My Tor exit node experience trying to filter out noisy traffic

Early this year I decided it was time to run a Tor exit node, so I bought a VPS at hetzner.de (because they are listed as a good Tor ISP) and set up the exit node with the nickname privacyresearch.infosecurity.ch, on a 100 Mbit/s connection for the first 1 TB of monthly data, then 10 Mbit/s flat.

It also runs the Tor2web software at http://tor.infosecurity.ch .

I set up the exit policy as suggested in the "Tips for Running an Exit Node with Minimal Harassment" guide and prepared an abuse response template.

On the first day of running the node I immediately received a DMCA complaint due to peer-to-peer traffic.

So I decided to filter out some P2P traffic using the OpenDPI iptables module, and the DMCA complaints stopped (note that a DPI match can only classify a flow after inspecting its first packets, so the opening packets of each P2P connection still leave the node; the rule cuts the transfer rather than the handshake):

iptables -A OUTPUT -m opendpi --edonkey --gadugadu --fasttrack --gnutella --directconnect --bittorrent --winmx --soulseek -j REJECT

Then, because I am Italian, I decided to prevent my Tor node from connecting to the Italian internet address space, to reduce the chance that a stupid prosecutor who does not understand that I am running a Tor node would wake me up one morning.

With the help of hellais, who wrote a script to generate ExitPolicy reject statements, I tried to reject all Italian netblocks based on ioerror's blockfinder, but we found that a torrc configuration file with more than 1000 lines was making Tor crash.
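To make the approach concrete, here is an added example (not hellais's script, and not part of the original post) of turning a blockfinder-style netblock list into ExitPolicy reject statements for torrc. It assumes the input is plain text with one IPv4 CIDR per line, ignores blank lines and "#" comments, and collapses adjacent and overlapping blocks first, which is the only real lever for shrinking a policy that is otherwise one reject line per netblock. The sample netblocks are constructed from private ranges and are not real Italian allocations; IPv6 entries are skipped because torrc needs a different bracketed syntax for them.

```python
"""Generate Tor ExitPolicy reject lines from a list of CIDR netblocks.

Added example, not the script mentioned in the post. Input: blockfinder-style
text, one IPv4 CIDR per line. IPv6 is deliberately not handled here.
"""
import ipaddress

# Constructed sample input: private ranges standing in for a country's
# allocations. NOT real Italian netblocks.
SAMPLE_NETBLOCKS = """\
# blockfinder-style output, one CIDR per line
10.0.0.0/24
10.0.1.0/24
10.0.2.0/23
10.0.0.0/25
172.16.0.0/16
172.16.5.0/24
192.168.100.0/22
"""


def parse_netblocks(text):
    """Parse CIDR strings, skipping blanks and '#' comments; raises on junk."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=False)
        if net.version == 4:          # IPv6 needs bracketed torrc syntax; skipped here
            nets.append(net)
    return nets


def collapse(nets):
    """Merge adjacent and overlapping networks into the minimal covering set, sorted."""
    return list(ipaddress.collapse_addresses(nets))


def exit_policy_lines(nets):
    """One 'ExitPolicy reject NET:*' line per collapsed network, for torrc."""
    return [f"ExitPolicy reject {net.with_prefixlen}:*" for net in collapse(nets)]


def exit_policy_compact(nets, per_line=50):
    """Same policy as comma-separated entries, `per_line` entries per torrc line.

    Tor accepts 'ExitPolicy policy,policy,...', so this divides the line count
    by per_line while expressing exactly the same policy.
    """
    entries = [f"reject {net.with_prefixlen}:*" for net in collapse(nets)]
    return ["ExitPolicy " + ",".join(entries[i:i + per_line])
            for i in range(0, len(entries), per_line)]


if __name__ == "__main__":
    nets = parse_netblocks(SAMPLE_NETBLOCKS)
    print(f"{len(nets)} input blocks -> {len(collapse(nets))} after collapsing")
    print("\n".join(exit_policy_lines(nets)))
```

Run it on the real blockfinder output by replacing SAMPLE_NETBLOCKS with the file contents; the collapsed count tells you how much of the 1000-plus lines was redundant before you decide whether the one-entry-per-line or the comma-separated form is worth trying.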

We went to open a ticket reporting the crash in our attempt to build a per-country exit policy, and found an existing ticket for a similar attempt, to which we contributed; it still seems to be an open issue.

The conclusion is that it is not possible to build a per-country exit policy for a Tor exit node in a clean and polite way, so I decided to go the dirty way with iptables/geoip. After fighting to make it compile properly, it took one line of iptables to block traffic going to Italy:

iptables -A OUTPUT -p tcp -m state --state NEW -m geoip --dst-cc IT -j REJECT

Now no connection to Italian networks will be made from my exit node, and I am safer against possibly stupid prosecutors not understanding Tor (an exception accepting all Tor node IP addresses is applied before this rule, so the node can still talk to Italian relays). The price of doing this in the firewall instead of the exit policy is that clients still see Italian destinations as allowed by this exit, so their connections simply fail instead of being routed through another exit.

After a few more days I started to receive complaints about port-scan activity originating from my Tor node.

From my own point of view I want to support an anonymity network, not anonymous hacking attempts, so I want to filter out port scans and attacks originating from my node. That is a complex matter that requires some study, so in the meantime I installed scanlogd and snort, because I want to evaluate how many attacks, and of which kind, are getting out of my Tor exit node.

Later I will try to arrange some kind of filtering to make sure I am able to filter out the major attacks.

As far as port scans are concerned, it seems there are no public tools to detect and filter outgoing port scans, only incoming ones, so I will probably need to write something ad hoc.

I will report how things are going, and whether there is a nice, lightweight way to run snort-inline so as to selectively filter out major attack attempts originating from my exit node.
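As an illustration of the ad hoc outgoing-scan detection described above, here is an added example that is not code from the original post or its author. It assumes the exit logs every new outbound TCP connection with a rule such as `iptables -A OUTPUT -p tcp -m state --state NEW -j LOG --log-prefix "TOR-OUT: "` and reads the resulting kernel log lines in syslog format. A vertical scan is reported when one destination host receives SYNs to at least PORT_THRESHOLD distinct ports within WINDOW_SECONDS; from an exit node SRC is always the exit itself, so detection is keyed on the destination, not on the (unknowable) client. The log lines are constructed sample data in the real netfilter LOG layout, and the blocking rules are only emitted as strings, not applied.

```python
"""Flag outgoing port scans in netfilter LOG output from a Tor exit node.

Added example, not a tool used in the post. Assumes lines produced by an
iptables LOG rule with --log-prefix "TOR-OUT: " on the OUTPUT chain.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

PORT_THRESHOLD = 8    # distinct destination ports on one host ...
WINDOW_SECONDS = 60   # ... within this many seconds => vertical scan

# Real netfilter LOG layout: "<syslog ts> <host> kernel: [dmesg ts] PREFIX IN= OUT=... SRC= DST= ... PROTO=TCP SPT= DPT= ..."
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?:\[[^\]]*\] )?TOR-OUT: "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, dst, dport) for a TOR-OUT line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog stamp
    return ts, m.group("dst"), int(m.group("dpt"))


def detect_scans(lines, threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {dst: sorted distinct ports} for every host scanned within the window.

    A per-destination deque of (ts, port) events is expired as it ages past
    `window`, so memory stays bounded to one window even on a busy exit.
    """
    recent = defaultdict(deque)
    hits = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, dst, dpt = parsed
        q = recent[dst]
        q.append((ts, dpt))
        while q and (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold:
            hits[dst] = sorted(ports | set(hits.get(dst, [])))
    return hits


def reject_rules(hits):
    """iptables rules that would block the scanned hosts; returned, not executed."""
    return [f"iptables -I OUTPUT -p tcp -d {dst} -j REJECT" for dst in sorted(hits)]


def _log_line(ts, dst, dpt):
    """Build one LOG line (constructed sample data; 192.0.2.10 plays the exit)."""
    return (f"{ts} exit kernel: TOR-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST={dst} "
            f"LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=40001 DPT={dpt} "
            f"WINDOW=29200 RES=0x00 SYN URGP=0")


PROBED_PORTS = [21, 22, 23, 25, 80, 443, 3306, 8080]
SAMPLE_LOG = (
    # 198.51.100.7: 8 ports in 8 seconds -> scan
    [_log_line(f"Nov 25 13:02:{10 + i:02d}", "198.51.100.7", p) for i, p in enumerate(PROBED_PORTS)]
    # 203.0.113.50: ordinary browsing, two ports
    + [_log_line("Nov 25 13:02:15", "203.0.113.50", 443), _log_line("Nov 25 13:02:40", "203.0.113.50", 80)]
    # 198.51.100.9: the same 8 ports, but two minutes apart -> never 8 inside one window
    + [_log_line(f"Nov 25 13:{5 + 2 * i:02d}:00", "198.51.100.9", p) for i, p in enumerate(PROBED_PORTS)]
    # unrelated syslog line that must be ignored
    + ["Nov 25 13:10:00 exit sshd[123]: Accepted publickey for admin"]
)

if __name__ == "__main__":
    found = detect_scans(SAMPLE_LOG)
    for dst, ports in found.items():
        print(f"scan of {dst}: ports {ports}")
    print("\n".join(reject_rules(found)))
```

The threshold and window are the tuning knobs: an exit carries many unrelated users' circuits to the same popular hosts, so a destination that legitimately serves several ports (mail plus web plus IMAP) can trip a low threshold; raising it, or only counting ports outside a whitelist of common services, trades sensitivity for fewer false blocks. The slow-probe case in the sample shows the limit of any fixed window: a scanner that spaces probes beyond it is invisible to this detector by design.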

My goal is to keep an exit node running in the long term (at least 1 TB of traffic per month donated to Tor), reducing the effort spent on ISP complaints and doing my best to run the exit node with reasonable liability.

One comment

  • dd
    25 November 2011 - 1:32 pm

    Why do you run TOR if you try to filter everything? You don't understand what TOR is, and with your actions you just make it dirty.
