[liberationtech] abuse control for Tor exit nodes [was: Twitter Underground Market Research - pdf]

Rich Kulawiec rsk at gsp.org
Thu Jun 27 05:07:20 PDT 2013 

On Wed, Jun 05, 2013 at 10:16:23PM -0700, Andy Isaacson wrote:
> This is a really deeply interesting assertion.  You seem to imagine a
> bright line of "abuse" that is agreed on by all parties, with a policy
> that can be implemented by thoughtful operators to "make the abuse
> stop".  I submit that that is not the real world, in many different
> dimensions.

[ Okay, so I have a long-winded response to this.  It's possible that
eventually I'll wander somewhere near a point. ;-) ]

Many people who are relatively new to the 'net haven't yet internalized
parts of the fundamental ethic that has allowed it to flourish.  There is
an implicit social contract that's far more important than any formal
legal document -- but because it's implicit and not overt, many don't
realize that it exists and that it serves a critical function.
One way to put it, if I might borrow a line from popular culture, is:

	"With great power, comes great responsibility."

Being connected to the Internet gives you incredible power.  Not because
of who *you* are -- because for all values of "you" (including "me"),
you are unimportant and expendable.  It gives you incredible power
because of *everyone else* out there.  By plugging in, you have --
whether you realize it or not, whether you acknowledge it or not --
tacitly committed yourself to living up to the responsibility that
accompanies the immense power you now have.

So like everyone else on the Internet -- from the tiniest single system
connected via a slow dialup line, to the largest distributed operation
imaginable -- you're responsible for everything your operation does to
everything and everyone else.  You don't get a free ride.  You don't
get to pass the blame along.  If there's abuse coming from YOUR system
on YOUR network on YOUR watch, then it's YOUR abuse.  You own it.
You're responsible for it.

It's always been that way -- and it has to be that way, otherwise the
Internet won't work because it can't work.  (And if you've been paying
attention during the past decade or two, you'll note that many components
of the 'net that aren't working very well are struggling for precisely
this reason.)

Responsible and ethical operations know this and design, budget, plan,
train, and staff accordingly.  Irresponsible and unethical operations
don't -- they just shrug their shoulders and try to slough off their
incompetence and negligence on someone else, often the rhetorical "they".

Now...everyone is probably going to leak a small amount of abuse from
time to time.  Software breaks.  Routers lose their minds.  Users do
silly things.  System admins make typos.  Security holes get
exploited.  Stuff...happens.

The expectation is that such incidents should be isolated and
sporadic -- and that effective remedial action (where "effective
remedial action" may require the root password and/or wirecutters)
will be taken promptly.   The reality is that many such incidents are
pervasive, sustained and completely unaddressed.  And that is why we,
for a global value of "we", find ourselves defending against myriad forms
of abuse, from ssh brute-force attacks to spam.  NONE of that abuse just
magically falls out of the sky: it all comes from somewhere...and that
"somewhere" is mostly "irresponsible, negligent, incompetent operations".

Note that this results in massive but silent cost-shifting: someone
has to deal with that abuse, because it doesn't just vanish.  It goes
somewhere.  It impacts other networks, systems and people.  And the
people responsible for defending those need to spend their resources
to deal with it, even though they had nothing to do with its origin.
The costs of doing so are enormous: just look at the subindustries
that exist to sell products to deal with this and consider that every
single dollar/euro/yen they ever make comes from someone paying
the price for others' negligence.

And they're making billions upon billions.

Consider, for example, that companies like Cloudflare and Prolexic
probably *would not exist* if it weren't for the ongoing epidemic
of abuse.

Here's another way to phrase that fundamental ethic, also borrowing a
line from popular culture:

	"The needs of the many outweigh the needs of the few."

No matter how big my operation or your operation or anyone's operation
becomes, it will always be "the few" when compared to the rest of the
Internet: "the many".  No single operation is ever more important than
all operations.  Not mine, not yours, not Google, not Reddit, not anything.

I did say I'd try to get near a point.  Alright, here goes: if you
run anything, including a Tor exit node, then you are personally,
fully responsible for all abuse sourced from that operation.  Which
means that you are responsible for figuring out how to detect it
and stuff a sock in it.  Maybe that's easy.  Maybe that's hard.
Doesn't matter: it's still your responsibility.  You signed up for
it, you implicitly agreed to it, when you plugged *your* operation
into *our* Internet.

My suggestion (and this is based on many other kinds of operations
since I've never run a Tor exit node) is to do what everyone should
do for every operation: use a bidirectional default-deny firewall.
Then punch holes in it as necessary to permit desired traffic.  Use netflows
to detect and squash things like brute-force attacks.  (In other
words, if you observe a serious spike in outbound ssh connection attempts,
then someone is using your node, and possibly others, to conduct an ssh
brute-force attack.  Rate-limit it.  Or just block it for a while.)
Another highly useful technique is rate-limiting based on passive
OS fingerprinting of the source: one application is to provide
severely limited SMTP bandwidth to anything fingerprinting as Windows.
Another is to use the Team Cymru bogon list.  And still another is
to use the Spamhaus DROP list, since nothing good can happen by permitting
traffic to/from those network ranges.

The "pf" firewall in various BSD distributions is a good choice
for implementing all this.  It also has the useful feature of being
rather resource-frugal: it's quite impressive how an old/slow box
running it can gracefully handle large traffic volumes.

But those are just suggestions and it's entirely possible that one or
more of them (except the first one) are not terribly useful in this
application.  That's up to you to find out.

---rsk

More information about the liberationtech mailing list