[kwlug-disc] netalyzr/ispgeeks interpreting [was: Re: Reliable Broadband speed test]

Cedric Puddy cedric at thinkers.org
Mon Mar 7 17:17:48 EST 2011 

Yeah, agreed, TOR end nodes are best set up on dedicated IP addresses that do not share with other non-TOR traffic.  

Philosophically, the ideal is that everyone would run a TOR end-point, and all TOR traffic would be so intermingled with other traffic that doing IP filtering would not be a practical means of excluding TOR users (eg: you'd have to use actual abuse of service as your metric for blocking given sessions! :).

This is a bit of pot calling the kettle black, of course.  There are a relatively small number of networks/ISPs that seem to account for the majority of "hack attempts" on our servers, and we've largely given up on any "nuanced" approach to handling them -- if an IP or class-C or even class-B is making enough noise that we're getting to recognize it, then we'll probably just block it.  It's not really the way we'd ideally behave, but even with those blocks being dropped, we still get mountains of crap in the logs.  Come to think of it, aggressive port/vulnerability scanning on other peoples network isn't really the way random strangers would ideally behave either, so in an ends-justify-the-means sort of way, there's balance here.  :)

One day, I'll have a nice hobby network that I can spend my days lovingly tuning IDS/IPS systems to the nth degree such that I never turn away a legitimate packet of pure intent, and deep six 99% of all crap packets as they cross magic threshold.  Hmmmmmm.

-Cedric



On 2011-03-07, at 2:05 PM, Richard Weait wrote:

> On Sun, Mar 6, 2011 at 1:26 PM, Kyle Spaans <3lucid at gmail.com> wrote:
>> On Sun, Mar 6, 2011 at 9:39 AM, unsolicited <unsolicited at swiz.ca> wrote:
>>> Any particular experience, or truth in advertising?
>> 
> 
>> So in conclusion, I would say that TOR does exactly what it claims to
>> do. The only problems is that it could be doing it faster, and they
>> are working on it. :P I hope that answers your questions?
>> 
>> (Disclaimer: this is all hearsay, I've never actually used TOR myself.)
> 
> I have.  I ran a tor end point for a little while.
> 
> It was fairly popular.  I configured it for some reasonable
> bandwidth-rate and let it go.  The bandwidth I provided was consumed
> within a few hours and never dropped.  If you build a TOR node; They
> will come.   A few days later is was unable to use IRC as the network
> had a "no connections from TOR nodes policy."  They do that to avoid
> bad people who hide behind TOR.  My traffic, while not passing through
> TOR was coming from a TOR endpoint, and so could well have been coming
> from TOR.  Other services started to refuse my connections as well and
> that was the end of my experiment with operating a TOR endpoint.
> 
> Endpoints are critical to TOR.  If you can run a TOR endpoint, and you
> support the goals of TOR, you should run an endpoint.
> 
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org

|  CCj/ClearLine - Unix/NT Administration and TCP/IP Network Services
|  118 Louisa Street, Kitchener, Ontario, N2H 5M3, 519-489-0478
\________________________________________________________
   Cedric Puddy, IS Director            cedric at thinkers.org
     PGP Key Available at:              http://www.thinkers.org/cedric

More information about the kwlug-disc mailing list