To: tor-talk@lists.torproject.org
References: <56AE1D6B.6060804@infosecurity.ch> <56AE2FB1.3060602@foofus.com>
From: "Fabio Pietrosanti (naif) - lists" <lists@infosecurity.ch>
Message-ID: <56AF5CFF.8080203@infosecurity.ch>
Date: Mon, 1 Feb 2016 14:26:23 +0100
In-Reply-To: <56AE2FB1.3060602@foofus.com>
Subject: Re: [tor-talk] Exit Traffic classification and discrimination

Answers in-line.

On 1/31/16 5:00 PM, amuse wrote:
> Hi Fabio:
> 
> TLDR: No, I haven't and wouldn't try this.
> 
> 
> If I understand, you're asking "Why don't TOR operators discriminate on
> traffic by passing packets to popular, acceptable sites and
> discriminating against traffic headed "elsewhere" by re-routing it?"
> 
> This view ignores a few fundamental facts underlying the very existence
> of TOR.

From the point of view of a Tor user, there's absolutely no change in
the Threat Model.

From the point of view of a Tor Relay operator, there would be better
resiliency against takedown due to abuses.


> 
> 1) That tools such as TOR exist specifically to enable that last 10% of
> "dangerous" traffic - given that every political regime gets to decide
> what they think is "Dangerous".  In Saudi Arabia, criticism of the king
> is dangerous traffic. In China, discussion of the Tiananmen Square
> massacre is also dangerous. TOR exists specifically to facilitate this
> traffic.

We are not speaking about what's "Dangerous" for a Tor user, but what's
"Abuse-Generating" for a Tor operator.

I think that most of those discussions you're referring to:
- do not trigger abuses being sent to the ISPs
- happen mostly on major internet platforms (let's say the top-30)

> 
> 2) That the most objectionable traffic will probably be going to a lot
> of the top-30 websites, as that's where political discussions need to be
> brought to gain any sort of critical mass to bring them out of anonymous
> online enclaves and translate them into real political activity.
> 
> Finally, I wonder whether you have any experience actually, in practice,
> trying to differentiate traffic as "abuse" from "not abuse". If there
> were any even close-to-accurate ways of doing this, I suspect ISPs
> would already be doing it and even your abusive TOR traffic would get
> dropped at peering connections.

When I used to run Tor Exit relays, I never received abuses coming from
traffic being directed to major internet websites (i.e. Google, Facebook,
Wikipedia, etc.).

The ISPs are already doing that, it's called "Traffic Engineering", but
it's not done due to "abuse" or "not abuse", because the abuses are not
a major issue for an ISP.

Abuses are a major issue for Tor operators, not for ISPs.

> 
> In practice, it's very difficult to tell if even "clearly abusive"
> traffic - say, XSS attempts or SQL injection scanners - are abuse by
> some annoying hackers, or research by someone trying to assess how many
> home IP cameras are vulnerable to being part of a botnet, or even an
> authorized pen-tester just checking out their client's distributed offices.

Any digital attack attempt going through Tor has to be considered
abusive, because it generates abuses.

Btw if you try to make a web attack against:
- Facebook or Google or  (no abuse received)
- A major abuse (abuse received)

That's why traffic engineering with such a multi-homing approach could
really work, differentiating traffic designated to
top-internet-destination (that does not generate abuses but may
represent most of the traffic) vs. rest of the internet (that's likely a
minor part of the traffic, but in this chunk there's surely the
abuse-generating one).

Btw it's not easy to be technically implemented.

Fabio

