[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: reconsidering default exit policy

To: or-talk@xxxxxxxxxxxxx
Subject: Re: reconsidering default exit policy
From: "Richard Johnson" <rdump@xxxxxxxxx>
Date: Mon, 29 Aug 2005 09:05:33 -0600
Delivered-to: archiver@seul.org
Delivered-to: or-talk-outgoing@seul.org
Delivered-to: or-talk@seul.org
Delivery-date: Mon, 29 Aug 2005 11:09:30 -0400
In-reply-to: <7d9163f3050828191515f6e4a2@mail.gmail.com>
References: <7d9163f305082808495f351068@mail.gmail.com> <20050828160250.GH10005@opium.palfrader.org> <7d9163f305082811146910667e@mail.gmail.com> <20050828181838.GL30236@northernsecurity.net> <7d9163f30508281902aa1d4cf@mail.gmail.com> <43126D67.6030502@algae-world.com> <7d9163f3050828191515f6e4a2@mail.gmail.com>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx

At 21:15 -0500 on 2005-08-28, Arrakis Tor wrote:
> You could remote control a trojan through any port which was
> compromised on the host, I would think.

I think you're looking at the streams the wrong direction there.  Because
typical firewalls block inbound connections while allowing outbound,
shellcode, PHP exploits, etc. are often used to download IRC bots, which
then connect out to public IRC servers on standard IRC ports and await
commands.

Using non-standard IRC ports (and non-IRC protocols) for such traffic has a
benefit and a few drawbacks.  The benefit is that trivial IRC watchers
won't easily detect it.  The drawbacks are that the server network isn't
going to be extensive (likely not more than one machine), leading to
throughput problems, and that it'll be disabled once discovered.

Of course, bots won't generally use tor nodes for their IRC connections.
But the controllers of those bots often will try to use tor.

For that reason, it can make sense to refuse connections to default IRC
ports on IRC servers from your tor node.  You may feel that IRC is one of
those protocols that, like SMTP and NNTP, is aggressively unauthenticated
and prone to abuse.

Richard

Follow-Ups:
- Re: reconsidering default exit policy
  - From: Chris Palmer

References:
- Re: reconsidering default exit policy
  - From: Arrakis Tor
- Re: reconsidering default exit policy
  - From: Arrakis Tor
- Re: reconsidering default exit policy
  - From: Thomas Sjögren
- Re: reconsidering default exit policy
  - From: Arrakis Tor
- Re: reconsidering default exit policy
  - From: tor
- Re: reconsidering default exit policy
  - From: Arrakis Tor

Prev by Author: Re: reconsidering default exit policy
Next by Author: Re: reconsidering default exit policy
Previous by thread: Re: reconsidering default exit policy
Next by thread: Re: reconsidering default exit policy
Index(es):
- Author
- Thread