[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] Problematic ORPorts
On 7 June 2014 10:14:20 GMT+01:00, Roman Mamedov <rm@xxxxxxxxxxx> wrote:
>Hello,
>
>Recently on this mailing list and on tor-relays there have been some
>cases
>when relay nodes using standard ports commonly used for other services
>as
>their ORPort cause issues with ISPs of someone else running a relay.
>
>Notably once a relay on port 53 have triggered "high DNS traffic
>anomaly" IDS
>warning from the provider and almost(?) had the user's account
>terminated. DNS
>port 53 is commonly used for DNS reflection DDoS attacks, and
>apparently now
>ISPs have deployed measures to detect (and misdetect) these.
>
>In one more case a relay on port 22 had the user suspicious that an SSH
>brute-forcing may be going on.
>
>And finally an ISP has suspended a relay node VPS of someone I know on
>a
>suspicion of "having been hacked"; there was no further information on
>the
>basis of such suspicion, but thinking about it, it's entirely plausible
>that
>many outgoing connections to port 22 could have been the trigger.
>
>Large amounts of traffic and a high count of open connections to these
>ports
>is now one (and perhaps the first) case when running a non-exit relay
>*may*
>get you in trouble with your provider.
>
>So my idea is, maybe consider making directory authorities blacklist
>some
>ports as being unacceptable as ORPorts, 22 and 53 come to mind for a
>start,
>along with maybe 25 to avoid false alarms from anti-spam
>countermeasures.
+1 that makes sense to me.
--
Sent from a mobile device.
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk