On Wed, 9 Mar 2011 19:18:34 -0500 cmeclax-sazri <cmeclax-sazri@ixazon.dynip.com> wrote:

On Wednesday 09 March 2011 17:20:17 Chris Palmer wrote:

...

On 03/09/2011 01:48 PM, Arjan wrote:

...

...

We are saying hello on port 443, and then saying goodbye. Once. Using normal TCP and TLS handshaking, no tricks. For the good of the internet.

That would be enough to get me in trouble with my ISP for performing portscans (if I were running an exit node).

And how would you, or anyone else, differentiate that from normal web browsing?

If a lot of those connection attempts are going to IP addresses with no host present, or hosts not running a webserver, it looks like portscanning. If almost all of the connection attempts are to webservers that have port 443 open, it looks like normal https web browsing.

Are you kidding? Closing a connection upon receipt of the ACK response to the SYN you sent looks like normal HTTPS web browsing? On what planet? Normal web browsing, whether HTTP or HTTPS, involves data transmission occurring in both directions between receipt of that ACK and the closing of the connection by the web browser. Closing the connection upon receipt of the ACK response to the SYN without any intervening data transmission is, OTOH, a characteristic behavior of port scanners. So you had it backwards. Here's a tidbit for you to consider. pf offers an option on filtering rules for inbound SSL connections called "synproxy", which relieves server software of the effort of dealing with bogus connection attempts by handling the SSL exchanges itself before passing the connection on to the server. It also means that a connection from something that doesn't know how to perform the SSL handshaking will sit until the timeout occurs, so the attacker is stuck with an outstanding connection tying up resources until that happens. That delay of a couple of minutes can be a long and wasteful nuisance to an attacker. OTOH, a legitimate application, e.g., a tor client or relay trying to connect to the ORPort of another relay, completes the handshake and begins communicating with its peer with no delay, and the software accepting the connection only deals with the legitimate connections. It works just great! :-) I highly recommend it to anyone running a tor relay on a system that supports pf.

I have only one external address and only a few ports forwarded, so I can't detect portscans. I have noticed that an attempt to guess passwords on SSH is often, but not always, preceded by a connect and disconnect from the same IP address, which is probably part of a portscan. I don't block addresses that scan ports, but I do block addresses that try to guess passwords (not on the Tor box, just on the other one). The block expires in a day.

To each his/her own. Legitimate port scanning operations are typically run by system/network administrators against the machines on their *own networks*. I treat any others as attackers or at least attacker-wannabes, and I keep track of such miscreants indefinitely against the possibility that I might someday provide services other than tor relaying. The miscreants will have no access to such services on general principles and will only have access to the tor node if and when they are currently running a public (i.e., not a bridge) tor node on the system with the IP address from which their tor attempts to connect to mine. Scott Bennett, Comm. ASMELG, CFIAG ********************************************************************** * Internet: bennett at cs.niu.edu * *--------------------------------------------------------------------* * "A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army." * * -- Gov. John Hancock, New York Journal, 28 January 1790 * **********************************************************************