Re: [tor-relays] Outbound Ports

2014-07-11 Thread Greg Moss
Alright - traffic is picking up a little after 24 hours. Netflow is showing a
bunch of outbound SSH connections but for some reason can't see it in the
syslog going out. Added ACL for outbound SSH and will watch. Not sure WTF
all the SSH traffic is all about.

gm

-Original Message-
From: tor-relays [mailto:tor-relays-boun...@lists.torproject.org] On Behalf
Of Tom van der Woerdt
Sent: Friday, July 11, 2014 9:05 AM
To: tor-relays@lists.torproject.org
Subject: Re: [tor-relays] Outbound Ports

Ryan Getz schreef op 11/07/14 16:19:
>
> On Fri, Jul 11, 2014, at 09:41 AM, Moritz Bartl wrote:
>> On 07/11/2014 11:33 AM, Roman Mamedov wrote:
>>> Agreed, but my point was that only a small minority of relays use 
>>> port 22 (checked, 27 of them - more than I expected) or port 53 
>>> (just three relays), so it may be a sacrifice that's worth making, 
>>> in order to avoid losing the ability to run Tor altogether due to being
>>> kicked out by your ISP.
>>
>> I don't see the point in blocking arbitrary outgoing ports for an 
>> application that is not going to make any connections other than 
>> relay connections. The danger of Tor misbehaving on port 22 or port 
>> 53 is the same as on any other port.
>>
>>> Some time ago I proposed that Tor flags some ports as being 
>>> unacceptable as ORPort[1], but this did not gather much of a momentum.
>>
>> A port is a number. None of them is special. I really don't see any 
>> reason to discriminate any.
>>
>> --
>> Moritz Bartl
>> https://www.torservers.net/
>
> I agree but it depends on the service provider. I've just recently 
> begun running some relays and while one provider confirmed I could run 
> a non-exit relay on their network, I was later flagged as abusive for 
> too many outgoing connections on port 22. Their network monitoring 
> software tripped the alert as possible SSH scan / exit relay activity. 
> After a few days of working with them, the issue is finally resolved 
> as they now understand it was not malicious and I am not operating an
> exit.
>
> While I still don't fully understand why my server connects over port 
> 22 to some servers listed with the OR port of 443, I clearly have more 
> to learn about Tor functionality. Regardless, many providers monitor 
> proactively for malicious traffic patterns. Many outgoing connections 
> on port 22 appear as SSH scans/brute forcing to a provider. 25 often 
> appear as spam and 53 as DNS reflection attacks.
>
> I've worked with many providers that do not provide good support and 
> will instantly suspend/terminate your service when they detect these 
> traffic patterns. Some allow you to resume service after justification 
> and the worst ones never resume your service or allow justification.
> While these are not providers that I'd recommend using when network 
> diversity is important and more new users attempt to contribute to the 
> network, this does cause additional obstacles when using some 
> providers for hosting a relay. A port is a port but using ports 22, 25 
> and 53 in particular are definitely going to cause headaches for a 
> subset of contributors.
>
> Regards,
> Ryan

This raises an interesting question: going forward, do we want to keep
requiring all relays to be able to reach every other relay?

I run a small relay at home (10mbit-ish) and my ISP blocks all outgoing
traffic to port 25 (smtp). The moment someone starts running a relay on this
port, my relay will no longer be able to reach all other relays. 
This would mean I should stop running a relay, which is (imo) worse for the
network.

In the near future it seems more likely that networks will get more closed
than more open, and more and more relays will face restrictions imposed by
governments or ISPs. What about relays in China? Relays there may be able to
reach only 50% of the network. With smart algorithms this can be
advantageous as these relays have a higher chance of being able to serve
people from these countries, while being able to escape the Great Firewall.

I imagine a Chinese user connecting to a Chinese bridge which connects to a
relay outside of the country, etc. This bridge may not be able to connect to
every other relay, but if it properly advertises what it can reach that's
fine. Of course this would allow an attacker to steer traffic, so a client
may want to establish a slightly longer circuit and avoid going through more
than X of these special hops.

Having relays in places that are hard to reach allows people nearby to
connect more easily to the network. Not doing so means we cannot support
relays in countries with government-applied internet restrictions.

It would be nice to see some discussion on this topic. Do we really want to
stop people from donating bandwidth just because, simply put, they're from
China?

Tom

PS: China is obviously just an example here - the same could apply to the
USA.


___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.

Re: [tor-relays] Outbound Ports

2014-07-11 Thread Tom van der Woerdt

Ryan Getz wrote on 11/07/14 16:19:
>
> On Fri, Jul 11, 2014, at 09:41 AM, Moritz Bartl wrote:
>> On 07/11/2014 11:33 AM, Roman Mamedov wrote:
>>> Agreed, but my point was that only a small minority of relays use port 22
>>> (checked, 27 of them - more than I expected) or port 53 (just three relays),
>>> so it may be a sacrifice that's worth making, in order to avoid losing the
>>> ability to run Tor altogether due to being kicked out by your ISP.
>>
>> I don't see the point in blocking arbitrary outgoing ports for an
>> application that is not going to make any connections other than relay
>> connections. The danger of Tor misbehaving on port 22 or port 53 is the
>> same as on any other port.
>>
>>> Some time ago I proposed that Tor flags some ports as being unacceptable as
>>> ORPort[1], but this did not gather much momentum.
>>
>> A port is a number. None of them is special. I really don't see any
>> reason to discriminate any.
>>
>> --
>> Moritz Bartl
>> https://www.torservers.net/
>
> I agree but it depends on the service provider. I've just recently begun
> running some relays and while one provider confirmed I could run a
> non-exit relay on their network, I was later flagged as abusive for too
> many outgoing connections on port 22. Their network monitoring software
> tripped the alert as possible SSH scan / exit relay activity. After a
> few days of working with them, the issue is finally resolved as they now
> understand it was not malicious and I am not operating an exit.
>
> While I still don't fully understand why my server connects over port 22
> to some servers listed with the OR port of 443, I clearly have more to
> learn about Tor functionality. Regardless, many providers monitor
> proactively for malicious traffic patterns. Many outgoing connections on
> port 22 appear as SSH scans/brute forcing to a provider. 25 often appear
> as spam and 53 as DNS reflection attacks.
>
> I've worked with many providers that do not provide good support and
> will instantly suspend/terminate your service when they detect these
> traffic patterns. Some allow you to resume service after justification
> and the worst ones never resume your service or allow justification.
> While these are not providers that I'd recommend using when network
> diversity is important and more new users attempt to contribute to the
> network, this does cause additional obstacles when using some providers
> for hosting a relay. A port is a port but using ports 22, 25 and 53 in
> particular are definitely going to cause headaches for a subset of
> contributors.
>
> Regards,
> Ryan


This raises an interesting question: going forward, do we want to keep 
requiring all relays to be able to reach every other relay?


I run a small relay at home (10mbit-ish) and my ISP blocks all outgoing 
traffic to port 25 (smtp). The moment someone starts running a relay on 
this port, my relay will no longer be able to reach all other relays. 
This would mean I should stop running a relay, which is (imo) worse for 
the network.


In the near future it seems more likely that networks will get more 
closed than more open, and more and more relays will face restrictions 
imposed by governments or ISPs. What about relays in China? Relays there 
may be able to reach only 50% of the network. With smart algorithms this 
can be advantageous as these relays have a higher chance of being able 
to serve people from these countries, while being able to escape the 
Great Firewall.


I imagine a Chinese user connecting to a Chinese bridge which connects 
to a relay outside of the country, etc. This bridge may not be able to 
connect to every other relay, but if it properly advertises what it can 
reach that's fine. Of course this would allow an attacker to steer 
traffic, so a client may want to establish a slightly longer circuit and 
avoid going through more than X of these special hops.


Having relays in places that are hard to reach allows people nearby to 
connect more easily to the network. Not doing so means we cannot support 
relays in countries with government-applied internet restrictions.


It would be nice to see some discussion on this topic. Do we really want 
to stop people from donating bandwidth just because, simply put, they're 
from China?


Tom

PS: China is obviously just an example here - the same could apply to 
the USA.






Re: [tor-relays] Outbound Ports

2014-07-11 Thread Ryan Getz

On Fri, Jul 11, 2014, at 09:41 AM, Moritz Bartl wrote:
> On 07/11/2014 11:33 AM, Roman Mamedov wrote:
> > Agreed, but my point was that only a small minority of relays use port 22
> > (checked, 27 of them - more than I expected) or port 53 (just three relays),
> > so it may be a sacrifice that's worth making, in order to avoid losing the
> > ability to run Tor altogether due to being kicked out by your ISP.
> 
> I don't see the point in blocking arbitrary outgoing ports for an
> application that is not going to make any connections other than relay
> connections. The danger of Tor misbehaving on port 22 or port 53 is the
> same as on any other port.
> 
> > Some time ago I proposed that Tor flags some ports as being unacceptable as
> > ORPort[1], but this did not gather much momentum.
> 
> A port is a number. None of them is special. I really don't see any
> reason to discriminate any.
> 
> -- 
> Moritz Bartl
> https://www.torservers.net/

I agree but it depends on the service provider. I've just recently begun
running some relays and while one provider confirmed I could run a
non-exit relay on their network, I was later flagged as abusive for too
many outgoing connections on port 22. Their network monitoring software
tripped the alert as possible SSH scan / exit relay activity. After a
few days of working with them, the issue is finally resolved as they now
understand it was not malicious and I am not operating an exit. 

While I still don't fully understand why my server connects over port 22
to some servers listed with the OR port of 443, I clearly have more to
learn about Tor functionality. Regardless, many providers monitor
proactively for malicious traffic patterns. Many outgoing connections on
port 22 appear as SSH scans/brute forcing to a provider. 25 often appear
as spam and 53 as DNS reflection attacks.

I've worked with many providers that do not provide good support and
will instantly suspend/terminate your service when they detect these
traffic patterns. Some allow you to resume service after justification
and the worst ones never resume your service or allow justification.
While these are not providers that I'd recommend using when network
diversity is important and more new users attempt to contribute to the
network, this does cause additional obstacles when using some providers
for hosting a relay. A port is a port but using ports 22, 25 and 53 in
particular are definitely going to cause headaches for a subset of
contributors. 

Regards,
Ryan


Re: [tor-relays] Outbound Ports

2014-07-11 Thread Moritz Bartl
On 07/11/2014 11:33 AM, Roman Mamedov wrote:
> Agreed, but my point was that only a small minority of relays use port 22
> (checked, 27 of them - more than I expected) or port 53 (just three relays),
> so it may be a sacrifice that's worth making, in order to avoid losing the
> ability to run Tor altogether due to being kicked out by your ISP.

I don't see the point in blocking arbitrary outgoing ports for an
application that is not going to make any connections other than relay
connections. The danger of Tor misbehaving on port 22 or port 53 is the
same as on any other port.

> Some time ago I proposed that Tor flags some ports as being unacceptable as
> ORPort[1], but this did not gather much momentum.

A port is a number. None of them is special. I really don't see any
reason to discriminate any.

-- 
Moritz Bartl
https://www.torservers.net/


Re: [tor-relays] Exits behind a next-gen firewall? Opinions please

2014-07-11 Thread Andrew Lewman
On 07/10/2014 07:23 PM, Jesse Victors wrote:
> My ISP now tells me that they could reduce
> the reports even further by routing the exits through a
> "next-generation firewall" which apparently can detect an obvious
> clearnet attack and drop that connection a few milliseconds after the
> attack occurs. 

A "next-generation firewall" uses deep packet inspection (DPI) to analyze
content as it crosses the firewall. We don't want to promote DPI, given
Tor is used in many parts of the world to bypass DPI filtering and
censorship.

-- 
Andrew
pgp 0x6B4D6475
https://www.torproject.org/
+1-781-948-1982


Re: [tor-relays] Outbound Ports

2014-07-11 Thread ra
On Friday 11 July 2014 11:02:00 Moritz Bartl wrote:
> Correct. Your relay in any case needs to be able to connect to all
> relays. 

Unfortunately the assumption that every relay is able to connect to any other 
relay does not hold. See https://trac.torproject.org/projects/tor/ticket/12131
If you find your relay in the top 100 of relays having either inbound or 
outbound connectivity issues, please fix it!

Best,
Robert




Re: [tor-relays] Outbound Ports

2014-07-11 Thread Roman Mamedov
On Fri, 11 Jul 2014 11:02:00 +0200
Moritz Bartl wrote:

> > However one thing to consider would be to restrict outbound port 22 and
> > port 53 outbound to not get into trouble with your provider due to suspicions
> > of SSH bruteforcing / DNS reflection attacks. This will break a very small
> > portion of circuits built via your relay, but hopefully solve more potential
> > problems than this would cause.
> 
> No! Tor is not able to detect this case, which will make client
> connection silently fail, and make the user experience a sad experience.

Agreed, but my point was that only a small minority of relays use port 22
(checked, 27 of them - more than I expected) or port 53 (just three relays),
so it may be a sacrifice that's worth making, in order to avoid losing the
ability to run Tor altogether due to being kicked out by your ISP.

Some time ago I proposed that Tor flags some ports as being unacceptable as
ORPort[1], but this did not gather much momentum. Meanwhile, especially
port 53 relays continue causing real problems[2] with ISPs.

Running a relay on ports like 22 and 53 should be considered downright rude to
your fellow relay operators.

[1] https://lists.torproject.org/pipermail/tor-talk/2014-June/033173.html

[2] https://lists.torproject.org/pipermail/tor-relays/2014-May/004562.html

-- 
With respect,
Roman




Re: [tor-relays] Outbound Ports

2014-07-11 Thread Moritz Bartl
Hi Greg,

Thanks for running a relay! You do not need to firewall outbound traffic.

On 07/11/2014 05:30 AM, Roman Mamedov wrote:
> You do need to have all ports open outbound.
> The reason is, your relay needs to be able to connect to all other relays, and
> people run their relays on all sorts of weird ports.

Correct. Your relay in any case needs to be able to connect to all
relays. You could extract the list of IP:Port pairs from your running
Tor relay and then update your local firewall accordingly, but I would
just allow Tor to connect to all outbound addresses.

In the case of an exit relay, it obviously needs to be able to reach
everything out there, on any TCP port.

> However one thing to consider would be to restrict outbound port 22 and
> port 53 outbound to not get into trouble with your provider due to suspicions
> of SSH bruteforcing / DNS reflection attacks. This will break a very small
> portion of circuits built via your relay, but hopefully solve more potential
> problems than this would cause.

No! Tor is not able to detect this case, which will make client
connection silently fail, and make the user experience a sad experience.

You can restrict any other traffic leaving your machine, but the Tor
process needs to be able to fully mesh with all other relays, and, in
the case of exits, be able to reach all the rest of the internet.

-- 
Moritz Bartl
https://www.torservers.net/
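Three points in this thread rest on the same piece of data: Moritz's remark that an operator could "extract the list of IP:Port pairs" of all relays from the running Tor, Roman's count of how many relays have their ORPort on 22 or 53, and Greg's unexplained outbound SSH connections in Netflow. The script below is an added example, not code from any poster or from the Tor project. It parses the "r" and "a" lines of a consensus document into (address, ORPort) pairs, tallies relays per ORPort, and checks a list of outbound flow destinations against that set so that the operator can see which port-22 connections are simply relay-to-relay traffic and which are not. The consensus excerpt, relay identities, addresses and flow records are all constructed for the example (documentation address ranges, no real relays); the function names are the example's own.

```python
"""Check outbound flows against the ORPorts listed in a Tor consensus.

Added example for the tor-relays thread above; not code from any poster
or from the Tor project.  All data below is constructed: the consensus
excerpt, identities and addresses are made up (documentation ranges).
"""
from collections import Counter
from typing import Iterable, List, Set, Tuple

OrAddress = Tuple[str, int]  # (address, ORPort)

# Constructed consensus excerpt.  In both the full and the microdescriptor
# consensus an "r" line ends with "<IPv4> <ORPort> <DirPort>", the identity
# is the third field, and an optional "a" line adds a further ORPort as
# "[IPv6]:port".  Other line types are ignored here.
SAMPLE_CONSENSUS = """\
network-status-version 3 microdesc
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA 2014-07-11 08:00:00 198.51.100.10 443 80
s Fast Running Stable Valid
r relayB BBBBBBBBBBBBBBBBBBBBBBBBBBB 2014-07-11 08:01:00 198.51.100.11 22 0
s Fast Running Valid
r relayC CCCCCCCCCCCCCCCCCCCCCCCCCCC 2014-07-11 08:02:00 198.51.100.12 9001 9030
a [2001:db8::12]:9001
s Fast Guard Running Stable Valid
r relayD DDDDDDDDDDDDDDDDDDDDDDDDDDD 2014-07-11 08:03:00 198.51.100.13 53 0
s Running Valid
"""

# Constructed Netflow-style destinations seen leaving the relay host.
SAMPLE_FLOWS: List[OrAddress] = [
    ("198.51.100.11", 22),   # relayB's ORPort: ordinary relay-to-relay traffic
    ("198.51.100.10", 443),
    ("203.0.113.5", 22),     # no relay there: worth a look in the host's own logs
]


def parse_or_addresses(consensus: str) -> List[Tuple[str, str, int]]:
    """Return (identity, address, orport) for every ORPort in the consensus."""
    entries: List[Tuple[str, str, int]] = []
    identity = None
    for line in consensus.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 8:
            identity = parts[2]
            address, orport = parts[-3], int(parts[-2])  # parts[-1] is DirPort
            entries.append((identity, address, orport))
        elif parts[0] == "a" and identity is not None and len(parts) == 2:
            address, _, port = parts[1].rpartition(":")
            entries.append((identity, address.strip("[]"), int(port)))
    return entries


def build_or_set(consensus: str) -> Set[OrAddress]:
    """The allow-list Moritz describes: every (address, ORPort) of every relay."""
    return {(address, port) for _, address, port in parse_or_addresses(consensus)}


def count_relays_by_port(consensus: str) -> Counter:
    """How many distinct relays use each ORPort number (Roman's tally)."""
    relays_on_port = {(identity, port)
                      for identity, _, port in parse_or_addresses(consensus)}
    return Counter(port for _, port in relays_on_port)


def classify_flows(flows: Iterable[OrAddress],
                   or_set: Set[OrAddress]) -> Tuple[List[OrAddress], List[OrAddress]]:
    """Split outbound destinations into relay ORPorts and everything else."""
    known: List[OrAddress] = []
    unexplained: List[OrAddress] = []
    for flow in flows:
        (known if flow in or_set else unexplained).append(flow)
    return known, unexplained


if __name__ == "__main__":
    or_set = build_or_set(SAMPLE_CONSENSUS)
    by_port = count_relays_by_port(SAMPLE_CONSENSUS)
    for port in (22, 25, 53):
        print(f"relays with ORPort {port}: {by_port[port]}")
    known, unexplained = classify_flows(SAMPLE_FLOWS, or_set)
    print("relay traffic:", known)
    print("unexplained:  ", unexplained)
```

On a real relay the same parser can be pointed at the consensus Tor keeps in its DataDirectory (the `cached-microdesc-consensus` file). Note the caveat that follows from the thread itself: the consensus is replaced every hour, so a firewall allow-list built from it goes stale quickly, which is why Moritz advises simply letting the Tor process reach all outbound addresses; for an exit relay, which must reach arbitrary destinations on any TCP port, no such list can be built at all.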