[tor-relays] Network Scan through Tor Exit Node (Port 80)

Mitar mmitar at gmail.com
Wed Mar 2 13:04:01 UTC 2011


Hi!

On Tue, Mar 1, 2011 at 7:09 AM, Chris Palmer <chris at eff.org> wrote:
> For example, the SSL Observatory does a "scan" that is very similar to what happens when a
> user clicks a link and then immediately clicks the Stop button in the browser: SYN, SYN/ACK,
> ACK, Client Hello, Server Hello + Certificate, goodbye. We do this once per IP every few months.
> Out of 4 billion IP addresses, we got one complaint that I know of.

Interesting. We were doing the very same thing (opening only 80 and
443 ports to check for certificates) just few weeks ago over whole IP
space and got a few complaints: from ATT, usu.edu and usi.com.

Maybe the difference was in speed of scanning? We randomized order of
scanning but still some networks detected us as scanning their whole
ranges.

And what is even more interesting is that our ISP was much more eager
for us to reply to those complaints than to complaints for us running
a Tor exit node some time ago. At that time they didn't even require
from us to respond. They just forwarded us e-mails in a FYI manner.
Maybe they changed some policies in meantime.


Mitar


More information about the tor-relays mailing list