[tor-relays] Oubound Ports

Greg Moss gmoss82 at gmail.com
Sat Jul 12 00:59:51 UTC 2014 

Alright - traffic is picking up a little after 24 hour. Netfow is showing a
bunch of outbound SSH connections but for some reason cant see it in the
syslog  going out. Added ACL for outbound SSH and will watch.  Not sure WTF
all the SSH traffic is all about.

gm

-----Original Message-----
From: tor-relays [mailto:tor-relays-bounces at lists.torproject.org] On Behalf
Of Tom van der Woerdt
Sent: Friday, July 11, 2014 9:05 AM
To: tor-relays at lists.torproject.org
Subject: Re: [tor-relays] Oubound Ports

Ryan Getz schreef op 11/07/14 16:19:
>
> On Fri, Jul 11, 2014, at 09:41 AM, Moritz Bartl wrote:
>> On 07/11/2014 11:33 AM, Roman Mamedov wrote:
>>> Agreed, but my point was that only a small minority of relays use 
>>> port 22 (checked, 27 of them - more than I expected) or port 53 
>>> (just three relays), so it may be a sacrifice that's worth making, 
>>> in order to avoid losing the ability to run Tor altogether due to being
kicked out by your ISP.
>>
>> I don't see the point in blocking arbitrary outgoing ports for an 
>> application that is not going to make any connections other than 
>> relay connections. The danger of Tor misbehaving on port 22 or port 
>> 53 is the same as on any other port.
>>
>>> Some time ago I proposed that Tor flags some ports as being 
>>> unacceptable as ORPort[1], but this did not gather much of a momentum.
>>
>> A port is a number. None of them is special. I really don't see any 
>> reason to discriminate any.
>>
>> --
>> Moritz Bartl
>> https://www.torservers.net/
>
> I agree but it depends on the service provider. I've just recently 
> begun running some relays and while one provider confirmed I could run 
> a non-exit relay on their network, I was later flagged as abusive for 
> too many outgoing connections on port 22. Their network monitoring 
> software tripped the alert as possible SSH scan / exit relay activity. 
> After a few days of working with them, the issue is finally resolved 
> as they now understand it was not malicious and I am not operating an
exit.
>
> While I still don't fully understand why my server connects over port 
> 22 to some servers listed with the OR port of 443, I clearly have more 
> to learn about Tor functionality. Regardless, many providers monitor 
> proactively for malicious traffic patterns. Many outgoing connections 
> on port 22 appear as SSH scans/brute forcing to a provider. 25 often 
> appear as spam and 53 as DNS reflection attacks.
>
> I've worked with many providers that do not provide good support and 
> will instantly suspend/terminate your service when they detect these 
> traffic patterns. Some allow you to resume service after justification 
> and the worst ones never resume your service or allow justification.
> While these are not providers that I'd recommend using when network 
> diversity is important and more new users attempt to contribute to the 
> network, this does cause additional obstacles when using some 
> providers for hosting a relay. A port is a port but using ports 22, 25 
> and 53 in particular are definitely going to cause headaches for a 
> subset of contributors.
>
> Regards,
> Ryan

This raises an interesting question: going forward, do we want to keep
requiring all relays to be able to reach every other relay?

I run a small relay at home (10mbit-ish) and my ISP blocks all outgoing
traffic to port 25 (smtp). The moment someone starts running a relay on this
port, my relay will no longer be able to reach all other relays. 
This would mean I should stop running a relay, which is (imo) worse for the
network.

In the near future it seems more likely that networks will get more closed
than more open, and more and more relays will face restrictions imposed by
governments or ISPs. What about relays in China? Relays there may be able to
reach only 50% of the network. With smart algorithms this can be
advantageous as these relays have a higher chance of being able to serve
people from these countries, while being able to escape the Great Firewall.

I imagine a Chinese user connecting to a Chinese bridge which connects to a
relay outside of the country, etc. This bridge may not be able to connect to
every other relay, but if it properly advertises what it can reach that's
fine. Of course this would allow an attacker to steer traffic, so a client
may want to establish a slightly longer circuit and avoid going through more
than X of these special hops.

Having relays in places that are hard to reach allows people nearby to
connect more easily to the network. Not doing so means we cannot support
relays in countries with government-applied internet restrictions.

It would be nice to see some discussion on this topic. Do we really want to
stop people from donating bandwidth just because, simply put, they're from
China?

Tom

PS: China is obviously just an example here - the same could apply to the
USA.

More information about the tor-relays mailing list