This is a very slick tool that allows you to forward ports from your local machine to a public server at `bore.pub`.
I hope this service will continue to be available, however it looks to me as if this service is very easily abused (e.g. by spreading illegal content). But even if it just gets popular there are bandwidth costs which may run high quickly, if you have a few 100 heavy users.
If the author is here:
- How much of a concern is this for you?
- Do you have plans to offset the bandwidth fees?
- The backend is a single host, right? When would you need to scale this?
I used to provide a public instance of sish (a similar app) [0] and can say abuse is most definitely a problem. People were using sish for command-and-control servers, especially because it used only SSH for establishing tunnels. It was specifically chosen because nothing else needed to be installed. Really only worth it if a service provider (DO, AWS, etc) provides free compute and acknowledges the risk involved.
Interesting! Thanks for sharing your story. I'll keep an eye out for abuse of the kind you mention. Maybe if that seems to be an issue, I'd turn off the explicit `--port` option on the public server, which would only allow randomly assigned ports.
- Yes, this will be quickly abused now it has been made more public, unless the service at bore.pub has the shared secret set (have you tried to connect?).
- The service may currently be running on a host that has “unlimited” bandwidth at a limited speed, so there may be no extra bandwidth fees to offset (though the bandwidth will be increasingly saturated and so progressively much slower for each active connection).
- I don't think scaling was intended, more than people would run their own version on their own service. Scaling could be achieved to an extent with a fatter bandwidth allowance (a faster rate cap, if I'm right about that being the limit not a fixed bandwidth cap). Unless the service is running on a very fast link on a very slow (or congested) CPU, bandwidth will likely be the limiting factor not anything else. If the process is large and forks for each connection then memory could be a limitation, but that could be increased easily or you could have multiple servers on the same name using a load-balancer or simple round-robin DNS.
Though I'm not sure what this offers beyond using a reverse SSH tunnel, if you have your own server/VM to host it on. Of course if you do not have your own external server but an account on someone else's which does not allow tunnels like that then this tool could be useful, but you could also get your own VM with full access for not much more than $1/month.
See my comment below about differences in goals from remote SSH port forwarding (which I also use regularly).
Scaling issues are not a problem for me, but thank you for your concern. The nice thing about scaling is that you only have to worry about it if your service is used a lot, and bore is just a small hobby project. I mention in the FAQ where I’m currently at with CPU/memory usage and network egress; it’s very cheap and not even close to hitting limits. (thanks Rust!)
It's not really a user concern. It's highlighting that open relays like this are infamously abused and the people that run them can face pretty serious investigations or worse. It would not be fun to be woken up by Interpol or the FBI yanking you out of bed with guns drawn because someone was using your public bore.pub service to host or send malicious or criminal content, control a botnet, etc.
Wow, that’s pretty violent. Excuse me! Bore is just a proxy I wrote on a train ride home, and I’m making it public for its own sake. I’d honestly rather you not make intimidating suggestions towards threats like this.
It's not useful to bury your head in the sand and write it off as an intimidating suggestion. Take a look at the Tor relay operations faq [1].
> Has anyone ever been sued or prosecuted for running Tor?
> Although we are not aware of an individual being sued, prosecuted, or convicted for running a Tor relay, law enforcement in the United States and other countries has occasionally mistakenly investigated individuals running a Tor relay. We believe that running a Tor relay, including an exit relay that allows people to anonymously send and receive traffic, is legal under U.S. law. Law enforcement, however, often misunderstands how Tor works and has occasionally attributed illegal traffic on the network as originating from a Tor exit relay. This has resulted in police suspecting Tor relay operators of crimes and sometimes seizing computer equipment, including Tor relays. For example, in 2016 Seattle police mistakenly raided the home of a privacy activist operating a Tor exit relay. And Russian authorities wrongfully arrested math instructor and Tor relay operator Dmitry Bogatov, though they later cleared him of charges.
This isn't a threat, this is a warning to be careful about how police and investigators operate with little knowledge of how the internet actually works. If someone were hosting a web server with child porn tunneled through your bore.pub service, the authorities would only see bore.pub IPs in traffic logs, and they would definitely contact the DNS and IP block owner to figure out exactly who runs that bore.pub server (you) and get a warrant to seize their computers.
It can be used as an anonymous reverse proxy, meaning it could be used to host malicious or illegal files on a malicious user's computer, while making it more difficult to trace back to them. Any complaints will have the service IP address rather than the malicious user's, meaning the server host is the first person the feds will be questioning during an investigation. And when I say questioning, I mean potentially publicly arresting the host for child porn or similar, destroying their life (despite being innocent), or holding the host's computer equipment as evidence for months / years as part of the crime, even with irrefutable proof of innocence on behalf of the host.
On the things not to host, a public variant of this would be at the top of my list, right next to tor exit nodes.
Don't do that. Since crypto mining exists, letting people access your machine means they're going to make you mine Monero; that's what killed public Unix systems, a tradition that started in the early 80s.
But I'd probably use this to test mobile web; sometimes web APIs like cameras don't work consistently between Chrome on PC and Chrome on Android, for example, and this lets you test the solution on real hardware without needing to deploy.