reconsidering default exit policy

Richard Johnson rdump at river.com
Mon Aug 29 15:05:33 UTC 2005


At 21:15 -0500 on 2005-08-28, Arrakis Tor wrote:
> You could remote control a trojan through any port which was
> compromised on the host, I would think.


I think you're looking at the streams the wrong direction there.  Because
typical firewalls block inbound connections while allowing outbound,
shellcode, PHP exploits, etc. are often used to download IRC bots, which
then connect out to public IRC servers on standard IRC ports and await
commands.

Using non-standard IRC ports (and non-IRC protocols) for such traffic has a
benefit and a few drawbacks.  The benefit is that trivial IRC watchers
won't easily detect it.  The drawbacks are that the server network isn't
going to be extensive (likely not more than one machine), leading to
throughput problems, and that it'll be disabled once discovered.

Of course, bots won't generally use tor nodes for their IRC connections.
But the controllers of those bots often will try to use tor.

For that reason, it can make sense to refuse connections to default IRC
ports on IRC servers from your tor node.  You may feel that IRC is one of
those protocols that, like SMTP and NNTP, is aggressively unauthenticated
and prone to abuse.


Richard
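As an added illustration of the exit-policy point above (not part of the original post), here is a small evaluator for torrc-style ExitPolicy lines. It assumes Tor's first-match rule order and uses 6660-6669 and 6697 as the "default IRC ports"; both the policy and the test addresses are constructed for the example.

```python
# Added example, not from the original post: a minimal evaluator for Tor-style
# ExitPolicy lines, used to see what a policy that also refuses the usual IRC
# ports would do. Rule syntax follows torrc: "accept|reject ADDR[/MASK]:PORT",
# where ADDR may be "*" or an IPv4/IPv6 network (no bracketed IPv6 form here)
# and PORT may be "*", a single number, or "LOW-HIGH". First matching rule wins.
import ipaddress

# Constructed policy: refuse SMTP and NNTP (the abuse-prone protocols the post
# names), then the assumed IRC ports, then accept everything else.
EXAMPLE_POLICY = [
    "reject *:25",          # SMTP
    "reject *:119",         # NNTP
    "reject *:6660-6669",   # plaintext IRC (assumed default range)
    "reject *:6697",        # IRC over TLS (assumed)
    "accept *:*",           # catch-all for all other destinations
]


def _parse_rule(rule):
    """Split one ExitPolicy line into (action, network-or-None, low_port, high_port)."""
    action, _, target = rule.strip().partition(" ")
    if action not in ("accept", "reject"):
        raise ValueError(f"bad action in rule: {rule!r}")
    addr, _, port = target.rpartition(":")
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if port == "*":
        lo, hi = 1, 65535
    elif "-" in port:
        lo, hi = (int(p) for p in port.split("-", 1))
    else:
        lo = hi = int(port)
    return action, net, lo, hi


def exit_allows(policy, dest_ip, dest_port):
    """Return True if the first rule matching dest_ip:dest_port is an accept.

    Rules are tried in order; the first whose address and port both match
    decides. A destination matched by no rule is refused here (the safe default).
    """
    ip = ipaddress.ip_address(dest_ip)
    for rule in policy:
        action, net, lo, hi = _parse_rule(rule)
        addr_ok = net is None or ip in net   # mixed IPv4/IPv6 never matches
        if addr_ok and lo <= dest_port <= hi:
            return action == "accept"
    return False
```

Reordering the rules changes the outcome: an `accept *:*` placed first would shadow every reject after it, which is the usual mistake to check for when editing a policy.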



More information about the tor-talk mailing list