Hello,

Recently on this mailing list and on tor-relays there have been some cases when relay nodes using standard ports commonly used for other services as their ORPort cause issues with the ISPs of someone else running a relay.

Notably, once a relay on port 53 triggered a "high DNS traffic anomaly" IDS warning from the provider and almost(?) had the user's account terminated. DNS port 53 is commonly used for DNS reflection DDoS attacks, and apparently now ISPs have deployed measures to detect (and misdetect) these.

In one more case a relay on port 22 had the user suspicious that SSH brute-forcing may be going on.

And finally an ISP has suspended a relay node VPS of someone I know on a suspicion of "having been hacked"; there was no further information on the basis of such suspicion, but thinking about it, it's entirely plausible that many outgoing connections to port 22 could have been the trigger.

Large amounts of traffic and a high count of open connections to these ports are now one (and perhaps the first) case when running a non-exit relay *may* get you in trouble with your provider.

So my idea is, maybe consider making directory authorities blacklist some ports as being unacceptable as ORPorts; 22 and 53 come to mind for a start, along with maybe 25 to avoid false alarms from anti-spam countermeasures.

--
With respect,
Roman
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk