eliminating bogus port 43 exits
kyle.kwilliams at gmail.com
Fri Jun 12 07:44:19 UTC 2009
Got a couple of questions.
- Have you looked deeper into the request for port 43, using tcpdump or
- Do you KNOW that it is a WHOIS request, not OpenVPN or something else
running on the WHOIS port?
- Have you logged what IPs are being connected to?
I'm just curious, as this seems to be really odd to me that so many WHOIS
requests are going through Tor.
I'm almost curious enough to run an exit node now just to see what might be
On Fri, Jun 12, 2009 at 12:29 AM, Scott Bennett <bennett at cs.niu.edu> wrote:
> A bit over a month ago, I posted here some exit statistics by port
> One major oddity among them was the count of port 43 (whois) exits, which
> seemed extraordinarily large, especially in relation to the counts for
> more expectedly popular port numbers. Some of the comments I got in
> gave me an idea. In what follows here, keep in mind that the second
> frequently occurring exit port number in the statistics previously reported
> was 443 (https), and that the count of port 43 exits was in the millions
> the count of port 443 exits was several hundred thousand. It is important
> note that my node's exit policy regarding port 80 (http) is highly
> resulting in very low exit counts for that port. Keeping that in mind, the
> exit counts for almost all other ports were not and are not similarly
> I replaced the "ExitPolicy accept *:43" in my torrc file with the
> ###---Limited list of allowed whois exit addresses
> ExitPolicy accept 18.104.22.168:43 # whois access to whois.6bone.net
> ExitPolicy accept 22.214.171.124:43 # whois access to whois.arin.net
> ExitPolicy accept 126.96.36.199:43 # whois access to whois.ripe.net
> ExitPolicy accept 188.8.131.52:43 # whois access to whois.ripn.net
> ExitPolicy accept 184.108.40.206:43 # whois access to
> ExitPolicy accept 220.127.116.11:43 # whois access to
> ExitPolicy accept 18.104.22.168:43 # whois access to whois.crsnic.net
> ExitPolicy accept 22.214.171.124:43 # whois access to
> ExitPolicy accept 126.96.36.199:43 # whois access to whois.arin.net
> ExitPolicy accept 188.8.131.52:43 # whois access to
> ExitPolicy accept 184.108.40.206:43 # whois access to whois.lacnic.net
> ExitPolicy accept 220.127.116.11:43 # whois access to whois.apnic.net
> ExitPolicy accept 18.104.22.168:43 # whois access to whois.krnic.net
> ExitPolicy accept 22.214.171.124:43 # whois access to
> ExitPolicy accept 126.96.36.199:43 # whois access to whois.nic.gov
> ExitPolicy accept 188.8.131.52:43 # whois access to whois.icann.org
> ExitPolicy accept 184.108.40.206:43 # whois access to whois.iana.org
> ExitPolicy reject *:43 # nicname whois
> ###---End of whois exit policy specifications
> The relationship now between the exit counts for ports 43 and 443 in
> last few days since I switched to 0.2.1.15-rc with Nick's patch applied
> like this:
> 439 Exit to port 43
> 72052 Exit to port 443
> In other words, by restricting just port 43 exits to only the legitimate
> IP addresses, I eliminated at least 70% of *all* exits through my tor node,
> which suggests to me that the vast, overwhelming majority of exits from the
> tor network are illegitimate and place a terribly taxing load upon the tor
> network as a whole. This apparent fact, in turn, suggests that if a) all
> tor nodes with an explicit exit policy were to restrict port 443 exits to
> just the legitimate port 43 IP addresses and b) the tor default exit policy
> did the same, a huge and illegitimate load would be lifted from the tor
> overall. If no relays offer exits to port 43 that don't go to the NICs'
> servers, well over half of all tor exits, which are illegitimate and
> undeserving of service in the first place, will be eliminated (not counting
> typical port 80 (http) traffic, of course).
> Because my node's exit policy for port 80 (http) is not wide open, it
> hard for me to estimate the relative importance of bogus port 43 requests
> w.r.t. legitimate port 80 (http) requests. Because of my node's limited
> 80 exit policy, I would be *very* interested in seeing exit counts for
> with unrestricted exit policies for the combination of ports 43, 80, and
> in order to get a better idea of their relative importances.
> Nevertheless, the impact of eliminating those exit opportunities can be
> expected to be quite significant in terms of performance of the network
> overall, particularly because circuits will not need to be built in the
> place for such requests. If even a few relays continue to offer
> exits for port 43, they will get so badly hammered by all the bogus exit
> requests that they will cease to be important to normal operations of the
> network until such time as they may modify their exit policies to be more
> tune with valid use of the tor network, rather than use by some sort of
> scanner or whatever junk software is currently consuming so much of the tor
> network's resources, except to the extent that such non-conforming nodes
> be incurring the cost of the circuits to reach them for the exit service.
> Please note also that changing the default exit policy and most tor
> explicit exit policies to the above specification would not prevent tor
> node operators from adding other legitimate whois servers' IP addresses to
> their exit policies.
> Therefore, I encourage all tor exit node operators to make the above
> described change to the exit policies of their exit nodes. (Feel free to
> and paste.) I further suggest that the default exit policy for tor be
> in all future releases of both the stable and development branches of tor
> have the exit policy for port 43 shown above, as modified from time to time
> the NICs' whois server addresses may change.
> Comments are both welcome and encouraged.
> Scott Bennett, Comm. ASMELG, CFIAG
> * Internet: bennett at cs.niu.edu *
> * "A well regulated and disciplined militia, is at all times a good *
> * objection to the introduction of that bane of all free governments *
> * -- a standing army." *
> * -- Gov. John Hancock, New York Journal, 28 January 1790 *
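As an added example (not code from either poster, nor Tor's own policy code), here is a small first-match evaluator for ExitPolicy lines of the shape quoted above, useful for checking what a restricted port 43 policy will actually do before reloading tor. The torrc fragment and the addresses in it are constructed TEST-NET placeholders, not the real whois server addresses; a result of None means no line matched, where tor would fall through to the default policy it appends after the torrc.

```python
"""First-match evaluator for Tor-style ExitPolicy lines (constructed example)."""
import ipaddress

# Constructed torrc fragment shaped like the one quoted in the post.
# 192.0.2.x / 198.51.100.x are TEST-NET placeholders, not real NIC servers.
TORRC_FRAGMENT = """
###---Limited list of allowed whois exit addresses
ExitPolicy accept 192.0.2.10:43        # placeholder for one RIR whois server
ExitPolicy accept 192.0.2.20:43        # placeholder for a second whois server
ExitPolicy accept 198.51.100.0/24:43   # placeholder for a whois netblock
ExitPolicy reject *:43                 # nicname whois
###---End of whois exit policy specifications
ExitPolicy reject *:25
ExitPolicy accept *:80-443
"""


def parse_policy(text):
    """Return (action, network-or-None, low_port, high_port) per ExitPolicy line.

    Handles '*' or an address/CIDR, and '*', a single port or 'lo-hi'.
    One pattern per line only (tor also allows comma-separated patterns)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line.startswith("ExitPolicy"):
            continue
        action, pattern = line.split()[1:3]
        addr, port = pattern.rsplit(":", 1)
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if port == "*":
            lo, hi = 1, 65535
        elif "-" in port:
            lo, hi = (int(p) for p in port.split("-"))
        else:
            lo = hi = int(port)
        rules.append((action, net, lo, hi))
    return rules


def exit_decision(rules, ip, port):
    """First matching rule wins; None when no rule matched the (ip, port)."""
    target = ipaddress.ip_address(ip)
    for action, net, lo, hi in rules:
        if lo <= port <= hi and (net is None or target in net):
            return action
    return None


if __name__ == "__main__":
    policy = parse_policy(TORRC_FRAGMENT)
    for ip, port in [("192.0.2.10", 43), ("203.0.113.5", 43), ("203.0.113.5", 443)]:
        print(ip, port, exit_decision(policy, ip, port))
```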