As documented in the attached mail, the eBlocker is connecting to the TOR network even if the user is connecting via VPN. As a result of this, my firewall displays the following message:
Threat Management Alert 2: Misc Attack. Signature ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 363. From: 192.99.220.114:9001, to: 10.1.2.2:37968, protocol: TCP
The workaround included in the attached mail unfortunately does not solve the problem.
Change request:
- Based on the fact that the eBlocker is installed in the home network, the user should know, for transparency reasons, about the TOR traffic in the network. This means that this situation needs to be documented.
- I ask for the implementation of a software switch to stop the eBlocker from connecting to the TOR network.
Outgoing connection example:
IPS BLOCK: IN=eth0.60 OUT=eth2 MAC=b4:fb:e4:29:e8:71:52:e0:e0:aa:de:74:08:00:45:00:00:b2 SRC=10.1.2.2 DST=54.36.237.163 LEN=178 TOS=0x00 PREC=0x00 TTL=63 ID=48260 DF PROTO=TCP SPT=59155 DPT=443 WINDOW=130 RES=0x00 ACK PSH URGP=0
Incoming connection example:
IPS BLOCK: IN=eth2 OUT=eth0.60 MAC=b4:fb:e4:29:e8:73:e0:28:6d:a5:48:3f:08:00 SRC=54.36.237.163 DST=10.1.2.2 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=52894 DF PROTO=TCP SPT=443 DPT=59155 WINDOW=235 RES=0x00 ACK FIN URGP=0
Mail eBlocker Support:
Dear Mr. xxxx,
The Tor client integrated on the eBlocker connects to the Tor network in order to synchronise the list of active Tor nodes. The client does this automatically at boot and at regular intervals, even if no device is using Tor.
I have filed a ticket with development so that the Tor client can optionally be switched off, or is only switched on once a device is supposed to use Tor.
Unfortunately I cannot give you a date for when this option will be built in.
In the meantime it would probably be easiest for you to block the addresses of the directory authorities on your firewall:
https://metrics.torproject.org/rs.html#search/flag:authority
Then the Tor client should have no way to load the list of active Tor nodes.
Best regards from Hamburg
p.p.
Sebastian Keller
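The two "IPS BLOCK" lines above are kernel-style key=value records, so a few lines of parsing are enough to answer the question the thread is really about: which LAN host is talking to Tor, and in which direction. The following script is an added example, not code from the eBlocker project or from the poster. It parses such records, matches SRC/DST against a relay address set, and emits iptables drop rules for whatever list you feed it. The relay set is constructed from the two addresses quoted in this thread; the third and fourth log lines are constructed (one modelled on the "ET TOR" alert, one a non-Tor flow from another LAN host), and the iptables chain name is an assumption.

```python
import re
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample log: the two "IPS BLOCK" lines quoted in the post above
# (field spacing restored), one constructed line modelled on the "ET TOR"
# alert (relay 192.99.220.114:9001 -> 10.1.2.2:37968), and one constructed
# non-Tor flow from another LAN host to a documentation address.
SAMPLE_LOG = """\
IPS BLOCK: IN=eth0.60 OUT=eth2 MAC=b4:fb:e4:29:e8:71:52:e0:e0:aa:de:74:08:00:45:00:00:b2 SRC=10.1.2.2 DST=54.36.237.163 LEN=178 TOS=0x00 PREC=0x00 TTL=63 ID=48260 DF PROTO=TCP SPT=59155 DPT=443 WINDOW=130 RES=0x00 ACK PSH URGP=0
IPS BLOCK: IN=eth2 OUT=eth0.60 MAC=b4:fb:e4:29:e8:73:e0:28:6d:a5:48:3f:08:00 SRC=54.36.237.163 DST=10.1.2.2 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=52894 DF PROTO=TCP SPT=443 DPT=59155 WINDOW=235 RES=0x00 ACK FIN URGP=0
IPS BLOCK: IN=eth2 OUT=eth0.60 SRC=192.99.220.114 DST=10.1.2.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=9001 DPT=37968 WINDOW=64240 RES=0x00 ACK URGP=0
IPS BLOCK: IN=eth0.60 OUT=eth2 SRC=10.1.2.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# Constructed relay list: the two addresses the firewall flagged in this
# thread. A real deployment would load the current relay or directory
# authority addresses (e.g. from the Tor metrics page linked in the mail).
KNOWN_TOR_RELAYS: Set[str] = {"192.99.220.114", "54.36.237.163"}

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_ips_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one 'IPS BLOCK: key=value ...' record into a dict.

    Bare flag tokens such as DF, ACK or PSH carry no '=' and are skipped.
    Lines that are not IPS block records yield None.
    """
    if "IPS BLOCK:" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def find_tor_flows(log_text: str, relays: Set[str]) -> List[Dict[str, object]]:
    """Return every blocked TCP flow whose SRC or DST is a known relay address."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_ips_line(line)
        if not rec or rec.get("PROTO") != "TCP":
            continue
        src, dst = rec.get("SRC"), rec.get("DST")
        if dst in relays:  # LAN host initiated the packet towards the relay
            hits.append({"lan_host": src, "relay": dst,
                         "relay_port": int(rec["DPT"]), "direction": "outbound"})
        elif src in relays:  # relay sent the packet towards the LAN host
            hits.append({"lan_host": dst, "relay": src,
                         "relay_port": int(rec["SPT"]), "direction": "inbound"})
    return hits


def tor_talkers(hits: List[Dict[str, object]]) -> Set[str]:
    """LAN hosts that exchanged traffic with a known relay."""
    return {str(h["lan_host"]) for h in hits}


def drop_rules(addresses: Iterable[str], chain: str = "FORWARD") -> List[str]:
    """iptables commands dropping forwarded traffic to and from each address.

    Assumes a Linux netfilter firewall; adjust the chain name for yours.
    """
    rules: List[str] = []
    for addr in sorted(addresses):
        rules.append(f"iptables -I {chain} -d {addr} -j DROP")
        rules.append(f"iptables -I {chain} -s {addr} -j DROP")
    return rules


if __name__ == "__main__":
    found = find_tor_flows(SAMPLE_LOG, KNOWN_TOR_RELAYS)
    for h in found:
        print(f'{h["direction"]:8} {h["lan_host"]} <-> {h["relay"]}:{h["relay_port"]}')
    print("LAN hosts talking to Tor relays:", ", ".join(sorted(tor_talkers(found))))
    print("\n".join(drop_rules(KNOWN_TOR_RELAYS)))
```

Running it on the sample shows that every relay flow involves 10.1.2.2 and none involves the other LAN host, which is the evidence the poster needs to attribute the traffic to the eBlocker rather than to a client device. Feeding `drop_rules` the directory authority addresses instead of relay addresses reproduces the workaround proposed in the support mail.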
Next to the message, what's the issue? I don't understand the problem.
If you feel this is a feature request, you might want to post it in the corresponding forum and have others vote for it.
The problem is that I have TOR traffic inside of my LAN environment even if I don't use TOR. This traffic is caused only because the eBlocker is periodically connecting to the TOR network. And this needs to be fixed because users want to control the traffic inside of the LAN environment. This is also part of the network security and privacy that you try to defend. I think that the majority of eBlocker users don't know there is this kind of traffic inside of the network.
PLS then post it in the Feature Request Forum and let the community vote.
With your feature request, you might want to consider going more into detail about the security risk. I'm personally not aware of what attack vector you feel is here.
Personally I don't care much about some TOR packets in my network. If I were you, I would just block these in your FW. That's faster and more "under your control" than any implementation that might take place in future...
THX!
@ticinogrigioni I'm with @random and like to understand the risks involved in Tor-traffic better. Could you please explain this a little more or guide us to some Internet resources...?
For your background: The current Tor concept was implemented with speed in mind. If the Tor communication is enabled in eBlocker you are instantly routing all traffic thru Tor without any delay.
Otherwise users would need to wait - in the worst case for minutes - to establish a Tor connection. So we did the implementation purposely for a great user experience - and so far everybody has been happy.
But if there are risks involved, of course we are eager to know. Then we might find a volunteer to get this changed 🤔 😉 Or if you feel like changing it: we'd love to welcome you to the team.
Thanks much.