eliminating bogus port 43 exits

Hans de Hartog dehartog at rootsr.com
Fri Jul 3 08:25:41 UTC 2009 

Hans de Hartog wrote:
> Scott Bennett wrote:
>>      Unfortunately, the above method is unlikely to see more than a tiny
>> fraction of the port 43 exits, which are usually of very short duration.
>>      Instead, try turning on info-level logging.  Then you can use 
>> something
>> like
>>
>> /usr/bin/fgrep connection_edge_finished_connecting 
>> /var/log/tor/info.log | \
>>  nice +14 /usr/bin/sed -e 's/connection_edge_finished_connecting(): 
>> Exit connection to \[scrubbed\]:/Exit to port /' -e 's/(\[scrubbed\]) 
>> //' -e 's/(.* established.//' -e 's/\ established.//' -e 's/ 1499//' | \
>>   nice +14 sort -n -g +7 -8 | uniq -c -f 7
>>
>> (Beware of linewrap in the line containing the /usr/bin/sed 
>> command.)  Note
>> that your paths, options to sort(1) and uniq(1), etc. may vary, 
>> depending
>> upon your operating system.  This example works properly for 
>> FreeBSD.  Also,
>> use of nice is obviously optional, but a good idea if you're sharing 
>> a system
>> with other users at the same time.  Output from the above looks like 
>> this:
>>
>>   39 Jun 14 03:19:02.223 [info] Exit to port 443
>>    1 Jun 14 03:16:21.795 [info] Exit to port 6001
>>    1 Jun 14 03:19:20.310 [info] Exit to port 6010
>>    1 Jun 14 03:16:24.275 [info] Exit to port 6666
>>
>> and so on, where the number at the lefthand side is the number of 
>> exits for
>> that port, and the date+timestamp is from the first occurrence in the 
>> log file
>> of an exit for that port.  You may wish to change the final form of 
>> the output
>> lines to suit your own taste.
>>      I think you'll find that scanning an info-level log file gives 
>> you a
>> very different result from looking at periodic samplings of 
>> netstat(1) output.
> As promised, here are the results of Scott's script
> 24 hours after switching on info logging:
>
> Sorted by port number (for ports < 1000)
>   11 Jun 14 12:05:48.178 [info] Exit to port 21
>    3 Jun 14 22:15:29.243 [info] Exit to port 22
>    1 Jun 15 05:12:38.435 [info] Exit to port 29
> 1191 Jun 14 11:51:28.925 [info] Exit to port 43
>    2 Jun 15 03:39:32.109 [info] Exit to port 53
>    1 Jun 14 12:54:54.073 [info] Exit to port 57
>    2 Jun 15 05:19:21.415 [info] Exit to port 64
> 24043 Jun 14 11:07:00.997 [info] Exit to port 80
>   25 Jun 14 12:37:02.716 [info] Exit to port 81
>    5 Jun 14 11:29:10.296 [info] Exit to port 82
>    2 Jun 14 16:34:00.878 [info] Exit to port 83
>    3 Jun 14 18:04:02.749 [info] Exit to port 84
>    5 Jun 14 11:16:10.207 [info] Exit to port 85
>    1 Jun 14 14:52:40.523 [info] Exit to port 86
>    4 Jun 14 13:41:44.467 [info] Exit to port 87
>    3 Jun 14 16:34:02.507 [info] Exit to port 89
>    1 Jun 15 04:44:09.560 [info] Exit to port 90
>    1 Jun 15 04:27:40.454 [info] Exit to port 91
>    1 Jun 14 23:32:00.738 [info] Exit to port 92
>    1 Jun 15 01:24:52.137 [info] Exit to port 95
>    1 Jun 14 16:12:14.378 [info] Exit to port 96
>    4 Jun 15 00:03:03.627 [info] Exit to port 98
>    4 Jun 14 16:08:53.067 [info] Exit to port 99
>    1 Jun 15 03:42:39.595 [info] Exit to port 101
>    2 Jun 14 14:00:35.252 [info] Exit to port 102
>    1 Jun 14 18:04:49.153 [info] Exit to port 104
>    1 Jun 14 11:38:37.984 [info] Exit to port 109
>   48 Jun 14 14:38:07.948 [info] Exit to port 110
>    6 Jun 14 15:22:22.942 [info] Exit to port 119
>  541 Jun 14 12:00:24.675 [info] Exit to port 187
>    1 Jun 14 21:36:46.609 [info] Exit to port 400
>    1 Jun 15 04:55:13.365 [info] Exit to port 411
>    1 Jun 14 19:16:05.586 [info] Exit to port 442
> 2193 Jun 14 11:43:03.144 [info] Exit to port 443
>    1 Jun 14 15:23:54.915 [info] Exit to port 462
>    1 Jun 15 01:09:02.965 [info] Exit to port 554
>    1 Jun 14 15:32:29.782 [info] Exit to port 623
>    1 Jun 15 00:03:11.737 [info] Exit to port 666
>    1 Jun 15 02:19:05.865 [info] Exit to port 800
>    2 Jun 14 12:22:13.641 [info] Exit to port 808
>    1 Jun 15 07:40:10.154 [info] Exit to port 809
>    1 Jun 15 08:43:43.371 [info] Exit to port 888
>   18 Jun 14 12:32:28.145 [info] Exit to port 995
> <snip>
>
> Reverse sorted by count
> 24043 Jun 14 11:07:00.997 [info] Exit to port 80
> 2193 Jun 14 11:43:03.144 [info] Exit to port 443
> 1191 Jun 14 11:51:28.925 [info] Exit to port 43
>  541 Jun 14 12:00:24.675 [info] Exit to port 187
>  464 Jun 14 11:26:03.550 [info] Exit to port 5001
>  173 Jun 14 11:16:51.925 [info] Exit to port 2710
>  165 Jun 14 11:12:34.809 [info] Exit to port 8080
>  121 Jun 14 11:34:26.406 [info] Exit to port 6667
>  119 Jun 14 11:26:27.558 [info] Exit to port 51413
>   94 Jun 14 11:54:26.254 [info] Exit to port 7000
>   89 Jun 14 11:24:18.469 [info] Exit to port 8000
>   78 Jun 14 23:48:17.454 [info] Exit to port 5004
>   62 Jun 14 13:36:26.436 [info] Exit to port 5050
>   48 Jun 14 14:38:07.948 [info] Exit to port 110
> <snip>
>
> Will blocking/restricting port 43 improve the performance
> of the tor-network? Or do we need more info (e.g. KBs/port/sec)?
>
> Hans de Hartog
>
>
>
After running my exit node for two weeks with info logging
switched on, my disk was getting full :-(
So I switched off info logging and ran the script again
(slightly changed to report percentages instead of counts)
and here are the results:
Port   percentage
 80          63.5
443          12.6
 43           2.6
187           1.0
All other ports less than 1%

Hans.

More information about the tor-talk mailing list