eliminating bogus port 43 exits

Kyle Williams kyle.kwilliams at gmail.com
Fri Jun 12 07:44:19 UTC 2009

Hi Scott,

Got a couple of questions.

- Have you looked deeper into the request for port 43, using tcpdump or
- Do you KNOW that it is a WHOIS request, not OpenVPN or something else
running on the WHOIS port?
- Have you logged what IP's are being connected to?

I'm just curious, as it seems really odd to me that so many WHOIS
requests are going through Tor.
I'm almost curious enough to run an exit node now just to see what might be
going on.

- Kyle

On Fri, Jun 12, 2009 at 12:29 AM, Scott Bennett <bennett at cs.niu.edu> wrote:

>     A bit over a month ago, I posted here some exit statistics by port
> number.  One major oddity among them was the count of port 43 (whois)
> exits, which seemed extraordinarily large, especially in relation to the
> counts for other, more expectedly popular port numbers.  Some of the
> comments I got in response gave me an idea.  In what follows here, keep
> in mind that the second most frequently occurring exit port number in the
> statistics previously reported was 443 (https), and that the count of
> port 43 exits was in the millions when the count of port 443 exits was
> several hundred thousand.  It is important to note that my node's exit
> policy regarding port 80 (http) is highly restrictive, resulting in very
> low exit counts for that port.  Keeping that in mind, the exit counts for
> almost all other ports were not and are not similarly restricted.
>     I replaced the "ExitPolicy accept *:43" in my torrc file with the
> following:
> ###---Limited list of allowed whois exit addresses
> ExitPolicy accept      # whois access to whois.6bone.net
> ExitPolicy accept     # whois access to whois.arin.net
> ExitPolicy accept        # whois access to whois.ripe.net
> ExitPolicy accept      # whois access to whois.ripn.net
> ExitPolicy accept        # whois access to whois.afrinic.net
> ExitPolicy accept       # whois access to whois.ra{,db}.net
> ExitPolicy accept        # whois access to whois.crsnic.net
> ExitPolicy accept        # whois access to whois.internic.net
> ExitPolicy accept       # whois access to whois.arin.net
> ExitPolicy accept        # whois access to whois.registro.br
> ExitPolicy accept       # whois access to whois.lacnic.net
> ExitPolicy accept       # whois access to whois.apnic.net
> ExitPolicy accept      # whois access to whois.krnic.net
> ExitPolicy accept     # whois access to whois.networksolutions.com
> ExitPolicy accept     # whois access to whois.nic.gov
> ExitPolicy accept      # whois access to whois.icann.org
> ExitPolicy accept      # whois access to whois.iana.org
> ExitPolicy reject *:43          # nicname whois
> ###---End of whois exit policy specifications
>     The relationship now between the exit counts for ports 43 and 443 in
> the last few days since I switched to with Nick's patch applied looks
> like this:
>  439 Exit to port 43
> 72052 Exit to port 443
> In other words, by restricting just port 43 exits to only the legitimate
> whois IP addresses, I eliminated at least 70% of *all* exits through my
> tor node, which suggests to me that the vast, overwhelming majority of
> exits from the tor network are illegitimate and place a terribly taxing
> load upon the tor network as a whole.  This apparent fact, in turn,
> suggests that if a) all tor nodes with an explicit exit policy were to
> restrict port 443 exits to just the legitimate port 43 IP addresses and
> b) the tor default exit policy did the same, a huge and illegitimate load
> would be lifted from the tor network overall.  If no relays offer exits
> to port 43 that don't go to the NICs' whois servers, well over half of
> all tor exits, which are illegitimate and undeserving of service in the
> first place, will be eliminated (not counting typical port 80 (http)
> traffic, of course).
>     Because my node's exit policy for port 80 (http) is not wide open, it
> is hard for me to estimate the relative importance of bogus port 43
> requests w.r.t. legitimate port 80 (http) requests.  Because of my node's
> limited port 80 exit policy, I would be *very* interested in seeing exit
> counts for nodes with unrestricted exit policies for the combination of
> ports 43, 80, and 443 in order to get a better idea of their relative
> importances.
>     Nevertheless, the impact of eliminating those exit opportunities can
> be expected to be quite significant in terms of performance of the
> network overall, particularly because circuits will not need to be built
> in the first place for such requests.  If even a few relays continue to
> offer unrestricted exits for port 43, they will get so badly hammered by
> all the bogus exit requests that they will cease to be important to
> normal operations of the tor network until such time as they may modify
> their exit policies to be more in tune with valid use of the tor network,
> rather than use by some sort of port scanner or whatever junk software is
> currently consuming so much of the tor network's resources, except to the
> extent that such non-conforming nodes would be incurring the cost of the
> circuits to reach them for the exit service.
>     Please note also that changing the default exit policy and most tor
> nodes' explicit exit policies to the above specification would not
> prevent tor exit node operators from adding other legitimate whois
> servers' IP addresses to their exit policies.
>     Therefore, I encourage all tor exit node operators to make the above
> described change to the exit policies of their exit nodes.  (Feel free to
> copy and paste.)  I further suggest that the default exit policy for tor
> be modified in all future releases of both the stable and development
> branches of tor to have the exit policy for port 43 shown above, as
> modified from time to time as the NICs' whois server addresses may
> change.
>     Comments are both welcome and encouraged.
>                                  Scott Bennett, Comm. ASMELG, CFIAG
> **********************************************************************
> * Internet:       bennett at cs.niu.edu                              *
> *--------------------------------------------------------------------*
> * "A well regulated and disciplined militia, is at all times a good  *
> * objection to the introduction of that bane of all free governments *
> * -- a standing army."                                               *
> *    -- Gov. John Hancock, New York Journal, 28 January 1790         *
> **********************************************************************
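The quoted post restricts port 43 exits to an allow-list of whois server addresses and then tallies accepted exits per port. The following Python script is an added example, not code from this thread or from Tor: it parses torrc-style ExitPolicy lines (accept/reject, an IPv4 address or `*` with an optional prefix length, and a port, port range or `*`), applies them first-match-wins to a constructed set of exit requests, and compares the per-port counts under the open and the restricted policy. The addresses are RFC 5737 documentation placeholders standing in for the whois servers' real IPs, which the archived post does not show; treating an unmatched request as rejected is a simplification, since real Tor appends its default policy instead.

```python
"""Evaluate Tor-style ExitPolicy rules against (address, port) exit requests.

Added example (not code from the tor-talk thread or from Tor itself).  Rule
syntax follows torrc ExitPolicy lines; first matching rule wins.  All
addresses below are RFC 5737 documentation placeholders, constructed for the
example, not the whois servers' real addresses.
"""
import ipaddress
from collections import Counter

# Constructed torrc fragment in the shape of the one from the post: a short
# allow-list for port 43 followed by a catch-all reject for that port.
RESTRICTED_POLICY = """\
###---Limited list of allowed whois exit addresses
ExitPolicy accept 192.0.2.10:43       # placeholder for a RIR whois server
ExitPolicy accept 192.0.2.11:43       # placeholder for a second whois server
ExitPolicy accept 198.51.100.0/24:43  # placeholder for a whois server block
ExitPolicy reject *:43                # nicname whois
ExitPolicy accept *:443
ExitPolicy reject *:*
"""

# The policy the post replaced: port 43 open to any destination.
OPEN_POLICY = """\
ExitPolicy accept *:43
ExitPolicy accept *:443
ExitPolicy reject *:*
"""


def parse_policy(text):
    """Return a list of (action, network, low_port, high_port) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "ExitPolicy":
            parts = parts[1:]
        action, target = parts[0], parts[1]
        addr, port = target.rsplit(":", 1)
        if addr == "*":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(addr, strict=False)  # bare IP -> /32
        if port == "*":
            low, high = 1, 65535
        elif "-" in port:
            low, high = (int(p) for p in port.split("-"))
        else:
            low = high = int(port)
        rules.append((action, net, low, high))
    return rules


def exit_allowed(rules, ip, port):
    """First matching rule decides.  Unmatched requests are treated as
    rejected here (simplification: real Tor appends its default policy)."""
    address = ipaddress.ip_address(ip)
    for action, net, low, high in rules:
        if address in net and low <= port <= high:
            return action == "accept"
    return False


# Constructed exit-request records (destination ip, port).  They mimic the
# post's observation: a handful of lookups to the listed whois servers, a
# flood of port-43 requests to arbitrary addresses, and ordinary https.
SAMPLE_REQUESTS = (
    [("192.0.2.10", 43)] * 3                              # legitimate whois
    + [("198.51.100.7", 43)] * 2                          # inside the /24
    + [("203.0.113.%d" % i, 43) for i in range(1, 41)]    # bogus port-43 exits
    + [("203.0.113.5", 443)] * 10                         # ordinary https
    + [("203.0.113.9", 25)] * 2                           # hits the catch-all
)


def exit_counts(policy_text, requests=SAMPLE_REQUESTS):
    """Count accepted exits per port, like the 'Exit to port N' tally."""
    rules = parse_policy(policy_text)
    counts = Counter()
    for ip, port in requests:
        if exit_allowed(rules, ip, port):
            counts[port] += 1
    return dict(counts)


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        print("%-10s %s" % (name, exit_counts(policy)))
```

Under the open policy all 45 port-43 requests exit; under the restricted one only the 5 aimed at the allow-listed addresses do, while port 443 counts are unchanged. An operator adapting this to a real relay would replace the placeholder networks with resolved addresses for the whois servers they choose to serve, and re-check them when those addresses change, as the post notes.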