[tor-relays] Network Scan through Tor Exit Node (Port 80)
cmeclax-sazri
cmeclax-sazri at ixazon.dynip.com
Thu Mar 10 00:18:34 UTC 2011
On Wednesday 09 March 2011 17:20:17 Chris Palmer wrote:
> On 03/09/2011 01:48 PM, Arjan wrote:
> >> We are saying hello on port 443, and then saying goodbye. Once. Using
> >> normal TCP and TLS handshaking, no tricks. For the good of the internet.
> >
> > That would be enough to get me in trouble with my ISP for performing
> > portscans (if I were running an exit node).
>
> And how would you, or anyone else, differentiate that from normal web
> browsing?
If a lot of those connection attempts are going to IP addresses with no host
present, or hosts not running a webserver, it looks like portscanning. If
almost all of the connection attempts are to webservers that have port 443
open, it looks like normal https web browsing.

I have only one external address and only a few ports forwarded, so I can't
detect portscans. I have noticed that an attempt to guess passwords on SSH is
often, but not always, preceded by a connect and disconnect from the same IP
address, which is probably part of a portscan. I don't block addresses that
scan ports, but I do block addresses that try to guess passwords (not on the
Tor box, just on the other one). The block expires in a day.
cmeclax
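
The distinction drawn in the reply above (many attempts to addresses with no host or no webserver look like a scan, while attempts that almost all reach an open port 443 look like browsing) can be expressed as a per-source ratio. This is an added example, not part of the original message; the flow-record layout, the outcome labels, the thresholds and the documentation-range addresses are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (source, destination, dst_port, outcome) as a border
# flow log might record outbound attempts. Outcome labels are hypothetical:
# "established" = handshake completed, "refused" = host up but port closed,
# "timeout" = no host answered. Addresses are documentation ranges.
SAMPLE_FLOWS = (
    [("198.51.100.7", f"203.0.113.{i}", 443, "timeout") for i in range(1, 31)]
    + [("198.51.100.7", f"203.0.113.{i}", 443, "refused") for i in range(31, 46)]
    + [("198.51.100.7", f"203.0.113.{i}", 443, "established") for i in range(46, 51)]
    + [("198.51.100.9", f"192.0.2.{i}", 443, "established") for i in range(1, 40)]
    + [("198.51.100.9", "192.0.2.200", 443, "timeout")]
    + [("198.51.100.11", "192.0.2.5", 443, "refused")]
)

def dead_target_ratio(flows, port=443):
    """Per source: (distinct destinations tried, fraction with no service)."""
    tried = defaultdict(set)
    answered = defaultdict(set)
    for src, dst, dport, outcome in flows:
        if dport != port:
            continue
        tried[src].add(dst)
        if outcome == "established":
            answered[src].add(dst)
    return {
        src: (len(dsts), 1 - len(answered[src]) / len(dsts))
        for src, dsts in tried.items()
    }

def classify(flows, port=443, min_targets=20, max_dead_ratio=0.5):
    """Label each source; both thresholds are assumptions to tune per network."""
    verdicts = {}
    for src, (count, ratio) in dead_target_ratio(flows, port).items():
        if count < min_targets:
            verdicts[src] = "insufficient-data"  # too few targets to judge
        elif ratio > max_dead_ratio:
            verdicts[src] = "scan-like"          # mostly empty or closed targets
        else:
            verdicts[src] = "browsing-like"      # nearly all targets serve 443
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(classify(SAMPLE_FLOWS).items()):
        print(src, verdict)
```

Counting distinct destinations rather than raw connections keeps a browser that opens many connections to the same few sites from skewing the ratio.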