemon needs a UI on the desktop of every single user. Text if that's what the user is using, X11 if that's what he is using, ... And on every single desktop of every logged in user on the system. Wow.

And how do you handle client certificates in there? By the very design of SSL (unless it is _broken_), the tor exit node won't be able to fake that either. And how do you handle the verification of the server certificate? How do you know which CAs the client trusts?

And even if you have solved all this for SSL, then there is the _next_ protocol that you have to "man in the middle fiddle with". This way lies madness.

And above all, it still does not solve your problem. Because the malicious user can choose not to have the additional header added.

-- Lionel
On 6/20/06, Lionel Elie Mamane <lionel@mamane.lu> wrote:
You don't do your financial transactions over HTTPS? If you do, by the very design of SSL, the tor exit node cannot add any HTTP header. That would be a man-in-the-middle attack on SSL.
Which, for an anonymizing network, could be a deliberate situation.
The user then loses end-to-end encryption with the final server he wants to connect to.
Depends on your definition of "end-to-end" -- if one "end" is "an agent on the user's computer", it still fits. But I think you misunderstand the reason for a filtering proxy in the context of anonymizing networks; read on:
That is unacceptable for a whole range of uses. If a _user_ wants to control browser headers, he can instruct the _browser_ in what headers to send or not.
The reason filtering proxies exist (and are popular with anonymizing networks) is because most browsers don't provide a deep level of configurability for this sort of thing.
Let's suppose the tor exit node does this https-man-in-the-middle dance. It is not desirable for all connections, so you need some way for the user to say per connection whether it should happen or not. SOCKS doesn't have such a thing in its protocol, so...
With SOCKS, automated filter control based on IP address (and hostname, if using SOCKS4a or SOCKS5 with DOMAINNAME address type) is trivial.
So suddenly this daemon needs a UI on the desktop of every single user.
Here's where your misunderstanding is evident. The filtering proxy is not at the Tor exit node; it's at the *entry*. Marrying the UI and the user using the proxy is precisely the point -- the filter is controlled by the person using it. Thus the UI is provided to the user who both installed, and is using, the filtering proxy. This is typically the way in which e.g. Privoxy+Tor is used, as Privoxy has no facility for per-user filter settings.
And how do you handle client certificates in there?
Install the client certs into the proxy agent.
And how do you handle the verification of the server certificate? How do you know which CA's the client trusts?
Use the proxy agent's UI to pop up the same sort of dialog-box validation that the browser would traditionally provide. There happen to be ready-made code libraries for just this purpose.
And even if you have solved all this for SSL, then there is the _next_ protocol that you have to "man in the middle fiddle with". This way lies madness.
Filtering proxies target a somewhat narrow-scope but broad-use subset of possible protocols. HTTP + HTTPS cover a pretty huge chunk of traffic and user involvement. Certainly some other common protocols could be filtered for anonymizing purposes in their own ways.
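As an added example (not code from the original thread, nor from Tor or Privoxy), here is the SOCKS5 CONNECT request seen from both sides: encoded by a client and decoded by a local second-stage proxy that applies a per-destination policy of the kind Todd describes. The wire format follows RFC 1928. Two things the prose above only states are visible in the code: the proxy only gets a hostname to match on when the client sends ATYP 0x03 (DOMAINNAME), and a TLS destination (port 443) can be passed through but cannot have its headers filtered without the proxy becoming a local man-in-the-middle. The filtered-domain table and all destinations are constructed.

```python
import socket
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAINNAME = 0x03
ATYP_IPV6 = 0x04

# Constructed policy table for the example: names whose HTTP headers the
# local filtering proxy should scrub before handing the stream to Tor.
FILTERED_DOMAINS = {"tracker.example", "ads.example"}


def encode_connect(host, port):
    """Client side: build a SOCKS5 CONNECT request (RFC 1928 section 4).

    IP literals use ATYP 0x01/0x04; anything else is sent as ATYP 0x03 so the
    proxy resolves the name (SOCKS4a/SOCKS5 DOMAINNAME) and no local DNS
    lookup leaks the destination.
    """
    try:
        body = bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, host)
    except OSError:
        try:
            body = bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, host)
        except OSError:
            name = host.encode("idna")
            if len(name) > 255:
                raise ValueError("hostname too long for SOCKS5 DOMAINNAME")
            body = bytes([ATYP_DOMAINNAME, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def decode_connect(data):
    """Proxy side: parse a CONNECT request into (kind, host, port).

    kind is 'ipv4', 'ipv6' or 'domain'; only 'domain' carries a name the
    proxy can apply a name-based policy to.
    """
    if len(data) < 5 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        end = 4 + 4
        kind, raw = "ipv4", bytes(data[4:end])
    elif atyp == ATYP_IPV6:
        end = 4 + 16
        kind, raw = "ipv6", bytes(data[4:end])
    elif atyp == ATYP_DOMAINNAME:
        end = 5 + data[4]
        kind, raw = "domain", bytes(data[5:end])
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(data) != end + 2:
        raise ValueError("malformed request length")
    if kind == "ipv4":
        host = socket.inet_ntop(socket.AF_INET, raw)
    elif kind == "ipv6":
        host = socket.inet_ntop(socket.AF_INET6, raw)
    else:
        host = raw.decode("idna")
    port = struct.unpack("!H", data[end:end + 2])[0]
    return kind, host, port


def decide(kind, host, port):
    """Per-connection decision a local filtering proxy can make from the
    CONNECT request alone.

    'filter'      - scrub HTTP headers, then forward
    'tls-opaque'  - forward untouched; filtering here would need a local MITM
    'pass'        - not a filtered name, or no name to match on (IP literal)
    """
    if kind != "domain":
        return "pass"
    name = host.lower().rstrip(".")
    for suffix in FILTERED_DOMAINS:
        if name == suffix or name.endswith("." + suffix):
            return "tls-opaque" if port == 443 else "filter"
    return "pass"
```

A browser configured to send hostnames through SOCKS (Firefox's "proxy DNS when using SOCKS v5", for instance) produces the ATYP 0x03 form; a browser that resolves locally and sends an IP literal gives the proxy nothing but an address and a port to decide on.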
On Wed, Jun 21, 2006 at 01:14:52PM -0400, Todd Vierling wrote:
On 6/20/06, Lionel Elie Mamane <lionel@mamane.lu> wrote:
You don't do your financial transactions over HTTPS? If you do, by the very design of SSL, the tor exit node cannot add any HTTP header. That would be a man-in-the-middle attack on SSL.
Which, for an anonymizing network, could be a deliberate situation.
The user then loses end-to-end encryption with the final server he wants to connect to.
Depends on your definition of "end-to-end" -- if one "end" is "an agent on the user's computer", it still fits. But I think you misunderstand the reason for a filtering proxy in the context of anonymizing networks; read on:
So suddenly this daemon needs a UI on the desktop of every single user.
Here's where your misunderstanding is evident. The filtering proxy is not at the Tor exit node; it's at the *entry*.
If the proxy is not at the Tor exit node, how can the tor network enforce the addition of the "this connection went through tor" HTTP header that Kevin Day was asking for? Fundamentally, if you rely on a program sitting on the user's computer adding that header, then malevolent users can not add this header, so Kevin Day's purpose is not served. And that is what is being discussed here.
Let's suppose the tor exit node does this https-man-in-the-middle dance. It is not desirable for all connections, so you need some way for the user to say per connection whether it should happen or not. SOCKS doesn't have such a thing in its protocol, so...
With SOCKS, automated filter control based on IP address (and hostname, if using SOCKS4a or SOCKS5 with DOMAINNAME address type) is trivial.
What I was trying to say was: The SOCKS protocol has no mechanism for the SOCKS proxy to tell the SOCKS client "before I establish that connection, please ask the user that question and report the answer back to me". -- Lionel
On Jun 21, 2006, at 12:43 PM, Lionel Elie Mamane wrote:
If the proxy is not at the Tor exit node, how can the tor network enforce the addition of the "this connection went through tor" HTTP header that Kevin Day was asking for? Fundamentally, if you rely on a program sitting on the user's computer adding that header, then malevolent users can not add this header, so Kevin Day's purpose is not served. And that is what is being discussed here.
Just to chime in before this gets any further off what I meant: I know any intermediary nodes can't inject headers into HTTPS connections, that kinda defeats the purpose of SSL. :)

When doing any financial transaction, before any user enters anything sensitive, we bounce them to an HTTP page first, then look for common proxy headers on that request. If none are found, they're given a cookie that allows them to continue on that IP only for HTTPS transactions for the next 15 minutes.

Failing that, having an exit node look at HTTP headers back from the server that contained a "X-No-Anonymous" header to say that the host at that IP shouldn't allow Tor to use it would work. *Anything* would be better for Tor users if we could keep Tor abuse off our financial services without having to just ban all Tor IPs at the border.

On a credit card transaction page, you have no anonymity anyway, since you're having to give us your credit card number, home address, etc. Yet, until we banned as many known Tor IPs as we could find from our network, Tor IPs accounted for a pretty high percentage of our credit card fraud, and nearly zero non-fraudulent use. Tor IPs had some significant (legitimate) use on some of our other sites, but that's gone because they're all null routed at the border now.

Tor may have some legit uses, but when it's costing us $BIGNUM in credit card fraud, I'm not going to spend too much time trying to only selectively ban it from our network.
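The two-step check Kevin describes above (a plain-HTTP landing page inspected for proxy headers, then a 15-minute token bound to the client IP for the HTTPS part), as an added example that is not code from the original thread or from Kevin's site. The header list is a typical set rather than an exhaustive one, the secret and the sample requests are constructed, and the token format (an HMAC over `ip|expiry`) is one reasonable choice, not the original's.

```python
import hashlib
import hmac
import time

# Request headers that proxies, gateways and anonymizing front-ends commonly
# add. A typical list for the example, not an exhaustive one.
PROXY_HEADERS = {
    "via", "forwarded", "x-forwarded-for", "x-forwarded-host",
    "x-real-ip", "x-proxy-id", "proxy-connection", "x-bluecoat-via",
}

TOKEN_TTL_SECONDS = 15 * 60

# Constructed server-side secret for the example; a deployment loads it from
# a key store, never from source.
SECRET = b"constructed-example-secret-do-not-reuse"


def came_through_proxy(headers):
    """True if any known proxy header is present (names are case-insensitive)."""
    names = {name.lower() for name in headers}
    return bool(names & PROXY_HEADERS)


def issue_token(client_ip, now=None, secret=SECRET):
    """Return 'ip|expiry|mac': honoured only from client_ip and only until expiry."""
    now = int(time.time()) if now is None else int(now)
    expiry = now + TOKEN_TTL_SECONDS
    payload = f"{client_ip}|{expiry}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return f"{client_ip}|{expiry}|{mac}"


def validate_token(token, client_ip, now=None, secret=SECRET):
    """True only if the MAC verifies, the bound IP matches and the token is unexpired."""
    now = int(time.time()) if now is None else int(now)
    try:
        ip, expiry_str, mac = token.split("|")
        expiry = int(expiry_str)
    except ValueError:
        return False
    expected = hmac.new(secret, f"{ip}|{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    return ip == client_ip and now < expiry


def http_precheck(client_ip, headers, now=None):
    """Handler for the plain-HTTP landing page.

    Proxied clients are refused; everyone else gets a token to carry (as a
    cookie) into the HTTPS part. Returns (decision, token_or_None).
    """
    if came_through_proxy(headers):
        return "deny", None
    return "allow", issue_token(client_ip, now)


def https_checkout(client_ip, cookie_token, now=None):
    """Handler for the HTTPS transaction page: the token must be valid for this IP."""
    if validate_token(cookie_token, client_ip, now):
        return "proceed"
    return "redirect-to-precheck"
```

The header check only catches proxies that announce themselves; as Lionel notes earlier in the thread, a Tor exit node is a TCP relay and adds nothing to the request. What actually limits hopping between exit nodes in this scheme is the IP binding: a token issued to one exit address is refused when the next request arrives from another, and it expires after the window regardless.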
On 6/21/06, Kevin Day <toasty@dragondata.com> wrote:
Failing that, having an exit node look at HTTP headers back from the server that contained a "X-No-Anonymous" header to say that the host at that IP shouldn't allow Tor to use it would work.
What's to stop one or more exit node operators from hacking such a check right back out of the code? This is a better idea, but still has a bit of defeats-the-whole-point to it, as it would depend on people obeying that header voluntarily. Social vs. technological divide, again.
On Jun 21, 2006, at 4:08 PM, Todd Vierling wrote:
On 6/21/06, Kevin Day <toasty@dragondata.com> wrote:
Failing that, having an exit node look at HTTP headers back from the server that contained a "X-No-Anonymous" header to say that the host at that IP shouldn't allow Tor to use it would work.
What's to stop one or more exit node operators from hacking such a check right back out of the code?
Nothing, but it's the same nothing that stops me from just blocking all Tor exit nodes at the border. If they showed a little bit of responsibility and allowed other people to make the decision if they wanted to deal with anonymous users or not, I'd be more than willing not to ban the whole lot of them.

Areas where there already is no expectation of anonymity don't allow you to hide your identity in the "real world", so I'm not sure why there is the notion that it's a right on the internet. Try applying for a credit card anonymously, or cashing a check in a bank wearing a ski mask and refusing to show any ID.

I realize fighting open proxies (even ones like this that aren't the result of being trojaned/backdoored) is a losing battle, but the sheer ease in ANYONE being able to click "Give me a new identity" with Tor has really invited the masses to start playing with credit card fraud at a level I hadn't seen before. I'm willing to bet others are experiencing the same thing, but just don't realize they are because they're unfamiliar with Tor and don't know where to look.

On top of all of that, I fully understand that the authors of Tor would have no desire to add such a feature. Their users are the end users, and placating pissy network operators gives them no benefit. All I can say is that if we had a better way of detecting Tor nodes automatically, and making policy decisions based around that fact, we'd be less likely to flat out ban them all.

On Jun 21, 2006, at 4:53 PM, Jeremy Chadwick wrote:
I'm also left wondering something else, based on the "Legalities" Tor page. The justification seems to be that because no one's ever been sued for using Tor to, say, perform illegitimate transactions (Kevin's examples) or hack a server somewhere (via SSH or some other open service), that somehow "that speaks for itself".
I don't know about the rest of the folks on NANOG, but telling a court "I run the Tor service by choice, but the packets that come out of my box aren't my responsibility", paraphrased, isn't going to save you from prison time (at least here in the US). Your box, your network port, your responsibility: period.
We had a sheriff in a small town in Alabama quite ready to test that theory at one point. A Tor exit node was used to purchase several hundred dollars of services on the credit card of a 75-year-old woman who had never used a computer in her life. It took a LOT of explaining, but after he and the county DA understood what Tor was about, they were completely willing to bring charges against the owner of the IP of the exit node. The credit card holder, however, asked that they drop the matter, so it never went anywhere. I would have been very curious to see how it turned out though.

On Jun 21, 2006, at 5:18 PM, Steve Atkins wrote:
Why bother?
If the traffic is abusive, why do you care it comes from Tor? If there's a pattern of abusive traffic from a few hundred IP addresses, block those addresses. If you're particularly prone to idiots from Tor (IRC, say) then preemptively blocking them might be nice, but I doubt the number of new Tor nodes increases at a fast enough rate for it to be terribly interesting.
Normally if we get a lot of fraud from one user, we force all transactions inside that /24 (or whatever the BGP announcement size is) to be manually approved. This is different because one cranky/pissed off/thieving user has control of hundreds of IPs scattered across the world. You can play whack-a-mole with them for hours, and they can keep coming back on a new IP. Each one can be a fraudulent credit card order, costing us hundreds of dollars each. We have preemptively blocked all the Tor exit nodes we can find, but they do change at a rate fast enough that a static list isn't sufficient. Many run off cable modems out of a DHCP pool that get a new address periodically.
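The per-prefix rule Kevin describes, as an added example that is not the original's code: once a prefix has produced confirmed fraud, every further order from it goes to manual approval, and a second function measures what exit-node hopping does to that rule. All addresses and events are constructed. The prefix length is a parameter rather than a hard-coded /24 because the message mentions using the BGP announcement size instead.

```python
import ipaddress
from collections import Counter


def prefix_of(ip, plen=24):
    """Return the /plen network containing ip (works for IPv4 and IPv6)."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def flagged_prefixes(fraud_ips, plen=24, threshold=1):
    """Prefixes that have produced at least `threshold` confirmed-fraud orders.

    Every later order from one of these goes to manual approval.
    """
    counts = Counter(prefix_of(ip, plen) for ip in fraud_ips)
    return {net for net, n in counts.items() if n >= threshold}


def needs_manual_review(ip, flagged, plen=24):
    """The per-order check: is this order's source inside a flagged prefix?"""
    return prefix_of(ip, plen) in flagged


def distinct_prefix_ratio(ips, plen=24):
    """Fraction of distinct /plen prefixes among a batch of source addresses.

    Near 1.0 means every order came from a different prefix, which is what a
    single attacker hopping between exit nodes looks like and exactly the
    pattern a per-prefix rule cannot accumulate against.
    """
    ips = list(ips)
    if not ips:
        return 0.0
    return len({prefix_of(ip, plen) for ip in ips}) / len(ips)


# Constructed: three bad orders from one access pool in a single /24.
SAME_POOL_FRAUD = ["203.0.113.10", "203.0.113.44", "203.0.113.201"]

# Constructed: bad orders each arriving from an unrelated network, as when one
# person cycles through exit nodes scattered across the world.
HOPPING_FRAUD = ["198.51.100.7", "192.0.2.99", "203.0.113.5", "198.18.4.4"]
```

With `threshold=1` the hopping case still flags each prefix it touches, but only after the order from that prefix has already been lost; with any higher threshold it never flags at all. That is the whack-a-mole the message describes, and it is why an up-to-date exit-node list, not per-prefix history, is what the author reaches for.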
On 6/21/06, Lionel Elie Mamane <lionel@mamane.lu> wrote:
Here's where your misunderstanding is evident. The filtering proxy is not at the Tor exit node; it's at the *entry*.
If the proxy is not at the Tor exit node, how can the tor network enforce the addition of the "this connection went through tor" HTTP header that Kevin Day was asking for?
And Tor users will desire to do this ... why? I have been referring to the proxying behavior *currently in use* on Tor and likely to be developed further in the near future. It is highly *unlikely* that Tor will add such a header by default, so there's little point in thinking that such a so-called "solution" might actually come to light. Note that nowhere have I implied that Tor HTTP requests would look like anything but regular HTTP requests, and in fact, that's exactly the point of Tor's design. I am NOT using this thread to comment on the appropriateness of that behavior (I have mixed personal opinions on that), but rather, to point out what its *users* want, which is what is likely to be implemented. Hence my earlier comment about addressing social vulnerabilities via solely technological methods.
if you rely on a program sitting on the user's computer adding that header, then malevolent users can not add this header,
And non-malevolent users who simply wish to avoid marketeers' statistical data tracking. There's more than one use for the technology, y'know.
so Kevin Day's purpose is not served.
If the point of the technology is to add a degree of anonymity, you can be pretty sure that a marker expressly designed to state the message "Hi, I'm anonymous!" will never be a standard feature of said technology. That's a pretty obvious non-starter.
On Wed, Jun 21, 2006 at 05:02:47PM -0400, Todd Vierling wrote:
If the point of the technology is to add a degree of anonymity, you can be pretty sure that a marker expressly designed to state the message "Hi, I'm anonymous!" will never be a standard feature of said technology. That's a pretty obvious non-starter.
Which begs the original question of this thread which I started: with that said, how exactly does one filter this technology? "You can't" doesn't make for a very practical solution, by the way. The same was said about BitTorrent (non-encrypted) when it came out, and the same is being said about encrypted BT (which has caused some ISPs to induce rate-limiting).

I'm also left wondering something else, based on the "Legalities" Tor page. The justification seems to be that because no one's ever been sued for using Tor to, say, perform illegitimate transactions (Kevin's examples) or hack a server somewhere (via SSH or some other open service), that somehow "that speaks for itself".

I don't know about the rest of the folks on NANOG, but telling a court "I run the Tor service by choice, but the packets that come out of my box aren't my responsibility", paraphrased, isn't going to save you from prison time (at least here in the US). Your box, your network port, your responsibility: period.
On Jun 21, 2006, at 2:53 PM, Jeremy Chadwick wrote:
On Wed, Jun 21, 2006 at 05:02:47PM -0400, Todd Vierling wrote:
If the point of the technology is to add a degree of anonymity, you can be pretty sure that a marker expressly designed to state the message "Hi, I'm anonymous!" will never be a standard feature of said technology. That's a pretty obvious non-starter.
Which begs the original question of this thread which I started: with that said, how exactly does one filter this technology?
Why bother? If the traffic is abusive, why do you care it comes from Tor? If there's a pattern of abusive traffic from a few hundred IP addresses, block those addresses. If you're particularly prone to idiots from Tor (IRC, say) then preemptively blocking them might be nice, but I doubt the number of new Tor nodes increases at a fast enough rate for it to be terribly interesting. If you want to take legal action you know exactly who is responsible for the traffic, so whether it's coming from a Tor exit node or not isn't terribly interesting in that case either. If you still do want to then there are some very obvious ways to do so, combining a Tor client and a server you run. (And this is from the perspective of someone who does not believe there is any legitimate use for Tor at all.) Cheers, Steve
Jeremy Chadwick wrote:
On Wed, Jun 21, 2006 at 05:02:47PM -0400, Todd Vierling wrote:
If the point of the technology is to add a degree of anonymity, you can be pretty sure that a marker expressly designed to state the message "Hi, I'm anonymous!" will never be a standard feature of said technology. That's a pretty obvious non-starter.
Which begs the original question of this thread which I started: with that said, how exactly does one filter this technology?
..and that is also the reason why SORBS and Tor have been at loggerheads... They think that their answer addresses SORBS' position from their Abuse FAQ ( http://tor.eff.org/faq-abuse.html.en ):

SORBS is putting some Tor server IPs on their email blacklist as well. They do this because they passively detect whether your server connects to certain IRC networks, and they conclude from this that your server is capable of spamming. We tried to work with them to teach them that not all software works this way, but we have given up. We recommend you avoid them, and teach your friends (if they use them) to avoid abusive blacklists too <http://paulgraham.com/spamhausblacklist.html>.

Of course SORBS' position is actually this - if you are allowing Trojan traffic over the Tor network you will get listed (regardless of whether the Trojans can talk to port 25 or not).... Considering they were told that, it shows the lack of concern, respect, intelligence or netiquette for such issues. The new SORBS DB (coming soon) will include a Tor DNSbl (like the AHBL's) where administrators of services can choose to block this type of traffic. Our response to people using Tor is "That's what you get for using Tor, if you must use Tor we recommend moving it to a server/IP that is not used for anything important and getting a good lawyer."
"You can't" doesn't make for a very practical solution, by the way. The same was said about BitTorrent (non-encrypted) when it came out, and the same is being said about encrypted BT (which has caused some ISPs to induce rate-limiting).
I'm also left wondering something else, based on the "Legalities" Tor page. The justification seems to be that because no one's ever been sued for using Tor to, say, perform illegitimate transactions (Kevin's examples) or hack a server somewhere (via SSH or some other open service), that somehow "that speaks for itself".
I actually know of someone who was caught trying to brute force an ISP's SSH server - he blamed it on Tor - that didn't stop legal action and getting his connection terminated. (Sorry, I am not permitted to give details of who or which ISP - so don't ask.) I don't know whether he was the responsible party or not, but I do know he has had several accounts terminated for similar 'suspect' activity. He continues to run a Tor node.
I don't know about the rest of the folks on NANOG, but telling a court "I run the Tor service by choice, but the packets that come out of my box aren't my responsibility", paraphrased, isn't going to save you from prison time (at least here in the US). Your box, your network port, your responsibility: period.
AFAIK neither here (Australia) nor in the UK - if the traffic is seen to be coming from your machine *you* are responsible unless *you* can show the traffic was generated by someone else. i.e. you cannot say 'sorry officer it was not me it was my machine'; you have to be able to say (and prove), 'sorry officer it was not me it was someone else, I don't know who, but here is the information about the next step back to the source so that you can continue your investigation.' (Same as speeding tickets - you can't just say "I wasn't driving" - you have to either say 'x was driving' or "It wasn't me, I don't know who was driving but I lent the car to x, you should ask them.")

...and for what it's worth, I have no problems with anonymous networks for idealistic reasons, however they are always abused, they will continue to be abused, Tor is being abused, and I should be able to allow or deny traffic into my networks as I see fit.... All of my discussions with Tor people have indicated [they] do not think I should have the right to deny traffic based on IP address, and that I should find other methods of authenticating traffic into my networks.

Regards,

Mat
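As an added example, not code from SORBS, the AHBL or the original thread: the lookup a service would make against a Tor-exit DNSBL of the kind Mat says SORBS is adding, followed by a site-local decision on the answer. A DNSBL answers an A query for the reversed client address (octets reversed for IPv4, ip6.arpa-style nibbles for IPv6) with a value in 127.0.0.0/8 whose last octet encodes the reason. The zone name, the reason codes, the listed addresses and the in-memory resolver are all constructed so the example runs offline; a live check would swap `resolve` for a real DNS A lookup.

```python
import ipaddress


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name for ip under zone.

    IPv4: 198.51.100.7 -> 7.100.51.198.<zone>
    IPv6: the 32 hex nibbles of the full address, reversed, one per label
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


# Constructed reason codes for the example zone; real lists publish their own.
LISTING_CODES = {"127.0.0.2": "tor-exit", "127.0.0.3": "open-proxy"}

CONSTRUCTED_ZONE = "tor.dnsbl.example"

# Constructed answers standing in for the zone's A records.
CONSTRUCTED_ANSWERS = {
    dnsbl_query_name("198.51.100.7", CONSTRUCTED_ZONE): "127.0.0.2",
    dnsbl_query_name("2001:db8::1", CONSTRUCTED_ZONE): "127.0.0.2",
    dnsbl_query_name("192.0.2.9", CONSTRUCTED_ZONE): "127.0.0.3",
}


def resolve(name):
    """Stand-in for an A lookup; None plays the role of NXDOMAIN (not listed)."""
    return CONSTRUCTED_ANSWERS.get(name)


def lookup(ip, zone=CONSTRUCTED_ZONE, resolver=resolve):
    """Return the listing reason for ip, or None if it is not listed.

    Only answers inside 127.0.0.0/8 count as listings; anything else (for
    instance a wildcard A record on a lapsed zone) is treated as not listed
    rather than blocking everyone.
    """
    answer = resolver(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    if ipaddress.ip_address(answer) not in ipaddress.ip_network("127.0.0.0/8"):
        return None
    return LISTING_CODES.get(answer, "listed-unknown-code")


def policy(ip, action_for):
    """Map a listing reason to a site decision, e.g. {'tor-exit': 'manual-review'}.

    The decision stays with the site operator, which is the point of
    publishing the data as a DNSBL instead of a blanket ban.
    """
    return action_for.get(lookup(ip), "allow")
```

The "only 127/8 counts" guard is the one check worth keeping even in a five-line version: a DNSBL whose domain expires and gets wildcarded would otherwise list the entire Internet.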
On Thu, Jun 22, 2006 at 11:58:34AM +1000, Matthew Sullivan wrote:
Jeremy Chadwick wrote:
On Wed, Jun 21, 2006 at 05:02:47PM -0400, Todd Vierling wrote:
If the point of the technology is to add a degree of anonymity, you can be pretty sure that a marker expressly designed to state the message "Hi, I'm anonymous!" will never be a standard feature of said technology. That's a pretty obvious non-starter.
Which begs the original question of this thread which I started: with that said, how exactly does one filter this technology?
Of course SORBS' position is actually this - if you are allowing Trojan traffic over the Tor network you will get listed (regardless of whether the Trojans can talk to port 25 or not)....
How an open proxy that will not connect to port 25 is relevant for an *email* blacklist is beyond me.
...and for what it's worth, I have no problems with anonymous networks for idealistic reasons, however they are always abused, they will continue to be abused, Tor is being abused, and I should be able to allow or deny traffic into my networks as I see fit....
All of my discussions with Tor people have indicated [they] do not think I should have the right to deny traffic based on IP address, and that I should find other methods of authenticating traffic into my networks.
Isn't it rather that they think that filtering on the basis of IP address is broken in today's Internet, even if tor didn't exist? Open proxies, trojans, multi-user computers, dynamic IPs, ... all this means that substituting IP address for people is very, very imprecise.

-- Lionel
Lionel Elie Mamane wrote:
On Thu, Jun 22, 2006 at 11:58:34AM +1000, Matthew Sullivan wrote:
Jeremy Chadwick wrote:
On Wed, Jun 21, 2006 at 05:02:47PM -0400, Todd Vierling wrote:
If the point of the technology is to add a degree of anonymity, you can be pretty sure that a marker expressly designed to state the message "Hi, I'm anonymous!" will never be a standard feature of said technology. That's a pretty obvious non-starter.
Which begs the original question of this thread which I started: with that said, how exactly does one filter this technology?
Of course SORBS' position is actually this - if you are allowing Trojan traffic over the Tor network you will get listed (regardless of whether the Trojans can talk to port 25 or not)....
How an open proxy that will not connect to port 25 is relevant for an *email* blacklist is beyond me.
Perhaps because SORBS is not just an email blacklist? Perhaps because it is also used for webmail and other things...
...and for what it's worth, I have no problems with anonymous networks for idealistic reasons, however they are always abused, they will continue to be abused, Tor is being abused, and I should be able to allow or deny traffic into my networks as I see fit....
All of my discussions with Tor people have indicated [they] do not think I should have the right to deny traffic based on IP address, and that I should find other methods of authenticating traffic into my networks.
Isn't it rather that they think that filtering on the basis of IP address is broken in today's Internet, even if tor didn't exist? Open proxies, trojans, multi-user computers, dynamic IPs, ... all this means that substituting IP address for people is very, very imprecise.
....and that is your opinion, which you are entitled to, others feel filtering by IP address is still valid and needed which is why they do it... Surely they are entitled to their opinions....? Regards, Mat
On Thu, Jun 22, 2006 at 05:37:25PM +1000, Matthew Sullivan wrote:
Lionel Elie Mamane wrote:
How an open proxy that will not connect to port 25 is relevant for an *email* blacklist is beyond me.
Perhaps because SORBS is not just an email blacklist?
My bad. I must have misunderstood its tagline.
Perhaps because it is also used for webmail and other things...
Someone running a webmail that doesn't ask for authentication before accepting mail is asking for trouble. You know it, and I'm fairly sure you would list him. If the user has authenticated himself on the webmail, why care whether the TCP connection came from an open TCP or HTTP proxy? The user has identified himself, so you know who it is.
All of my discussions with Tor people have indicated [they] do not think I should have the right to deny traffic based on IP address, and that I should find other methods of authenticating traffic into my networks.
Isn't it rather that they think that filtering on the basis of IP address is broken in today's Internet, even if tor didn't exist? Open proxies, trojans, multi-user computers, dynamic IPs, ... all this means that substituting IP addresses for people is very, very imprecise.
....and that is your opinion,
Actually, no. It is what I understand the tor people's opinion to be from their public statements. As for my opinion, I think IP-based authentication is the best you've got when you are dealing with the world at large and not just with a finite, known group of users. As with an MX. As with a webshop. But IP-based authentication should be avoided if you can, and it does get over-used in contexts where it is worse than other solutions. A prime example is scientific journal publishers blindly trusting the whole IP space of universities. We do give shell accounts on some of our machines to externals: other scientists from abroad, high school students that can make good use of surplus computing resources for a project, ... -- Lionel
On 6/22/06, Lionel Elie Mamane <lionel@mamane.lu> wrote:
All of my discussions with Tor people have indicated [they] do not think I should have the right to deny traffic based on IP address, and that I should find other methods of authenticating traffic into my networks.
Isn't it rather that they think that filtering on the basis of IP address is broken in today's Internet, even if tor didn't exist?
This has been part of my point throughout this thread, in that:
substituting IP addresses for people is very, very imprecise.
Tor just happens to point this out very vividly, and makes the formerly small distinction between social and technological problems a bit more noticeable. Anti-spam folk face a lot of the same issues. Ideally, there should be zero need for content-based mail filtering, because that doesn't reflect the intent of blocking spam (which is *really* based on "solicited" status). However, the *social* issues of today's spam abuse often make content-based filtering a necessary evil. -- -- Todd Vierling <tv@duh.org> <tv@pobox.com> <todd@vierling.name>
On Wed, Jun 21, 2006 at 02:53:06PM -0700, Jeremy Chadwick wrote:
On Wed, Jun 21, 2006 at 05:02:47PM -0400, Todd Vierling wrote:
If the point of the technology is to add a degree of anonymity, you can be pretty sure that a marker expressly designed to state the message "Hi, I'm anonymous!" will never be a standard feature of said technology. That's a pretty obvious non-starter.
Which begs the original question of this thread which I started: with that said, how exactly does one filter this technology?
The list of IP addresses of tor nodes is *public*. If tor users can get it, you can, too. Some IRC networks already run a stripped-down tor client to always tag connections from tor as such, and permit channel operators to ban such connections from their channel should they so wish. -- Lionel
The problem I see is that this technology will be used (literally, not ideally) solely for harassment (especially via IRC). I do not see any other practical use for this technology other than that. The whole "right to privacy/anonymity" argument is legitimate, but I do not see people using* Tor for legitimate purposes.
A colleague of mine stated his opinion of my opinion: "Your problem with Tor is that you can't control it, isn't it?" And he's right -- that's the exact problem I have with it.
if you believe in privacy and anonymity, you get the downsides as well as the upsides. such is life. the problem with the net is that there are people on it. randy
On 6/17/06, Jeremy Chadwick <nanog@jdc.parodius.com> wrote:
The problem I see is that this technology will be used (literally, not ideally) solely for harassment (especially via IRC). I do not see any other practical use for this technology other than that. The whole "right to privacy/anonymity" argument is legitimate, but I do not see people using* Tor for legitimate purposes.
My legitimate use of Tor is because I object to companies following me around on the net. Yes, I block ads and reject cookies, too. I choose to not disclose my browsing to others. I get enough random commercial crap foisted upon me that I have no time or patience for the targeted commercial crap. To paraphrase Zimmermann's philosophy of PGP - you may be having a hot affair, or you may be doing something politically sensitive, but it's nobody's business but yours. As for an attempt at a technical control, maybe set up a box with Tor on it, get a list of exit servers and null-route them automagically. CK -- GDB has a 'break' feature; why doesn't it have 'fix' too?
On Sat, 17 Jun 2006, Chris Kuethe wrote:
As for an attempt at a technical control, maybe set up a box with Tor on it, get a list of exit servers and null-route them automagically.
The TOR abuse FAQ is here: http://tor.eff.org/faq-abuse.html.en They provide a script to track TOR exit nodes as well: http://tor.eff.org/cvs/tor/contrib/exitlist I agree with Randy - The problem (with the net) is that there are people (on it). cheers! ========================================================================== "A cat spends her life conflicted between a deep, passionate and profound desire for fish and an equally deep, passionate and profound desire to avoid getting wet. This is the defining metaphor of my life right now."
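The approach discussed in the three messages above (Lionel's "the list of tor nodes is public", Chris's "get a list of exit servers and null-route them", and the contrib/exitlist script linked here) amounts to reading Tor's published router descriptors and asking, for each relay, whether its exit policy allows a connection to *your* server's address and port. The following is an added example written for this page, not the Tor project's exitlist script and not code posted by anyone in the thread. It parses descriptor-style text into exit-policy rules, evaluates them first-match-wins the way Tor does, and renders the resulting addresses as a pf table. The relay nicknames and addresses are constructed (RFC 5737 documentation ranges); a real run would read tor's cached descriptors instead of the embedded string. One assumption is labelled in the code: an address/port that matches no rule is treated as rejected.

```python
"""Which Tor exits can reach one of my servers?  (added example, not Tor's code)

Reads router descriptors, applies each relay's exit policy to a target
ip:port, and prints a pf table of the exits that could reach it.
"""
import ipaddress

# Constructed sample in Tor router-descriptor style.  Only the fields this
# example reads ("router" and accept/reject lines) are meaningful; no relay
# shown here exists.  A real run would feed tor's cached-descriptors file in.
SAMPLE_DESCRIPTORS = """\
router exitA 192.0.2.10 9001 0 9030
platform Tor 0.1.1.22 on Linux
accept *:80
accept *:443
reject *:*
router middleB 192.0.2.20 9001 0 0
reject *:*
router exitC 198.51.100.5 443 0 80
reject 203.0.113.0/24:*
reject *:25
accept *:*
router exitD 198.51.100.9 9001 0 0
reject 203.0.113.8:*
accept *:*
"""


def parse_port_pattern(pattern):
    """'*' -> every port, '80' -> (80, 80), '6660-6669' -> (6660, 6669)."""
    if pattern == "*":
        return (1, 65535)
    if "-" in pattern:
        low, high = pattern.split("-", 1)
        return (int(low), int(high))
    return (int(pattern), int(pattern))


def parse_rule(line):
    """'accept 1.2.0.0/16:80-90' -> (True, IPv4Network('1.2.0.0/16'), (80, 90)).
    A '*' address becomes None, meaning 'any address'."""
    verb, pattern = line.split(None, 1)
    addr, port = pattern.rsplit(":", 1)          # IPv4 only: one colon
    network = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    return (verb == "accept", network, parse_port_pattern(port))


def parse_descriptors(text):
    """Return a list of (nickname, address, [rules]) for each 'router' block."""
    relays = []
    current = None
    for line in text.splitlines():
        if line.startswith("router "):
            _, nickname, address = line.split()[:3]
            current = (nickname, address, [])
            relays.append(current)
        elif current is not None and line.startswith(("accept ", "reject ")):
            current[2].append(parse_rule(line))
    return relays


def can_exit_to(rules, target_ip, target_port):
    """First matching rule wins, as in Tor's exit-policy evaluation.
    Assumption: if nothing matches, treat it as rejected (published policies
    end in 'reject *:*' anyway, so this only matters for truncated input)."""
    ip = ipaddress.ip_address(target_ip)
    for accept, network, (low, high) in rules:
        if (network is None or ip in network) and low <= target_port <= high:
            return accept
    return False


def exits_for(relays, target_ip, target_port):
    """Addresses of relays whose policy lets a Tor user reach target_ip:port."""
    hits = {addr for _, addr, rules in relays
            if can_exit_to(rules, target_ip, target_port)}
    return sorted(hits, key=ipaddress.ip_address)


def pf_table(addresses, name="tor_exits"):
    """Render a pf table; pair it with 'block in quick from <tor_exits> to any',
    or with a tagging rule if you would rather mark than drop the traffic."""
    return "table <%s> persist { %s }" % (name, ", ".join(addresses))


if __name__ == "__main__":
    relays = parse_descriptors(SAMPLE_DESCRIPTORS)
    # e.g. an IRC server at 203.0.113.7 listening on 6667
    print(pf_table(exits_for(relays, "203.0.113.7", 6667)))
```

Note that the answer depends on the destination: an exit whose policy rejects port 25 still matters to your IRC server, and a relay with `reject *:*` (a middle node) never belongs in the table at all. Re-running this against fresh descriptors on a schedule, and reloading the pf table with `pfctl -t tor_exits -T replace -f`, is the "automagically" part; the same list feeds an ipfw table just as well.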
On Jun 17, 2006, at 10:42 AM, Gwendolynn ferch Elydyr wrote:
On Sat, 17 Jun 2006, Chris Kuethe wrote:
As for an attempt at a technical control, maybe set up a box with Tor on it, get a list of exit servers and null-route them automagically.
The TOR abuse FAQ is here:
http://tor.eff.org/faq-abuse.html.en
They provide a script to track TOR exit nodes as well:
For IRC servers running BOPM and mail servers, I've found: http://www.sectoor.de/tor.php to be useful.
On Sat, 17 Jun 2006 06:29:02 PDT, Jeremy Chadwick said:
A colleague of mine stated his opinion of my opinion: "Your problem with Tor is that you can't control it, isn't it?" And he's right -- that's the exact problem I have with it.
Comments/concerns?
You're complaining about a network of several hundred IP addresses that are, for the most part, documented as being the source of anonymized connections. Obviously, if you're worried about *that*, you've already solved the problem of identifying a connection as coming from one of the millions of machines that has backdoor software on it, and thus potentially a port forwarder(*). Please share your secret. The rest of us would love to have a net where Tor nodes are a "problem" big enough to worry about. (*) Yes, Tor intentionally anonymizes the true source *very* well. On the flip side, what are your *REAL* chances of tracking somebody through more than 2 or 3 hops across cablemodems, unless you manage to mobilize everybody by invoking one of the Four Horsemen of the Internet (copyright, terrorism, drug dealers, and child pornographers)?
On Jun 17, 2006, at 6:29 AM, Jeremy Chadwick wrote:
Apologies if this has been brought up before.
Being as I'm not a network administrator myself (although I do filter some stuff using pf and ipfw on my servers), I'm curious what NAs think of the following technology:
http://tor.eff.org/overview.html.en
The problem I see is that this technology will be used (literally, not ideally) solely for harassment (especially via IRC). I do not see any other practical use for this technology other than that. The whole "right to privacy/anonymity" argument is legitimate, but I do not see people using* Tor for legitimate purposes.
A colleague of mine stated his opinion of my opinion: "Your problem with Tor is that you can't control it, isn't it?" And he's right -- that's the exact problem I have with it.
Comments/concerns?
It's a proxy botnet, created by social engineering, rather than compromised machines, but apart from that it's indistinguishable from any other. The approaches you're using for abuse from other open proxies and botnets should work fine for tor. If you've not dealt with the general case then fixating on tor is pretty much a waste of time (unless you're running an IRC network, perhaps). Cheers, Steve
On Sat, 17 Jun 2006, Jeremy Chadwick wrote:
The problem I see is that this technology will be used (literally, not ideally) solely for harassment (especially via IRC). I do not see any other practical use for this technology other than that. The whole "right to privacy/anonymity" argument is legitimate, but I do not see people using* Tor for legitimate purposes.
Tor is just a brand name. It's not the first, last or only way. As long as there are people, there will be people that abuse things. Every open service has been abused: USENET, SMTP, IRC, DNS, DHCP, TTY/TDD Relay for the deaf, etc. The Internet is just a small community of 500 million or so of your closest friends you don't know. People have known since rlogin, rexec, rsh that relying on IP addresses as a method to control access has limitations. Caller ID isn't that much more secure. It is extremely unlikely we will ever make all or even most of the network hosts secure, and there will continue to be new applications being created all the time. Application designers should probably consider using application and higher layer authentication methods if they don't want their applications used as open relays for abuse. You can't control what the rest of the world does, but you can set the policy for using your own application.
participants (12)
- Chris Kuethe
- Gwendolynn ferch Elydyr
- Jeremy Chadwick
- John Payne
- Kevin Day
- Lionel Elie Mamane
- Matthew Sullivan
- Randy Bush
- Sean Donelan
- Steve Atkins
- Todd Vierling
- Valdis.Kletnieks@vt.edu