Alright - traffic is picking up a little after 24 hours. Netflow is showing a bunch of outbound SSH connections but for some reason I can't see it in the syslog going out. Added ACL for outbound SSH and will watch. Not sure WTF all the SSH traffic is all about.
gm
-----Original Message----- From: tor-relays [mailto:tor-relays-bounces@lists.torproject.org] On Behalf Of Tom van der Woerdt Sent: Friday, July 11, 2014 9:05 AM To: tor-relays@lists.torproject.org Subject: Re: [tor-relays] Oubound Ports
Ryan Getz wrote on 11/07/14 16:19:
On Fri, Jul 11, 2014, at 09:41 AM, Moritz Bartl wrote:
On 07/11/2014 11:33 AM, Roman Mamedov wrote:
Agreed, but my point was that only a small minority of relays use port 22 (checked, 27 of them - more than I expected) or port 53 (just three relays), so it may be a sacrifice that's worth making, in order to avoid losing the ability to run Tor altogether due to being kicked out by your ISP.
I don't see the point in blocking arbitrary outgoing ports for an application that is not going to make any connections other than relay connections. The danger of Tor misbehaving on port 22 or port 53 is the same as on any other port.
Some time ago I proposed that Tor flags some ports as being unacceptable as ORPort[1], but this did not gather much of a momentum.
A port is a number. None of them is special. I really don't see any reason to discriminate any.
-- Moritz Bartl https://www.torservers.net/
I agree, but it depends on the service provider. I've just recently begun running some relays and while one provider confirmed I could run a non-exit relay on their network, I was later flagged as abusive for too many outgoing connections on port 22. Their network monitoring software tripped the alert as possible SSH scan / exit relay activity. After a few days of working with them, the issue is finally resolved as they now understand it was not malicious and I am not operating an exit.
While I still don't fully understand why my server connects over port 22 to some servers listed with the OR port of 443, I clearly have more to learn about Tor functionality. Regardless, many providers monitor proactively for malicious traffic patterns. Many outgoing connections on port 22 appear as SSH scans/brute forcing to a provider. 25 often appear as spam and 53 as DNS reflection attacks.
I've worked with many providers that do not provide good support and will instantly suspend/terminate your service when they detect these traffic patterns. Some allow you to resume service after justification and the worst ones never resume your service or allow justification. While these are not providers that I'd recommend using when network diversity is important and more new users attempt to contribute to the network, this does cause additional obstacles when using some providers for hosting a relay. A port is a port, but using ports 22, 25 and 53 in particular is definitely going to cause headaches for a subset of contributors.
Regards, Ryan
This raises an interesting question: going forward, do we want to keep requiring all relays to be able to reach every other relay?
I run a small relay at home (10mbit-ish) and my ISP blocks all outgoing traffic to port 25 (smtp). The moment someone starts running a relay on this port, my relay will no longer be able to reach all other relays. This would mean I should stop running a relay, which is (imo) worse for the network.
In the near future it seems more likely that networks will get more closed than more open, and more and more relays will face restrictions imposed by governments or ISPs. What about relays in China? Relays there may be able to reach only 50% of the network. With smart algorithms this can be advantageous as these relays have a higher chance of being able to serve people from these countries, while being able to escape the Great Firewall.
I imagine a Chinese user connecting to a Chinese bridge which connects to a relay outside of the country, etc. This bridge may not be able to connect to every other relay, but if it properly advertises what it can reach that's fine. Of course this would allow an attacker to steer traffic, so a client may want to establish a slightly longer circuit and avoid going through more than X of these special hops.
Having relays in places that are hard to reach allows people nearby to connect more easily to the network. Not doing so means we cannot support relays in countries with government-applied internet restrictions.
It would be nice to see some discussion on this topic. Do we really want to stop people from donating bandwidth just because, simply put, they're from China?
Tom
PS: China is obviously just an example here - the same could apply to the USA.
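The thread turns on a triage question a non-exit relay operator faces when netflow or a provider's abuse monitor shows outbound connections to port 22, 25 or 53: are those flows just the relay reaching other relays' advertised ORPorts, or something that needs investigating? The script below is an added example, not code from any poster or from the Tor project. It assumes the operator has already extracted the advertised OR address:port pairs of relays from the consensus (the lookup table here is constructed, with placeholder fingerprints) and has netflow-style records in a simple CSV form (also constructed). Each flow to a sensitive port is matched against that table, so the operator can separate explained relay-to-relay traffic from flows worth a closer look before talking to the provider.

```python
from collections import Counter

# Constructed sample: advertised OR address:port pairs per relay, in the shape an
# operator would build from the consensus. A relay may advertise more than one
# address:port, which is why a destination listed with ORPort 443 can also be
# reached on 22. Fingerprints are placeholders, not real relays.
RELAY_ORPORTS = {
    "FINGERPRINT-PLACEHOLDER-1": [("198.51.100.10", 443), ("198.51.100.10", 22)],
    "FINGERPRINT-PLACEHOLDER-2": [("203.0.113.5", 9001)],
    "FINGERPRINT-PLACEHOLDER-3": [("192.0.2.77", 22)],
}

# Constructed netflow-style export: "src_ip,src_port,dst_ip,dst_port,proto" per line.
SAMPLE_FLOWS = """\
10.0.0.2,51234,198.51.100.10,22,tcp
10.0.0.2,51235,192.0.2.77,22,tcp
10.0.0.2,51236,203.0.113.5,9001,tcp
10.0.0.2,51237,192.0.2.99,22,tcp
10.0.0.2,51238,203.0.113.5,25,tcp
10.0.0.2,51239,198.51.100.10,443,tcp
"""

# Ports the thread names as the ones providers watch: SSH scanning, spam, DNS reflection.
SENSITIVE_PORTS = {22: "ssh", 25: "smtp", 53: "dns"}


def parse_flows(text):
    """Parse the constructed CSV flow export into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        src, sport, dst, dport, proto = line.split(",")
        flows.append({"src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto})
    return flows


def build_orport_index(relays):
    """Invert the relay table into (address, port) -> fingerprint for O(1) lookups."""
    index = {}
    for fingerprint, addrs in relays.items():
        for addr, port in addrs:
            index[(addr, port)] = fingerprint
    return index


def classify_flows(flows, relays):
    """Tag each flow with the relay whose advertised ORPort it targets, if any."""
    index = build_orport_index(relays)
    classified = []
    for flow in flows:
        fingerprint = index.get((flow["dst"], flow["dport"]))
        classified.append({**flow, "relay": fingerprint, "explained": fingerprint is not None})
    return classified


def sensitive_port_summary(classified):
    """Per sensitive port: how many flows match an advertised ORPort and how many do not."""
    summary = {}
    for c in classified:
        if c["dport"] in SENSITIVE_PORTS:
            entry = summary.setdefault(c["dport"], Counter())
            entry["explained" if c["explained"] else "unexplained"] += 1
    return {port: dict(counts) for port, counts in summary.items()}


def unexplained_destinations(classified):
    """(dst, dport) pairs on sensitive ports that no known relay ORPort accounts for."""
    return sorted({(c["dst"], c["dport"]) for c in classified
                   if c["dport"] in SENSITIVE_PORTS and not c["explained"]})


if __name__ == "__main__":
    result = classify_flows(parse_flows(SAMPLE_FLOWS), RELAY_ORPORTS)
    for port, counts in sensitive_port_summary(result).items():
        print(f"port {port} ({SENSITIVE_PORTS[port]}): {counts}")
    print("needs a look:", unexplained_destinations(result))
```

The matching is deliberately strict on address and port: a flow to a known relay address on a port that relay does not advertise is still reported as unexplained, which is the case an operator actually wants surfaced. In practice the relay table would be regenerated whenever the consensus changes, since a stale table produces false "unexplained" entries for relays that recently joined.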