On Wednesday 09 March 2011 17:20:17 Chris Palmer wrote:
On 03/09/2011 01:48 PM, Arjan wrote:
We are saying hello on port 443, and then saying goodbye. Once. Using normal TCP and TLS handshaking, no tricks. For the good of the internet.
That would be enough to get me in trouble with my ISP for performing portscans (if I were running an exit node).
And how would you, or anyone else, differentiate that from normal web browsing?
If a lot of those connection attempts are going to IP addresses with no host present, or hosts not running a webserver, it looks like portscanning. If almost all of the connection attempts are to webservers that have port 443 open, it looks like normal https web browsing.
I have only one external address and only a few ports forwarded, so I can't detect portscans. I have noticed that an attempt to guess passwords on SSH is often, but not always, preceded by a connect and disconnect from the same IP address, which is probably part of a portscan. I don't block addresses that scan ports, but I do block addresses that try to guess passwords (not on the Tor box, just on the other one). The block expires in a day.
cmeclax
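The distinction drawn in this message (attempts landing on absent hosts or closed ports versus attempts that almost all reach a listening port 443), sketched as an added example that is not part of the original post. The record format, the function names, and the thresholds `min_dests` and `max_fail_ratio` are assumptions chosen for illustration; the sample records are constructed.

```python
from collections import defaultdict

def classify(records, port=443, min_dests=5, max_fail_ratio=0.2):
    """Label each source by the share of distinct destinations that never
    completed a TCP handshake on `port`.
    records: iterable of (source, destination, dst_port, outcome), where
    outcome is "established", "refused" (closed port) or "timeout" (no host).
    Thresholds are illustrative assumptions, not values from the thread."""
    answered = defaultdict(dict)          # source -> {destination: bool}
    for src, dst, dport, outcome in records:
        if dport != port:
            continue
        ok = outcome == "established"
        # A destination counts as answered if any attempt to it succeeded.
        answered[src][dst] = answered[src].get(dst, False) or ok
    result = {}
    for src, dests in answered.items():
        total = len(dests)
        ratio = sum(1 for ok in dests.values() if not ok) / total
        if total < min_dests:
            label = "insufficient-data"
        elif ratio > max_fail_ratio:
            label = "scan-like"
        else:
            label = "browsing-like"
        result[src] = (total, ratio, label)
    return result

def sample_records():
    """Constructed records using documentation address ranges."""
    rec = []
    for i in range(1, 11):   # nine of ten destinations answer on 443
        outcome = "timeout" if i == 4 else "established"
        rec.append(("198.51.100.10", f"203.0.113.{i}", 443, outcome))
    for i in range(1, 11):   # two answer, three refuse, five are absent
        outcome = "established" if i <= 2 else "refused" if i <= 5 else "timeout"
        rec.append(("198.51.100.20", f"192.0.2.{i}", 443, outcome))
    rec.append(("198.51.100.30", "192.0.2.50", 443, "established"))
    rec.append(("198.51.100.30", "192.0.2.51", 443, "timeout"))
    return rec

if __name__ == "__main__":
    for src, (total, ratio, label) in sorted(classify(sample_records()).items()):
        print(f"{src}: {total} destinations, {ratio:.0%} unanswered -> {label}")
```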