eliminating bogus port 43 exits

Roger Dingledine arma at mit.edu
Fri Jun 12 23:32:24 UTC 2009

On Fri, Jun 12, 2009 at 03:51:25PM -0700, Kyle Williams wrote:
> I think "snooping" and "statistical information" should be treated
> differently.  Take Scott's case here.  He is making a claim that by using
> the exit policy outlined above, it would reduce the amount of traffic on tor
> by 70% or whatever.  What I would like to see proof of is that the IP
> addresses that are now being blocked are NOT running a WHOIS services.  How
> do we know for sure that they are not in fact a valid WHOIS service?

I would also be curious to learn the mean/median number of bytes that
a given connection to port 43 takes. If it's a tiny amount, then it
probably isn't responsible for 70% of Tor's traffic. If it's huge,
then perhaps that means people are file-sharing over port 43.

> So, Andrew, would running 'iptraf' on a exit node to see the amount of
> bandwidth that is being used or what IP/ports are being connected be
> considered "wire tapping"?
> I'm not trying to start an argument, I'm just trying to figure out how a
> researcher can do his/her work, get real answers, without crossing the line
> of "wire tapping".  That's all.

This question is an ongoing debate in the legal world. Here's a bit
of background (from a non-lawyer).

There are two categories to consider here: wiretapping and pen
registers. Wiretapping considers content, and is really bad to do. Pen
registers consider addressing information -- who is involved in the call
but not what they're saying. (Yes, "call" -- think of all communications
like phone calls, and you'll be getting into the spirit of the law.)

While wiretapping is "right out", pen registers are a much more gray
area. In practice, so far, and especially if you're doing it to improve
the quality of service, and you don't upset the wrong people, and a few
other disclaimers and caveats, nobody's going to bother you *legally*
for pen registering your Tor.

That means we can get down to the real question, which imo is: if you're
going to collect info like that from your Tor, how should you do it in a
way that keeps everybody actually safe? Not publishing specific addresses
is a must -- not even letting them touch disk seems like a good move too.

We've been wrestling with this question in the context of collecting
aggregate performance and usage data from Tor so we can start resolving
our speed problems. See for example the last few paragraphs of


More information about the tor-talk mailing list