
Re: reconsidering default exit policy



At 21:15 -0500 on 2005-08-28, Arrakis Tor wrote:
> You could remote control a trojan through any port which was
> compromised on the host, I would think.


I think you're looking at the streams the wrong direction there.  Because
typical firewalls block inbound connections while allowing outbound,
shellcode, PHP exploits, etc. are often used to download IRC bots, which
then connect out to public IRC servers on standard IRC ports and await
commands.

Using non-standard IRC ports (and non-IRC protocols) for such traffic has a
benefit and a few drawbacks.  The benefit is that trivial IRC watchers
won't easily detect it.  The drawbacks are that the server network isn't
going to be extensive (likely not more than one machine), leading to
throughput problems, and that it'll be disabled once discovered.

Of course, bots won't generally use tor nodes for their IRC connections.
But the controllers of those bots often will try to use tor.

For that reason, it can make sense to refuse connections to default IRC
ports on IRC servers from your tor node.  You may feel that IRC is one of
those protocols that, like SMTP and NNTP, is aggressively unauthenticated
and prone to abuse.


Richard
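
An added example, not part of the message above: a small evaluator for Tor `ExitPolicy` lines showing a relay policy that refuses IRC ports, and that the first matching rule wins, so the rejects must come before any broad accept. The port numbers (6660-6669, 6697) and the sample addresses are assumptions, since the message names no ports, and the parser is a simplified IPv4-only sketch rather than Tor's own code.

```python
import ipaddress

# Constructed torrc fragment (not from the original message). Ports are an
# assumption: 6660-6669 and 6697 are commonly used IRC ports.
TORRC = """\
ExitPolicy reject *:6660-6669   # plaintext IRC
ExitPolicy reject *:6697        # IRC over TLS
ExitPolicy accept *:*           # everything else
"""

def parse_policy(text):
    """Return rules as (action, network_or_None, low_port, high_port)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing comments
        if not line.startswith("ExitPolicy"):
            continue
        # One torrc line may carry several comma-separated rules.
        for item in line[len("ExitPolicy"):].split(","):
            action, pattern = item.split()
            addr, sep, port = pattern.rpartition(":")
            if not sep:                            # "reject 10.0.0.0/8" means all ports
                addr, port = port, "*"
            net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
            if port == "*":
                lo, hi = 1, 65535
            else:
                lo, _, hi = port.partition("-")
                lo, hi = int(lo), int(hi or lo)
            rules.append((action, net, lo, hi))
    return rules

def decide(rules, ip, port):
    """First matching rule wins. "no-match" means none of these rules applied
    (Tor then falls through to its built-in default policy)."""
    ip = ipaddress.ip_address(ip)
    for action, net, lo, hi in rules:
        if (net is None or ip in net) and lo <= port <= hi:
            return action
    return "no-match"

if __name__ == "__main__":
    rules = parse_policy(TORRC)
    for port in (6667, 6697, 443):
        print(port, decide(rules, "192.0.2.10", port))   # 192.0.2.10: documentation address
```

Placing `accept *:*` ahead of the reject lines would make them dead rules, which is the usual mistake when hand-editing an exit policy.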