[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Network Scan through Tor Exit Node (Port 80)



On Wednesday 09 March 2011 17:20:17 Chris Palmer wrote:
> On 03/09/2011 01:48 PM, Arjan wrote:
> >> We are saying hello on port 443, and then saying goodbye. Once. Using
> >> normal TCP and TLS handshaking, no tricks. For the good of the internet.
> >
> > That would be enough to get me in trouble with my ISP for performing
> > portscans (if I were running an exit node).
>
> And how would you, or anyone else, differentiate that from normal web
> browsing?

If a lot of those connection attempts are going to IP addresses with no host 
present, or hosts not running a webserver, it looks like portscanning. If 
almost all of the connection attempts are to webservers that have port 443 
open, it looks like normal https web browsing.

I have only one external address and only a few ports forwarded, so I can't 
detect portscans. I have noticed that an attempt to guess passwords on SSH is 
often, but not always, preceded by a connect and disconnect from the same IP 
address, which is probably part of a portscan. I don't block addresses that 
scan ports, but I do block addresses that try to guess passwords (not on the 
Tor box, just on the other one). The block expires in a day.

cmeclax

cmeclax
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays