[tor-relays] Oubound Ports

Tom van der Woerdt info at tvdw.eu
Fri Jul 11 16:04:53 UTC 2014 

Ryan Getz schreef op 11/07/14 16:19:
>
> On Fri, Jul 11, 2014, at 09:41 AM, Moritz Bartl wrote:
>> On 07/11/2014 11:33 AM, Roman Mamedov wrote:
>>> Agreed, but my point was that only a small minority of relays use port 22
>>> (checked, 27 of them - more than I expected) or port 53 (just three relays),
>>> so it may be a sacrifice that's worth making, in order to avoid losing the
>>> ability to run Tor altogether due to being kicked out by your ISP.
>>
>> I don't see the point in blocking arbitrary outgoing ports for an
>> application that is not going to make any connections other than relay
>> connections. The danger of Tor misbehaving on port 22 or port 53 is the
>> same as on any other port.
>>
>>> Some time ago I proposed that Tor flags some ports as being unacceptable as
>>> ORPort[1], but this did not gather much of a momentum.
>>
>> A port is a number. None of them is special. I really don't see any
>> reason to discriminate any.
>>
>> --
>> Moritz Bartl
>> https://www.torservers.net/
>
> I agree but it depends on the service provider. I've just recently begun
> running some relays and while one provider confirmed I could run a
> non-exit relay on their network, I was later flagged as abusive for too
> many outgoing connections on port 22. Their network monitoring software
> tripped the alert as possible SSH scan / exit relay activity. After a
> few days of working with them, the issue is finally resolved as they now
> understand it was not malicious and I am not operating an exit.
>
> While I still don't fully understand why my server connects over port 22
> to some servers listed with the OR port of 443, I clearly have more to
> learn about Tor functionality. Regardless, many providers monitor
> proactively for malicious traffic patterns. Many outgoing connections on
> port 22 appear as SSH scans/brute forcing to a provider. 25 often appear
> as spam and 53 as DNS reflection attacks.
>
> I've worked with many providers that do not provide good support and
> will instantly suspend/terminate your service when they detect these
> traffic patterns. Some allow you to resume service after justification
> and the worst ones never resume your service or allow justification.
> While these are not providers that I'd recommend using when network
> diversity is important and more new users attempt to contribute to the
> network, this does cause additional obstacles when using some providers
> for hosting a relay. A port is a port but using ports 22, 25 and 53 in
> particular are definitely going to cause headaches for a subset of
> contributors.
>
> Regards,
> Ryan

This raises an interesting question: going forward, do we want to keep 
requiring all relays to be able to reach every other relay?

I run a small relay at home (10mbit-ish) and my ISP blocks all outgoing 
traffic to port 25 (smtp). The moment someone starts running a relay on 
this port, my relay will no longer be able to reach all other relays. 
This would mean I should stop running a relay, which is (imo) worse for 
the network.

In the near future it seems more likely that networks will get more 
closed than more open, and more and more relays will face restrictions 
imposed by governments or ISPs. What about relays in China? Relays there 
may be able to reach only 50% of the network. With smart algorithms this 
can be advantageous as these relays have a higher chance of being able 
to serve people from these countries, while being able to escape the 
Great Firewall.

I imagine a Chinese user connecting to a Chinese bridge which connects 
to a relay outside of the country, etc. This bridge may not be able to 
connect to every other relay, but if it properly advertises what it can 
reach that's fine. Of course this would allow an attacker to steer 
traffic, so a client may want to establish a slightly longer circuit and 
avoid going through more than X of these special hops.

Having relays in places that are hard to reach allows people nearby to 
connect more easily to the network. Not doing so means we cannot support 
relays in countries with government-applied internet restrictions.

It would be nice to see some discussion on this topic. Do we really want 
to stop people from donating bandwidth just because, simply put, they're 
from China?

Tom

PS: China is obviously just an example here - the same could apply to 
the USA.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3729 bytes
Desc: S/MIME-cryptografische ondertekening
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20140711/87540846/attachment.bin>

More information about the tor-relays mailing list