
Re: [tor-talk] Problematic ORPorts

On 7 June 2014 10:14:20 GMT+01:00, Roman Mamedov <rm@xxxxxxxxxxx> wrote:
>Recently on this mailing list and on tor-relays there have been some
>when relay nodes using standard ports commonly used for other services
>their ORPort cause issues with ISPs of someone else running a relay.
>Notably once a relay on port 53 has triggered "high DNS traffic anomaly" IDS
>warning from the provider and almost(?) had the user's account terminated. DNS
>port 53 is commonly used for DNS reflection DDoS attacks, and apparently now
>ISPs have deployed measures to detect (and misdetect) these.
>In one more case a relay on port 22 had the user suspicious that an SSH
>brute-forcing may be going on.
>And finally an ISP has suspended a relay node VPS of someone I know on
>suspicion of "having been hacked"; there was no further information on
>basis of such suspicion, but thinking about it, it's entirely plausible
>many outgoing connections to port 22 could have been the trigger.
>Large amounts of traffic and a high count of open connections to these
>is now one (and perhaps the first) case when running a non-exit relay
>get you in trouble with your provider.
>So my idea is, maybe consider making directory authorities blacklist
>ports as being unacceptable as ORPorts, 22 and 53 come to mind for a
>along with maybe 25 to avoid false alarms from anti-spam

+1 that makes sense to me.

Sent from a mobile device. 
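
An operator-side check for the ports named in the quoted message, added here as an example and not part of the original thread or of Tor itself: it scans a torrc for advertised ORPort lines on 22, 53 or 25. The function names and the sample torrc are constructed for illustration, and flag matching is assumed to be case-insensitive.

```python
# Ports the thread names as likely to trip ISP monitoring, with the reason given there.
FLAGGED_PORTS = {
    22: "may look like SSH brute-forcing",
    53: "may trigger DNS traffic anomaly IDS",
    25: "may trigger anti-spam alarms",
}

def advertised_orports(torrc_text):
    """Yield (line_no, port) for ORPort lines that end up in the relay descriptor."""
    for line_no, raw in enumerate(torrc_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if len(parts) < 2 or parts[0].lower() != "orport":
            continue
        flags = {p.lower() for p in parts[2:]}
        if "noadvertise" in flags:                # listener only, peers never dial it
            continue
        # Accept PORT, ADDRESS:PORT and [IPv6]:PORT; the port is the last field.
        port = parts[1].rsplit(":", 1)[-1]
        if port.isdigit() and int(port) != 0:     # skips "auto" and disabled (0)
            yield line_no, int(port)

def check_torrc(torrc_text):
    """Return [(line_no, port, reason)] for advertised ORPorts on flagged ports."""
    return [(n, p, FLAGGED_PORTS[p])
            for n, p in advertised_orports(torrc_text) if p in FLAGGED_PORTS]

# Constructed sample configuration (documentation addresses, not a real relay).
SAMPLE = """\
# constructed sample torrc
Nickname examplerelay
ORPort 53
ORPort 9001 NoAdvertise
ORPort [2001:db8::1]:22 IPv6Only
ORPort 192.0.2.10:443
orport 25 NoAdvertise  # local listener only
"""

if __name__ == "__main__":
    for line_no, port, reason in check_torrc(SAMPLE):
        print(f"line {line_no}: ORPort {port} {reason}")
```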