
Re: eliminating bogus port 43 exits



One person's legit is another's bogus. It's always been that way.
Other than routing, the use of the internet is partly chaos and
it's not changing any time soon. "Packets found on an internet",
they exist, therefore they are, deal with it. So let's forget about
this port number legitimacy thing.

Further, some of us are real world network operators. We routinely
sniff and record traffic as part of our jobs. In fact, if we did
not, we would be very ineffective in our positions. Sniff if you
want, don't if you don't. So we can also throw this argument out
the window as to each their own.

What we really want to know as network operators is what exactly
IS going on in this case. And a simple count of SYNs is not enough
for some operators to make a decision regarding their rulesets.

Because for all they know, that traffic may indeed be diplomatic
communications with the Borg that are keeping our planet from being
assimilated. And well, unless you're Borg, or wish to become one,
that's pretty legitimate :)

Sniff that thing out, bring the full stats, write a whitepaper.
Operators will look at it and make their own choices.

Storing/grokking a day's worth of tcp/43 sessions to find what percent
of them have whois strings should be easy. As should tallying up
the top ten whois queries and a distribution curve. That could help
determine if it's some clients gone haywire or normal. Though
somewhat like a ping someone left running, over Tor you'd just have
to wait it out. Classifying and counting the non-whois sessions
would be harder but definitely interesting.

If I was running an exit I would have already done and posted this
for you all, but I'm not at the moment, so I can't. I yield the
podium to my esteemed and valued peers on this list :)
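The tally the post asks for (percent of tcp/43 sessions that carry a whois string, the top ten queries, and a distribution curve) is straightforward to sketch. The following is an added example, not code from the post's author or from any Tor project tool. It assumes each session has already been reduced to the first client-to-server payload (for instance, the client side of a reassembled stream from a capture tool), works only on that aggregate, and classifies by payload shape: a whois query per RFC 3912 is a single printable-ASCII line ending in CRLF, while HTTP and TLS on port 43 are recognised by their leading bytes. The sample sessions are constructed here for illustration.

```python
import re
from collections import Counter

# Constructed sample: each entry is the first client-to-server payload of
# one tcp/43 session (assumption: sessions were pre-reassembled this way).
SAMPLE_SESSIONS = [
    b"example.com\r\n",
    b"example.com\r\n",
    b"EXAMPLE.COM\r\n",                              # same query, different case
    b"n 192.0.2.1\r\n",                              # ARIN-style flag, still a whois query
    b"example.org\r\n",
    b"GET / HTTP/1.1\r\nHost: example.net\r\n\r\n",  # HTTP sent to port 43
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1",         # looks like a TLS ClientHello
    b"",                                             # client sent nothing before close
    b"example.com\r\n",
]

# RFC 3912: one line of printable ASCII terminated by CRLF (LF tolerated).
_WHOIS_LINE = re.compile(rb"^[\x20-\x7e]{1,255}\r?\n$")
_HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")


def classify(client_payload: bytes) -> str:
    """Label a session by the shape of its first client payload."""
    if not client_payload:
        return "empty"
    if client_payload.startswith(_HTTP_METHODS):
        return "http"
    if client_payload[:1] == b"\x16":  # TLS record type 0x16 = handshake
        return "tls"
    if _WHOIS_LINE.match(client_payload):
        return "whois"
    return "other"


def normalize_query(payload: bytes) -> str:
    """Strip the line terminator and fold case so repeats tally together."""
    return payload.rstrip(b"\r\n").decode("ascii").strip().lower()


def summarize(sessions, top_n=10):
    """Aggregate counts only: no per-client state is kept anywhere."""
    kinds = Counter()
    queries = Counter()
    for payload in sessions:
        kind = classify(payload)
        kinds[kind] += 1
        if kind == "whois":
            queries[normalize_query(payload)] += 1
    total = sum(kinds.values())
    whois_pct = 100.0 * kinds["whois"] / total if total else 0.0
    # Distribution curve: how many distinct queries were seen exactly k times.
    # A few queries repeated thousands of times suggests a client gone haywire;
    # a flat curve looks like ordinary lookups.
    repeat_hist = Counter(queries.values())
    return {
        "total": total,
        "kinds": dict(kinds),
        "whois_pct": whois_pct,
        "top": queries.most_common(top_n),
        "repeat_hist": dict(repeat_hist),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_SESSIONS)
    print(f"sessions: {report['total']}  whois: {report['whois_pct']:.1f}%")
    print("by kind:", report["kinds"])
    print("top queries:", report["top"])
    print("repeat histogram (times seen -> distinct queries):", report["repeat_hist"])
```

The "other" bucket is where the harder classification work the post mentions would go; this sketch only separates whois from the two protocols most likely to show up on a stray port.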