
Re: eliminating bogus port 43 exits



Hi Scott,

Got a couple of questions.

- Have you looked deeper into the request for port 43, using tcpdump or Wireshark?  
- Do you KNOW that it is a WHOIS request, not OpenVPN or something else running on the WHOIS port?  
- Have you logged what IPs are being connected to?  

I'm just curious, as it seems really odd to me that so many WHOIS requests are going through Tor.
I'm almost curious enough to run an exit node now just to see what might be going on.

- Kyle


On Fri, Jun 12, 2009 at 12:29 AM, Scott Bennett <bennett@xxxxxxxxxx> wrote:
    A bit over a month ago, I posted here some exit statistics by port number.
One major oddity among them was the count of port 43 (whois) exits, which
seemed extraordinarily large, especially in relation to the counts for other,
more expectedly popular port numbers.  Some of the comments I got in response
gave me an idea.  In what follows here, keep in mind that the second most
frequently occurring exit port number in the statistics previously reported
was 443 (https), and that the count of port 43 exits was in the millions when
the count of port 443 exits was several hundred thousand.  It is important to
note that my node's exit policy regarding port 80 (http) is highly restrictive,
resulting in very low exit counts for that port.  Keeping that in mind, the
exit counts for almost all other ports were not and are not similarly
restricted.
    I replaced the "ExitPolicy accept *:43" in my torrc file with the
following:

###---Limited list of allowed whois exit addresses
ExitPolicy accept 192.103.19.12:43      # whois access to whois.6bone.net
ExitPolicy accept 192.149.252.44:43     # whois access to whois.arin.net
ExitPolicy accept 193.0.0.135:43        # whois access to whois.ripe.net
ExitPolicy accept 194.85.119.77:43      # whois access to whois.ripn.net
ExitPolicy accept 196.216.2.1:43        # whois access to whois.afrinic.net
ExitPolicy accept 198.108.0.18:43       # whois access to whois.ra{,db}.net
ExitPolicy accept 199.7.51.74:43        # whois access to whois.crsnic.net
ExitPolicy accept 199.7.55.74:43        # whois access to whois.internic.net
ExitPolicy accept 199.43.0.144:43       # whois access to whois.arin.net
ExitPolicy accept 200.160.2.3:43        # whois access to whois.registro.br
ExitPolicy accept 200.160.2.15:43       # whois access to whois.lacnic.net
ExitPolicy accept 202.12.29.13:43       # whois access to whois.apnic.net
ExitPolicy accept 202.30.50.120:43      # whois access to whois.krnic.net
ExitPolicy accept 205.178.188.12:43     # whois access to whois.networksolutions.com
ExitPolicy accept 206.51.224.229:43     # whois access to whois.nic.gov
ExitPolicy accept 208.77.188.18:43      # whois access to whois.icann.org
ExitPolicy accept 208.77.188.87:43      # whois access to whois.iana.org
ExitPolicy reject *:43          # nicname whois
###---End of whois exit policy specifications

    The relationship now between the exit counts for ports 43 and 443 in the
last few days since I switched to 0.2.1.15-rc with Nick's patch applied looks
like this:

 439 Exit to port 43
72052 Exit to port 443

In other words, by restricting just port 43 exits to only the legitimate whois
IP addresses, I eliminated at least 70% of *all* exits through my tor node,
which suggests to me that the vast, overwhelming majority of exits from the
tor network are illegitimate and place a terribly taxing load upon the tor
network as a whole.  This apparent fact, in turn, suggests that if a) all
tor nodes with an explicit exit policy were to restrict port 443 exits to
just the legitimate port 43 IP addresses and b) the tor default exit policy
did the same, a huge and illegitimate load would be lifted from the tor network
overall.  If no relays offer exits to port 43 that don't go to the NICs' whois
servers, well over half of all tor exits, which are illegitimate and
undeserving of service in the first place, will be eliminated (not counting
typical port 80 (http) traffic, of course).
    Because my node's exit policy for port 80 (http) is not wide open, it is
hard for me to estimate the relative importance of bogus port 43 requests
w.r.t. legitimate port 80 (http) requests.  Because of my node's limited port
80 exit policy, I would be *very* interested in seeing exit counts for nodes
with unrestricted exit policies for the combination of ports 43, 80, and 443
in order to get a better idea of their relative importances.
    Nevertheless, the impact of eliminating those exit opportunities can be
expected to be quite significant in terms of performance of the network
overall, particularly because circuits will not need to be built in the first
place for such requests.  If even a few relays continue to offer unrestricted
exits for port 43, they will get so badly hammered by all the bogus exit
requests that they will cease to be important to normal operations of the tor
network until such time as they may modify their exit policies to be more in
tune with valid use of the tor network, rather than use by some sort of port
scanner or whatever junk software is currently consuming so much of the tor
network's resources, except to the extent that such non-conforming nodes would
be incurring the cost of the circuits to reach them for the exit service.
    Please note also that changing the default exit policy and most tor nodes'
explicit exit policies to the above specification would not prevent tor exit
node operators from adding other legitimate whois servers' IP addresses to
their exit policies.
    Therefore, I encourage all tor exit node operators to make the above
described change to the exit policies of their exit nodes.  (Feel free to copy
and paste.)  I further suggest that the default exit policy for tor be modified
in all future releases of both the stable and development branches of tor to
have the exit policy for port 43 shown above, as modified from time to time as
the NICs' whois server addresses may change.
    Comments are both welcome and encouraged.


                                 Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
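The exit policy quoted above works because Tor evaluates ExitPolicy lines in order and the first line that matches both the destination address and the port decides; the per-server accept lines therefore have to come before the "reject *:43" catch-all. The following script is an added example, not Scott's code and not part of Tor: it parses torrc-style ExitPolicy lines (the IPv4 forms used in the post: a single address, an address with a /prefix, or *, with a single port, a lo-hi range, or *) and applies first-match semantics to a set of constructed exit requests so that the effect of the port-43 restriction can be seen as counts by port, in the spirit of the "Exit to port" figures in the post. The sample policy copies three of the quoted whois lines (2009 addresses); the trailing "accept *:443" and "reject *:*" lines, the request list, and the treatment of an unmatched destination as falling through to Tor's default policy are assumptions for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample policy. The port-43 lines are copied from the post
# (2009 addresses, shortened to three entries); the trailing "accept *:443"
# and "reject *:*" lines are an assumption standing in for the rest of a
# typical torrc, which the post does not show.
SAMPLE_POLICY = """
###---Limited list of allowed whois exit addresses
ExitPolicy accept 192.149.252.44:43     # whois access to whois.arin.net
ExitPolicy accept 193.0.0.135:43        # whois access to whois.ripe.net
ExitPolicy accept 202.12.29.13:43       # whois access to whois.apnic.net
ExitPolicy reject *:43          # nicname whois
###---End of whois exit policy specifications
ExitPolicy accept *:443
ExitPolicy reject *:*
"""


def parse_policy(text):
    """Parse torrc ExitPolicy lines into an ordered list of (accept, network, lo, hi).

    Handles one rule per line in the IPv4 forms used in the post: address,
    address/prefix or '*', and port as a number, a lo-hi range or '*'.
    Comma-separated rules on one line and accept6/reject6 are not handled.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] != "ExitPolicy" or parts[1] not in ("accept", "reject"):
            raise ValueError(f"unsupported policy line: {raw.strip()!r}")
        addr, port = parts[2].rsplit(":", 1)
        network = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if port == "*":
            lo, hi = 1, 65535
        elif "-" in port:
            lo, hi = (int(p) for p in port.split("-", 1))
        else:
            lo = hi = int(port)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range in line: {raw.strip()!r}")
        rules.append((parts[1] == "accept", network, lo, hi))
    return rules


def exit_allowed(rules, ip, port):
    """First matching rule decides, which is how Tor evaluates exit policies.

    Returns True/False for the matching rule, or None when no rule matches,
    modelling the fall-through to the default policy Tor appends after the
    operator's rules (an assumption of this example, not checked against Tor).
    """
    ip = ipaddress.ip_address(ip)
    for accept, network, lo, hi in rules:
        if (network is None or ip in network) and lo <= port <= hi:
            return accept
    return None


def tally(rules, requests):
    """Count (port, decision) pairs for an iterable of (ip, port) exit requests."""
    label = {True: "accept", False: "reject", None: "default"}
    counts = Counter()
    for ip, port in requests:
        counts[(port, label[exit_allowed(rules, ip, port)])] += 1
    return counts


# Constructed exit requests: two to real whois servers, fifty to arbitrary
# hosts on port 43 (the "bogus" pattern the post describes), ten HTTPS.
SAMPLE_REQUESTS = (
    [("192.149.252.44", 43), ("193.0.0.135", 43)]
    + [(f"203.0.113.{i}", 43) for i in range(1, 51)]
    + [(f"198.51.100.{i}", 443) for i in range(1, 11)]
)

if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    for (port, decision), n in sorted(tally(rules, SAMPLE_REQUESTS).items()):
        print(f"{n:5d} Exit to port {port} ({decision})")
```

Running it prints the accept/reject split per port; the point to check before deploying such a policy is that a whois server you care about is still accepted (first-match means a misplaced "reject *:43" line above the accept lines silently blocks everything), and that the rule order matches what you intended.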