eliminating bogus port 43 exits

Tim Wilde tim at krellis.org
Fri Jun 12 11:54:55 UTC 2009

On 6/12/2009 3:29 AM, Scott Bennett wrote:
> In other words, by restricting just port 43 exits to only the legitimate whois
> IP addresses, I eliminated at least 70% of *all* exits through my tor node,
> which suggests to me that the vast, overwhelming majority of exits from the
> tor network are illegitimate and place a terribly taxing load upon the tor
> network as a whole.


Thanks for your continued analysis, this is interesting information.
However, the list of WHOIS servers you mentioned (and I snipped for
brevity) is by no means a complete set of "the legitimate WHOIS IP
addresses".  In fact, it's much much too small to draw any significant
conclusions, for at least two major reasons:

1) Any .com or .net WHOIS queries that hit whois.verisign-grs.com (aka
whois.internic.net in your list) with a legitimate domain name will
result in a referral to an individual registrar's WHOIS server, which
will often be followed by the client, and would not be allowed by your
exit policy.  There are potentially tens of thousands of these registrar
WHOIS servers out there.

2) Your list significantly excludes all ccTLD WHOIS servers.  While the
numbers of domains registered in ccTLDs are not significant compared to
.com/.net, their use is quite popular in a number of places,
particularly in some where Tor is also quite popular, ie Germany.

I'd be interested in seeing a comparison done with a more significantly
complete list.  I understand you feel very strongly about sampling the
contents of the traffic, and that's perfectly understandable and
appropriate, but it is probably the only way to actually make a firm
determination of how much of this exit traffic really is WHOIS, without
crafting a VERY large Exit policy.  It may be possible, with
appropriately engineered tools, to sample the traffic in a suitably
anonymous way but still draw some conclusions, perhaps by simply
attempting to determine if the TCP session involves mostly text or
binary data.  That may still be a bit too intrusive, so I suppose we
might just never know.

Given these shortcomings in the list, I definitely wouldn't suggest that
such a list be considered a "default", as you'll be blocking a
potentially significant amount of legitimate WHOIS traffic.

If you do attempt to dig up a more complete list of WHOIS servers, I'd
certainly be interested to see what you come up with, but of course
understand you're doing this all on your own time and dime, and would
never suggest that you're by any means obligated to do so. :)

Best Regards,

More information about the tor-talk mailing list