
Re: eliminating bogus port 43 exits



     On Fri, 03 Jul 2009 10:25:41 +0200 Hans de Hartog <dehartog@xxxxxxxxxx>
wrote:
>Hans de Hartog wrote:
>> Scott Bennett wrote:
>>>      Unfortunately, the above method is unlikely to see more than a tiny
>>> fraction of the port 43 exits, which are usually of very short duration.
>>>      Instead, try turning on info-level logging.  Then you can use something
>>> like
>>>
>>> /usr/bin/fgrep connection_edge_finished_connecting /var/log/tor/info.log | \
>>>  nice +14 /usr/bin/sed -e 's/connection_edge_finished_connecting(): Exit connection to \[scrubbed\]:/Exit to port /' -e 's/(\[scrubbed\]) //' -e 's/(.* established.//' -e 's/\ established.//' -e 's/ 1499//' | \
>>>   nice +14 sort -n -g +7 -8 | uniq -c -f 7
>>>
>>> (Beware of linewrap in the line containing the /usr/bin/sed command.)  Note
>>> that your paths, options to sort(1) and uniq(1), etc. may vary, depending
>>> upon your operating system.  This example works properly for FreeBSD.  Also,
>>> use of nice is obviously optional, but a good idea if you're sharing a system
>>> with other users at the same time.  Output from the above looks like this:
>>>
>>>   39 Jun 14 03:19:02.223 [info] Exit to port 443
>>>    1 Jun 14 03:16:21.795 [info] Exit to port 6001
>>>    1 Jun 14 03:19:20.310 [info] Exit to port 6010
>>>    1 Jun 14 03:16:24.275 [info] Exit to port 6666
>>>
>>> and so on, where the number at the lefthand side is the number of exits for
>>> that port, and the date+timestamp is from the first occurrence in the log file
>>> of an exit for that port.  You may wish to change the final form of the output
>>> lines to suit your own taste.
>>>      I think you'll find that scanning an info-level log file gives you a
>>> very different result from looking at periodic samplings of netstat(1) output.
>> As promised, here are the results of Scott's script
>> 24 hours after switching on info logging:
>>
>> Sorted by port number (for ports < 1000)
>>   11 Jun 14 12:05:48.178 [info] Exit to port 21
>>    3 Jun 14 22:15:29.243 [info] Exit to port 22
>>    1 Jun 15 05:12:38.435 [info] Exit to port 29
>> 1191 Jun 14 11:51:28.925 [info] Exit to port 43
>>    2 Jun 15 03:39:32.109 [info] Exit to port 53
>>    1 Jun 14 12:54:54.073 [info] Exit to port 57
>>    2 Jun 15 05:19:21.415 [info] Exit to port 64
>> 24043 Jun 14 11:07:00.997 [info] Exit to port 80
>>   25 Jun 14 12:37:02.716 [info] Exit to port 81
>>    5 Jun 14 11:29:10.296 [info] Exit to port 82
>>    2 Jun 14 16:34:00.878 [info] Exit to port 83
>>    3 Jun 14 18:04:02.749 [info] Exit to port 84
>>    5 Jun 14 11:16:10.207 [info] Exit to port 85
>>    1 Jun 14 14:52:40.523 [info] Exit to port 86
>>    4 Jun 14 13:41:44.467 [info] Exit to port 87
>>    3 Jun 14 16:34:02.507 [info] Exit to port 89
>>    1 Jun 15 04:44:09.560 [info] Exit to port 90
>>    1 Jun 15 04:27:40.454 [info] Exit to port 91
>>    1 Jun 14 23:32:00.738 [info] Exit to port 92
>>    1 Jun 15 01:24:52.137 [info] Exit to port 95
>>    1 Jun 14 16:12:14.378 [info] Exit to port 96
>>    4 Jun 15 00:03:03.627 [info] Exit to port 98
>>    4 Jun 14 16:08:53.067 [info] Exit to port 99
>>    1 Jun 15 03:42:39.595 [info] Exit to port 101
>>    2 Jun 14 14:00:35.252 [info] Exit to port 102
>>    1 Jun 14 18:04:49.153 [info] Exit to port 104
>>    1 Jun 14 11:38:37.984 [info] Exit to port 109
>>   48 Jun 14 14:38:07.948 [info] Exit to port 110
>>    6 Jun 14 15:22:22.942 [info] Exit to port 119
>>  541 Jun 14 12:00:24.675 [info] Exit to port 187
>>    1 Jun 14 21:36:46.609 [info] Exit to port 400
>>    1 Jun 15 04:55:13.365 [info] Exit to port 411
>>    1 Jun 14 19:16:05.586 [info] Exit to port 442
>> 2193 Jun 14 11:43:03.144 [info] Exit to port 443
>>    1 Jun 14 15:23:54.915 [info] Exit to port 462
>>    1 Jun 15 01:09:02.965 [info] Exit to port 554
>>    1 Jun 14 15:32:29.782 [info] Exit to port 623
>>    1 Jun 15 00:03:11.737 [info] Exit to port 666
>>    1 Jun 15 02:19:05.865 [info] Exit to port 800
>>    2 Jun 14 12:22:13.641 [info] Exit to port 808
>>    1 Jun 15 07:40:10.154 [info] Exit to port 809
>>    1 Jun 15 08:43:43.371 [info] Exit to port 888
>>   18 Jun 14 12:32:28.145 [info] Exit to port 995
>> <snip>
>>
>> Reverse sorted by count
>> 24043 Jun 14 11:07:00.997 [info] Exit to port 80
>> 2193 Jun 14 11:43:03.144 [info] Exit to port 443
>> 1191 Jun 14 11:51:28.925 [info] Exit to port 43
>>  541 Jun 14 12:00:24.675 [info] Exit to port 187
>>  464 Jun 14 11:26:03.550 [info] Exit to port 5001
>>  173 Jun 14 11:16:51.925 [info] Exit to port 2710
>>  165 Jun 14 11:12:34.809 [info] Exit to port 8080
>>  121 Jun 14 11:34:26.406 [info] Exit to port 6667
>>  119 Jun 14 11:26:27.558 [info] Exit to port 51413
>>   94 Jun 14 11:54:26.254 [info] Exit to port 7000
>>   89 Jun 14 11:24:18.469 [info] Exit to port 8000
>>   78 Jun 14 23:48:17.454 [info] Exit to port 5004
>>   62 Jun 14 13:36:26.436 [info] Exit to port 5050
>>   48 Jun 14 14:38:07.948 [info] Exit to port 110
>> <snip>
>>
>> Will blocking/restricting port 43 improve the performance
>> of the tor-network? Or do we need more info (e.g. KBs/port/sec)?
>>
>> Hans de Hartog
>>
>>
>>
>After running my exit node for two weeks with info logging
>switched on, my disk was getting full :-(
>So I switched off info logging and ran the script again
>(slightly changed to report percentages instead of counts)
>and here are the results:
>Port   percentage
> 80          63.5
>443          12.6
> 43           2.6
>187           1.0
>All other ports less than 1%
>
     Hnh.  That's interesting, even bizarre.  Maybe something has changed.
I guess I can try reopening port 43 and see what happens.  When I had it
wide open before, it soon exceeded the port 443 counts.  After a month or
more, the port 43 count was usually several times as high as the port 443
count.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************