eliminating bogus port 43 exits
Scott Bennett
bennett at cs.niu.edu
Fri Jul 3 08:56:13 UTC 2009
On Fri, 03 Jul 2009 10:25:41 +0200 Hans de Hartog <dehartog at rootsr.com>
wrote:
>Hans de Hartog wrote:
>> Scott Bennett wrote:
>>> Unfortunately, the above method is unlikely to see more than a tiny
>>> fraction of the port 43 exits, which are usually of very short duration.
>>> Instead, try turning on info-level logging. Then you can use something
>>> like
>>>
>>> /usr/bin/fgrep connection_edge_finished_connecting /var/log/tor/info.log | \
>>> nice +14 /usr/bin/sed -e 's/connection_edge_finished_connecting(): Exit connection to \[scrubbed\]:/Exit to port /' -e 's/(\[scrubbed\]) //' -e 's/(.* established.//' -e 's/\ established.//' -e 's/ 1499//' | \
>>> nice +14 sort -n -g +7 -8 | uniq -c -f 7
>>>
>>> (Beware of linewrap in the line containing the /usr/bin/sed command.) Note
>>> that your paths, options to sort(1) and uniq(1), etc. may vary, depending
>>> upon your operating system. This example works properly for FreeBSD. Also,
>>> use of nice is obviously optional, but a good idea if you're sharing a system
>>> with other users at the same time. Output from the above looks like this:
>>>
>>> 39 Jun 14 03:19:02.223 [info] Exit to port 443
>>> 1 Jun 14 03:16:21.795 [info] Exit to port 6001
>>> 1 Jun 14 03:19:20.310 [info] Exit to port 6010
>>> 1 Jun 14 03:16:24.275 [info] Exit to port 6666
>>>
>>> and so on, where the number at the lefthand side is the number of exits for
>>> that port, and the date+timestamp is from the first occurrence in the log file
>>> of an exit for that port. You may wish to change the final form of the output
>>> lines to suit your own taste.
>>> I think you'll find that scanning an info-level log file gives you a
>>> very different result from looking at periodic samplings of netstat(1) output.
>> As promised, here are the results of Scott's script
>> 24 hours after switching on info logging:
>>
>> Sorted by port number (for ports < 1000)
>> 11 Jun 14 12:05:48.178 [info] Exit to port 21
>> 3 Jun 14 22:15:29.243 [info] Exit to port 22
>> 1 Jun 15 05:12:38.435 [info] Exit to port 29
>> 1191 Jun 14 11:51:28.925 [info] Exit to port 43
>> 2 Jun 15 03:39:32.109 [info] Exit to port 53
>> 1 Jun 14 12:54:54.073 [info] Exit to port 57
>> 2 Jun 15 05:19:21.415 [info] Exit to port 64
>> 24043 Jun 14 11:07:00.997 [info] Exit to port 80
>> 25 Jun 14 12:37:02.716 [info] Exit to port 81
>> 5 Jun 14 11:29:10.296 [info] Exit to port 82
>> 2 Jun 14 16:34:00.878 [info] Exit to port 83
>> 3 Jun 14 18:04:02.749 [info] Exit to port 84
>> 5 Jun 14 11:16:10.207 [info] Exit to port 85
>> 1 Jun 14 14:52:40.523 [info] Exit to port 86
>> 4 Jun 14 13:41:44.467 [info] Exit to port 87
>> 3 Jun 14 16:34:02.507 [info] Exit to port 89
>> 1 Jun 15 04:44:09.560 [info] Exit to port 90
>> 1 Jun 15 04:27:40.454 [info] Exit to port 91
>> 1 Jun 14 23:32:00.738 [info] Exit to port 92
>> 1 Jun 15 01:24:52.137 [info] Exit to port 95
>> 1 Jun 14 16:12:14.378 [info] Exit to port 96
>> 4 Jun 15 00:03:03.627 [info] Exit to port 98
>> 4 Jun 14 16:08:53.067 [info] Exit to port 99
>> 1 Jun 15 03:42:39.595 [info] Exit to port 101
>> 2 Jun 14 14:00:35.252 [info] Exit to port 102
>> 1 Jun 14 18:04:49.153 [info] Exit to port 104
>> 1 Jun 14 11:38:37.984 [info] Exit to port 109
>> 48 Jun 14 14:38:07.948 [info] Exit to port 110
>> 6 Jun 14 15:22:22.942 [info] Exit to port 119
>> 541 Jun 14 12:00:24.675 [info] Exit to port 187
>> 1 Jun 14 21:36:46.609 [info] Exit to port 400
>> 1 Jun 15 04:55:13.365 [info] Exit to port 411
>> 1 Jun 14 19:16:05.586 [info] Exit to port 442
>> 2193 Jun 14 11:43:03.144 [info] Exit to port 443
>> 1 Jun 14 15:23:54.915 [info] Exit to port 462
>> 1 Jun 15 01:09:02.965 [info] Exit to port 554
>> 1 Jun 14 15:32:29.782 [info] Exit to port 623
>> 1 Jun 15 00:03:11.737 [info] Exit to port 666
>> 1 Jun 15 02:19:05.865 [info] Exit to port 800
>> 2 Jun 14 12:22:13.641 [info] Exit to port 808
>> 1 Jun 15 07:40:10.154 [info] Exit to port 809
>> 1 Jun 15 08:43:43.371 [info] Exit to port 888
>> 18 Jun 14 12:32:28.145 [info] Exit to port 995
>> <snip>
>>
>> Reverse sorted by count
>> 24043 Jun 14 11:07:00.997 [info] Exit to port 80
>> 2193 Jun 14 11:43:03.144 [info] Exit to port 443
>> 1191 Jun 14 11:51:28.925 [info] Exit to port 43
>> 541 Jun 14 12:00:24.675 [info] Exit to port 187
>> 464 Jun 14 11:26:03.550 [info] Exit to port 5001
>> 173 Jun 14 11:16:51.925 [info] Exit to port 2710
>> 165 Jun 14 11:12:34.809 [info] Exit to port 8080
>> 121 Jun 14 11:34:26.406 [info] Exit to port 6667
>> 119 Jun 14 11:26:27.558 [info] Exit to port 51413
>> 94 Jun 14 11:54:26.254 [info] Exit to port 7000
>> 89 Jun 14 11:24:18.469 [info] Exit to port 8000
>> 78 Jun 14 23:48:17.454 [info] Exit to port 5004
>> 62 Jun 14 13:36:26.436 [info] Exit to port 5050
>> 48 Jun 14 14:38:07.948 [info] Exit to port 110
>> <snip>
>>
>> Will blocking/restricting port 43 improve the performance
>> of the tor-network? Or do we need more info (e.g. KBs/port/sec)?
>>
>> Hans de Hartog
>>
>>
>>
>After running my exit node for two weeks with info logging
>switched on, my disk was getting full :-(
>So I switched off info logging and ran the script again
>(slightly changed to report percentages instead of counts)
>and here are the results:
>Port percentage
> 80 63.5
>443 12.6
> 43 2.6
>187 1.0
>All other ports less than 1%
>
Hnh. That's interesting, even bizarre. Maybe something has changed.
I guess I can try reopening port 43 and see what happens. When I had it
wide open before, it soon exceeded the port 443 counts. After a month or
more, the port 43 count was usually several times as high as the port 443
count.
Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet: bennett at cs.niu.edu *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good *
* objection to the introduction of that bane of all free governments *
* -- a standing army." *
* -- Gov. John Hancock, New York Journal, 28 January 1790 *
**********************************************************************
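
Added example, not part of the original thread and not the script either poster ran: a portable sh/awk version of the per-port tally discussed above, reporting both counts and percentages. The function names and the sample lines are assumptions; the log line shape is the one implied by the sed expressions quoted in the message.

```shell
#!/bin/sh
# Per-port exit counts and percentages from a Tor info-level log.
# Assumed line shape (inferred from the sed expressions in the thread):
#   Mon DD HH:MM:SS.mmm [info] connection_edge_finished_connecting(): \
#       Exit connection to [scrubbed]:PORT ([scrubbed]) established.

exit_port_stats() {
    # Reads log text on stdin; prints "port count percent" per line,
    # highest count first, ties ordered by port number.
    awk '
        /connection_edge_finished_connecting\(\): Exit connection to / {
            # The destination follows the word "to", e.g. "[scrubbed]:443".
            for (i = 1; i < NF; i++) {
                if ($i == "to") {
                    # Take the text after the last colon so that unscrubbed
                    # host:port or [ipv6]:port destinations also work.
                    n = split($(i + 1), part, ":")
                    port = part[n]
                    if (port ~ /^[0-9]+$/) { count[port]++; total++ }
                    break
                }
            }
        }
        END {
            # With no matching lines the loop body never runs (no divide by 0).
            for (p in count)
                printf "%s %d %.1f\n", p, count[p], 100 * count[p] / total
        }
    ' | sort -k2,2nr -k1,1n
}

sample_log() {
    # Constructed sample lines, not taken from a real relay.
    cat <<'EOF'
Jun 14 03:19:02.223 [info] connection_edge_finished_connecting(): Exit connection to [scrubbed]:443 ([scrubbed]) established.
Jun 14 03:19:03.101 [info] connection_edge_finished_connecting(): Exit connection to [scrubbed]:80 ([scrubbed]) established.
Jun 14 03:19:03.544 [info] connection_edge_finished_connecting(): Exit connection to [scrubbed]:80 ([scrubbed]) established.
Jun 14 03:19:04.310 [info] connection_edge_finished_connecting(): Exit connection to [scrubbed]:43 ([scrubbed]) established.
Jun 14 03:19:05.000 [info] some_other_function(): unrelated info-level line
EOF
}

# Demo run on the constructed sample.
sample_log | exit_port_stats
```

On a real relay the input would be the info-level log file, for example `exit_port_stats < /var/log/tor/info.log`, using the path given in the quoted message.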