
[tor-talk] Problematic ORPorts


Recently on this mailing list and on tor-relays there have been some cases
when relay nodes using standard ports commonly used for other services as
their ORPort cause issues with ISPs of someone else running a relay.

Notably, once a relay on port 53 triggered a "high DNS traffic anomaly" IDS
warning from the provider and almost(?) had the user's account terminated. DNS
port 53 is commonly used for DNS reflection DDoS attacks, and apparently now
ISPs have deployed measures to detect (and misdetect) these.

In one more case a relay on port 22 had the user suspicious that SSH
brute-forcing might be going on.

And finally an ISP has suspended a relay node VPS of someone I know on a
suspicion of "having been hacked"; there was no further information on the
basis of such suspicion, but thinking about it, it's entirely plausible that
many outgoing connections to port 22 could have been the trigger.

Large amounts of traffic and a high count of open connections to these ports
are now one (and perhaps the first) case where running a non-exit relay *may*
get you in trouble with your provider.

So my idea is: maybe consider making directory authorities blacklist some
ports as being unacceptable as ORPorts. 22 and 53 come to mind for a start,
along with maybe 25, to avoid false alarms from anti-spam countermeasures.

With respect,

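As an added example (not part of the post or of Tor's own code): a small Python checker that flags the ports named above (22, 53, 25) both in an operator's torrc and across network-status "r" lines, assuming the standard consensus line layout; the torrc and consensus samples are constructed, not real relays.

```python
"""Added check (not part of the post or of Tor): flag relay ORPorts that
collide with the service ports the post names (22, 53, 25)."""
from collections import Counter

# Ports named in the post as prone to being misread by ISP monitoring.
PROBLEMATIC_ORPORTS = {22: "ssh", 53: "dns", 25: "smtp"}

def torrc_orport(line):
    """Port from a torrc line like 'ORPort 9001', 'ORPort 203.0.113.5:53'
    or 'ORPort [::]:22 NoListen'; None if the line is not an ORPort."""
    fields = line.split()
    if len(fields) < 2 or fields[0].lower() != "orport":
        return None
    addr = fields[1].rsplit(":", 1)[-1]   # strip any IPv4/IPv6 prefix
    return int(addr) if addr.isdigit() else None

def check_torrc(torrc_text):
    """Return (port, service) for every problematic ORPort in a torrc."""
    hits = []
    for line in torrc_text.splitlines():
        port = torrc_orport(line.split("#", 1)[0])   # drop trailing comments
        if port in PROBLEMATIC_ORPORTS:
            hits.append((port, PROBLEMATIC_ORPORTS[port]))
    return hits

def consensus_routers(consensus_text):
    """Yield (nickname, ip, orport) from network-status 'r' lines:
    r <nick> <identity> [<digest>] <date> <time> <IP> <ORPort> <DirPort>
    The digest is absent in the microdesc flavour, so read from the end."""
    for line in consensus_text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[0] == "r" and f[-2].isdigit():
            yield f[1], f[-3], int(f[-2])

def flag_consensus(consensus_text):
    """Relays whose ORPort is a problematic port, plus an ORPort histogram."""
    routers = list(consensus_routers(consensus_text))
    flagged = [(n, ip, p, PROBLEMATIC_ORPORTS[p]) for n, ip, p in routers
               if p in PROBLEMATIC_ORPORTS]
    return flagged, Counter(p for _, _, p in routers)

# Constructed sample inputs (not real relays; identity fields are dummies).
SAMPLE_TORRC = "Nickname demo\nORPort 203.0.113.5:53  # looks like DNS\nORPort [::]:9001\n"
SAMPLE_CONSENSUS = """\
r alpha AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2024-01-01 00:00:00 203.0.113.10 9001 9030
r bravo CCCCCCCCCCCCCCCCCCCCCCCCCCC 2024-01-01 00:00:00 198.51.100.5 22 0
s Fast Running Valid
r charlie DDDDDDDDDDDDDDDDDDDDDDDDDDD 2024-01-01 00:00:00 192.0.2.7 443 80
"""
```

Running `check_torrc(SAMPLE_TORRC)` reports the port-53 ORPort, and `flag_consensus(SAMPLE_CONSENSUS)` reports relay "bravo" on port 22 together with the port histogram.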
