eliminating bogus port 43 exits

grarpamp grarpamp at gmail.com
Sat Jun 13 01:54:25 UTC 2009

Being familiar with ISP practice in this area, it is why you examine
the content and what you do with the knowledge of the content
observed, be it stored in your head or on disk, that matters.

It's pretty well established that one may monitor traffic in a
general way in order to figure out what's up, make and enforce
policy and so on.

One cannot monitor/record a particular users's traffic and then
disclose that traffic or use it for/against them or oneself.

A few examples. Think about what is or is not legal and why.

1a - Any content based IDS such as bro.
1b - Any content based traffic shapers, balancers, etc.
1c - Any mail virus scanner, NetNanny, etc.
1d - Nagios, OpenNMS, netflow, HPOpenview, and so on.

You can sure bet the purveyors of these products do not develop
these systems in a pristine air gap lab environment using only
traffic they generated. And they are deployed on real data.

2 - Any ISP trying to figure out why their traffic just trended up
by 50% the last month. Any LAN admin trying to figure out why
their T1 is saturated.

3a - Any network research group, whether private, institutional or
white/gray/black. Bugtraq/FullDisclosure, Defcon presentations,
live demos, etc.
3b - That guy who snooped Tor and published embassy passwords.

4a - Employer x, checking up on adherance to corporate email policy,
reading random mails in the process.
4b - Finding out that you enjoy watching the mating habits of penuins
on PBS and then wondering why you have one or more fewer friends
in the lunchroom at work the next day.

5a - Social networking sites selling 'demographic and statistical'
data to places like Intelius.
5b - Google trolling your email to display targeted ads and do who
knows what else with.
5c - This call may be monitored or recorded.

These are all black areas that are hard to get internal facts about
unless you work deep inside where it happens. Some is ok, some is
untrustworthy, some is evil.

6 - The US govt itself, and other countries, with their tap the
entire internet projects. Some of this, and the handling of product
from it, is known to be illegal, it's just so black that no one has
been able to prove it yet.

7 - The thousands of networked entities that use netflow and other
statistical and content analysis tools 24x7x365 without concern.

8 - Public records requests for netflow data from public institutions.
Yes, they have had to disclose them.

It's safe to snoop port 43 for this purpose and say I found:
200 whois queries to known public servers x, y and z.
34 plaintext irc sessions to these public ircnets.
22 initial ssh fingerprints
16 encrypted sessions to somewhere inside the pentagon.

But not safe to say:
200 whois queries for these domains, some of which sent their domain
passwords over port 80 to the registrar, here's the tokens.
53 HTTP GET's to a hapless bank x, here's Tony's info
34 irc sessions of Linda and Mark cybering, check out this conversation.
38 encrypted sessions where I further MITM'd them and here's their

For the most part, in the US, an exit node operator is an ISP. They
are subject to common carrier, DMCA, ECPA and so on as it applies
to their role as an ISP. And ISP's also have the right to protect,
monitor, price and modify their nets as is standard industry practice.
And to shield themselves from potential liability or legal expenditure
and entanglement by dropping traffic that is too risky to handle, so
long as it's done agnostically.

If I were running an exit in the US, I'd be VERY happy to distill
any amount of stats, be it IP or content based, and post them here.
Including the number of times I saw the phrase 'I eat boogers' on
my wire. It's just stats.

And heck no, I'd never save or post the raw content, that's nuts.

IANAL, jail may occur, subscribe to NANOG, your lawyer, EFF, etc.

More information about the tor-talk mailing list