eliminating bogus port 43 exits
Kyle Williams
kyle.kwilliams at gmail.com
Fri Jun 12 07:44:19 UTC 2009
Hi Scott,
Got a couple of questions.
- Have you looked deeper into the request for port 43, using tcpdump or
Wireshark?
- Do you KNOW that it is a WHOIS request, not OpenVPN or something else
running on the WHOIS port?
- Have you logged what IPs are being connected to?
I'm just curious, as this seems to be really odd to me that so many WHOIS requests are going through Tor.
I'm almost curious enough to run an exit node now just to see what might be going on.
- Kyle
On Fri, Jun 12, 2009 at 12:29 AM, Scott Bennett <bennett at cs.niu.edu> wrote:
> A bit over a month ago, I posted here some exit statistics by port number. One major oddity among them was the count of port 43 (whois) exits, which seemed extraordinarily large, especially in relation to the counts for other, more expectedly popular port numbers. Some of the comments I got in response gave me an idea. In what follows here, keep in mind that the second most frequently occurring exit port number in the statistics previously reported was 443 (https), and that the count of port 43 exits was in the millions when the count of port 443 exits was several hundred thousand. It is important to note that my node's exit policy regarding port 80 (http) is highly restrictive, resulting in very low exit counts for that port. Keeping that in mind, the exit counts for almost all other ports were not and are not similarly restricted.
> I replaced the "ExitPolicy accept *:43" in my torrc file with the following:
>
> ###---Limited list of allowed whois exit addresses
> ExitPolicy accept 192.103.19.12:43 # whois access to whois.6bone.net
> ExitPolicy accept 192.149.252.44:43 # whois access to whois.arin.net
> ExitPolicy accept 193.0.0.135:43 # whois access to whois.ripe.net
> ExitPolicy accept 194.85.119.77:43 # whois access to whois.ripn.net
> ExitPolicy accept 196.216.2.1:43 # whois access to whois.afrinic.net
> ExitPolicy accept 198.108.0.18:43 # whois access to whois.ra{,db}.net
> ExitPolicy accept 199.7.51.74:43 # whois access to whois.crsnic.net
> ExitPolicy accept 199.7.55.74:43 # whois access to whois.internic.net
> ExitPolicy accept 199.43.0.144:43 # whois access to whois.arin.net
> ExitPolicy accept 200.160.2.3:43 # whois access to whois.registro.br
> ExitPolicy accept 200.160.2.15:43 # whois access to whois.lacnic.net
> ExitPolicy accept 202.12.29.13:43 # whois access to whois.apnic.net
> ExitPolicy accept 202.30.50.120:43 # whois access to whois.krnic.net
> ExitPolicy accept 205.178.188.12:43 # whois access to whois.networksolutions.com
> ExitPolicy accept 206.51.224.229:43 # whois access to whois.nic.gov
> ExitPolicy accept 208.77.188.18:43 # whois access to whois.icann.org
> ExitPolicy accept 208.77.188.87:43 # whois access to whois.iana.org
> ExitPolicy reject *:43 # nicname whois
> ###---End of whois exit policy specifications
>
> The relationship now between the exit counts for ports 43 and 443 in the last few days since I switched to 0.2.1.15-rc with Nick's patch applied looks like this:
>
> 439 Exit to port 43
> 72052 Exit to port 443
>
> In other words, by restricting just port 43 exits to only the legitimate whois IP addresses, I eliminated at least 70% of *all* exits through my tor node, which suggests to me that the vast, overwhelming majority of exits from the tor network are illegitimate and place a terribly taxing load upon the tor network as a whole. This apparent fact, in turn, suggests that if a) all tor nodes with an explicit exit policy were to restrict port 443 exits to just the legitimate port 43 IP addresses and b) the tor default exit policy did the same, a huge and illegitimate load would be lifted from the tor network overall. If no relays offer exits to port 43 that don't go to the NICs' whois servers, well over half of all tor exits, which are illegitimate and undeserving of service in the first place, will be eliminated (not counting typical port 80 (http) traffic, of course).
> Because my node's exit policy for port 80 (http) is not wide open, it is hard for me to estimate the relative importance of bogus port 43 requests w.r.t. legitimate port 80 (http) requests. Because of my node's limited port 80 exit policy, I would be *very* interested in seeing exit counts for nodes with unrestricted exit policies for the combination of ports 43, 80, and 443 in order to get a better idea of their relative importances. Nevertheless, the impact of eliminating those exit opportunities can be expected to be quite significant in terms of performance of the network overall, particularly because circuits will not need to be built in the first place for such requests. If even a few relays continue to offer unrestricted exits for port 43, they will get so badly hammered by all the bogus exit requests that they will cease to be important to normal operations of the tor network until such time as they may modify their exit policies to be more in tune with valid use of the tor network, rather than use by some sort of port scanner or whatever junk software is currently consuming so much of the tor network's resources, except to the extent that such non-conforming nodes would be incurring the cost of the circuits to reach them for the exit service.
> Please note also that changing the default exit policy and most tor nodes' explicit exit policies to the above specification would not prevent tor exit node operators from adding other legitimate whois servers' IP addresses to their exit policies.
> Therefore, I encourage all tor exit node operators to make the above described change to the exit policies of their exit nodes. (Feel free to copy and paste.) I further suggest that the default exit policy for tor be modified in all future releases of both the stable and development branches of tor to have the exit policy for port 43 shown above, as modified from time to time as the NICs' whois server addresses may change.
> Comments are both welcome and encouraged.
>
>
> Scott Bennett, Comm. ASMELG, CFIAG
> **********************************************************************
> * Internet: bennett at cs.niu.edu *
> *--------------------------------------------------------------------*
> * "A well regulated and disciplined militia, is at all times a good *
> * objection to the introduction of that bane of all free governments *
> * -- a standing army." *
> * -- Gov. John Hancock, New York Journal, 28 January 1790 *
> **********************************************************************
>
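An added example, not code from either poster, for operators who copy the quoted port 43 policy into their own torrc: it parses ExitPolicy lines the way Tor reads them (top to bottom, first match wins, IPv4 only here), answers whether a given destination would be allowed to exit, and flags rules that can never match because an earlier line already covers them (for instance an accept that ends up pasted below the `reject *:43`). The sample torrc is a constructed subset of the quoted rules; treating "no rule matched" as reject is this example's assumption, since a real relay appends Tor's built-in default policy after the explicit lines.

```python
import ipaddress
import re

# Constructed sample: a few of the quoted port 43 rules, the catch-all
# reject for port 43, and two trailing rules for the rest of the policy.
SAMPLE_TORRC = """
###---Limited list of allowed whois exit addresses
ExitPolicy accept 192.103.19.12:43   # whois access to whois.6bone.net
ExitPolicy accept 193.0.0.135:43     # whois access to whois.ripe.net
ExitPolicy reject *:43               # nicname whois
ExitPolicy accept *:443
ExitPolicy reject *:*
"""

RULE_RE = re.compile(r"^ExitPolicy\s+(accept|reject)\s+(\S+):(\S+)")

def parse_policy(text):
    """Return [(verdict, network, lo_port, hi_port)] in file order.
    '#' comments are stripped; '*' means any address or any port."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.split("#", 1)[0].strip())
        if not m:
            continue
        verdict, addr, ports = m.groups()
        net = ipaddress.ip_network("0.0.0.0/0" if addr == "*" else addr, strict=False)
        if ports == "*":
            lo, hi = 1, 65535
        elif "-" in ports:
            lo, hi = (int(p) for p in ports.split("-", 1))
        else:
            lo = hi = int(ports)
        rules.append((verdict, net, lo, hi))
    return rules

def exit_allowed(rules, dest_ip, dest_port):
    """First matching rule decides; no match is treated as reject here
    (assumption: a live relay would consult its default policy instead)."""
    ip = ipaddress.ip_address(dest_ip)
    for verdict, net, lo, hi in rules:
        if ip in net and lo <= dest_port <= hi:
            return verdict == "accept"
    return False

def shadowed(rules):
    """Indexes of rules that can never match because an earlier rule
    covers both their whole address range and their whole port range."""
    dead = []
    for i, (_, net, lo, hi) in enumerate(rules):
        if any(net.subnet_of(enet) and elo <= lo and hi <= ehi
               for _, enet, elo, ehi in rules[:i]):
            dead.append(i)
    return dead
```

Run `shadowed(parse_policy(open("torrc").read()))` against your own file after pasting the rules; a non-empty result means some accept line sits below the catch-all reject and is silently ignored.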