exit counts by port number over 61 days

Tripple Moon tripple.moon at yahoo.com
Fri Apr 17 01:00:05 UTC 2009


--- On Thu, 4/16/09, Scott Bennett <bennett at cs.niu.edu> wrote:
> >There are plenty of other ports to do this on, though -
> >many of them far more common than 1080 (and SOCKS) nowadays.
> >
>      Right.  I think I'll hold off a bit longer to see
> what other comments
> people may make here before I close that port.
>      BTW, I am still very interested in reading any
> comments people may have
> regarding patterns or anything else they notice in the exit
> counts that I posted here.
> I looked for the most obvious stuff, but there may be other
> weirder stuff going on involving port numbers that had
> fewer, yet still significant numbers of, exits.
My guess is that this wide range of used ports is caused by port scanners.
The reason, IMHO, that they have seemingly different (read random) usage counts is because the tor-network chooses exit points on its own, and thus some probes, from same origin, are being directed at other exit-points rather than all to yours.
These port probes/scans don't all have to be necessarily ill-minded, because some users might as well have done probes to their own machines to check for security.
You might get better decision making arguments for your self if you could correlate the port usage with client requests.
That way you could see if they are indeed port-range probes.
Normally you would log IP#'s, but with the tor-network as origin that kind-of is out of the question.
Im not sure if you can somehow intercept the tor-client-ID, or whatever it's called that's unique, that originated the connection.
IMHO, it's rather a bad decision to allow _all_ ports to be used for exit.
A better one would be, again IMHO, open a list of ports used by "normal-use of the tor-network", and block the rest.
By "normal-use of the tor-network" i mean: The software that people, who use this network with non-ill intentions, use.
Or if you reverse the idea, you get: The software that people with ill-intentions would most likely use. (and block those ports)
For me personally the ports that all exit-points should allow is (IMHO):
Web (80,443), Pop3 (*), NNTP (*), DNS (53), Torrent (default 6881), FTP (20/21).
(*) These are gray-area IMHO because they are more likely used for "ill" as "non-ill" -behavior over the tor-network intentions.
Example why i dont list other ports like telnet:
If a user uses telnet to connect to some machine, his/her identity is normally known on that machine otherwise that user would not have a telnet account, thus eliminating the need to connect using the tor-network.
When you apply that logic to any port you want to open/close, you will come to good reasons why to open or close it.

(Whoa sometimes i have to restrain myself when thinking aloud in text)

Anyway gl.


      



More information about the tor-talk mailing list