North American Network Operators Group


Re: Tor and network security/administration

  • From: Matthew Sullivan
  • Date: Wed Jun 21 21:59:48 2006

Jeremy Chadwick wrote:

On Wed, Jun 21, 2006 at 05:02:47PM -0400, Todd Vierling wrote:

If the point of the technology is to add a degree of anonymity, you
can be pretty sure that a marker expressly designed to state the
message "Hi, I'm anonymous!" will never be a standard feature of said
technology. That's a pretty obvious non-starter.

Which begs the original question of this thread which I started: with
that said, how exactly does one filter this technology?

..and that is also the reason why SORBS and Tor have been at loggerheads... They think that their answer addresses SORBS' position from their Abuse FAQ:

SORBS is putting some Tor server IPs on their email blacklist as well. They do this because they passively detect whether your server connects to certain IRC networks, and they conclude from this that your server is capable of spamming. We tried to work with them to teach them that not all software works this way, but we have given up. We recommend you avoid them, and teach your friends (if they use them) to avoid abusive blacklists too.

Of course SORBS' position is actually this - if you are allowing Trojan traffic over the Tor network you will get listed (regardless of whether the Trojans can talk to port 25 or not).... Considering they were told that, it shows the lack of concern, respect, intelligence or netiquette for such issues. The new SORBS DB (coming soon) will include a Tor DNSbl (like the AHBL's) where administrators of services can choose to block this type of traffic.

Our response to people whilst Tor is "That's what you get for using Tor, if you must use Tor we recommend moving it to a server/IP that is not used for anything important and getting a good lawyer."

"You can't" doesn't make for a very practical solution, by the way.
The same was said about BitTorrent (non-encrypted) when it came out,
and the same is being said about encrypted BT (which has caused
some ISPs to induce rate-limiting).

I'm also left wondering something else, based on the "Legalities"
Tor page. The justification seems to be that because no one's ever
been sued for using Tor to, say, perform illegitimate transactions
(Kevin's examples) or hack a server somewhere (via SSH or some other
open service), that somehow "that speaks for itself".

I actually know of someone who was caught trying to brute force an ISP's SSH server - he blamed it on Tor - that didn't stop legal action and getting his connection terminated. (Sorry I am not permitted to give details of who or which ISP - so don't ask) - I don't know whether he was the responsible party or not, but I do know he has had several accounts terminated for similar 'suspect' activity. He continues to run a Tor node.

I don't know about the rest of the folks on NANOG, but telling a
court "I run the Tor service by choice, but the packets that come
out of my box aren't my responsibility", paraphrased, isn't going
to save you from prison time (at least here in the US). Your box,
your network port, your responsibility: period.

AFAIK nor here (Australia) nor in the UK - if the traffic is seen to be coming from your machine *you* are responsible unless *you* can show the traffic was generated by someone else. i.e. you cannot say 'sorry officer it was not me it was my machine' you have to be able to say (and prove), 'sorry officer it was not me it was someone else, I don't know who, but here is the information about the next step back to the source so that you can continue your investigation.' (same as speeding tickets - you can't just say "I wasn't driving" - you have to either say 'x was driving' or "It wasn't me, I don't know who was driving but I lent the car to x you should ask them.")

...and for what it's worth, I have no problems with anonymous networks for idealistic reasons, however they are always abused, they will continue to be abused, Tor is being abused, and I should be able to allow or deny traffic into my networks as I see fit....

All of my discussions with Tor people have indicated [they] do not think I should have the right to deny traffic based on IP address, and that I should find other methods of authenticating traffic into my networks.