eliminating bogus port 43 exits

Anon Mus my.green.lantern at googlemail.com
Sat Jun 13 07:45:33 UTC 2009 

Roger Dingledine wrote:
> On Fri, Jun 12, 2009 at 03:51:25PM -0700, Kyle Williams wrote:
>   
>> I think "snooping" and "statistical information" should be treated
>> differently.  Take Scott's case here.  He is making a claim that by using
>> the exit policy outlined above, it would reduce the amount of traffic on tor
>> by 70% or whatever.  What I would like to see proof of is that the IP
>> addresses that are now being blocked are NOT running a WHOIS services.  How
>> do we know for sure that they are not in fact a valid WHOIS service?
>>     
>
> I would also be curious to learn the mean/median number of bytes that
> a given connection to port 43 takes. If it's a tiny amount, then it
> probably isn't responsible for 70% of Tor's traffic. If it's huge,
> then perhaps that means people are file-sharing over port 43.
>
>   

IMHO its unlikely that file sharers are ALL using port 43... you are 
more likely to see a wide spread of ports with high usage. I've found 
that sharers are not savvy enough to all pick port 43 because its more 
likely to be open. When I file share over TOR (once or twice a year 
max., to get seeding started, anonymously) I pick no particular port. 

Without a large anonymous Pron provider operating over TOR, its more 
likely that a very large organization (military - intell) has its own 
software communicating over TOR (hidden in ordinary port 43 "cover" 
traffic) on port 43. Obviously, this would be a globally distributed 
operation. Say... the US Mil&Intel. Of course, if its existence were 
discovered they would need to put up some sort of smokescreen, pointing 
the finger in the wrong direction, so to speak.

Of course... it could all be regular WHOIS traffic, as cover traffic, or 
just genuine. Maybe someone (MIL/GOV) has their own local WHOIS copy 
which is updated via TOR (??).

A little bloodhounding the port 43 IP addresses/domains would go a long 
way to seeing if they were at least all or mainly genuine WHOIS requests.  


snip..

> --Roger
>
>
>

More information about the tor-talk mailing list