eliminating bogus port 43 exits

Scott Bennett bennett at cs.niu.edu
Sat Jun 13 07:59:30 UTC 2009

     On Sat, 13 Jun 2009 08:45:33 +0100 Anon Mus
<my.green.lantern at googlemail.com> wrote:
>Roger Dingledine wrote:
>> On Fri, Jun 12, 2009 at 03:51:25PM -0700, Kyle Williams wrote:
>>> I think "snooping" and "statistical information" should be treated
>>> differently.  Take Scott's case here.  He is making a claim that by using
>>> the exit policy outlined above, it would reduce the amount of traffic on tor
>>> by 70% or whatever.  What I would like to see proof of is that the IP
>>> addresses that are now being blocked are NOT running a WHOIS service.  How
>>> do we know for sure that they are not in fact a valid WHOIS service?
>> I would also be curious to learn the mean/median number of bytes that
>> a given connection to port 43 takes. If it's a tiny amount, then it
>> probably isn't responsible for 70% of Tor's traffic. If it's huge,
>> then perhaps that means people are file-sharing over port 43.
>IMHO it's unlikely that file sharers are ALL using port 43... you are 
>more likely to see a wide spread of ports with high usage. I've found 
>that sharers are not savvy enough to all pick port 43 because it's more 
>likely to be open. When I file share over TOR (once or twice a year 
>max., to get seeding started, anonymously) I pick no particular port. 
>Without a large anonymous Pron provider operating over TOR, it's more 
>likely that a very large organization (military - intell) has its own 
>software communicating over TOR (hidden in ordinary port 43 "cover" 
>traffic) on port 43. Obviously, this would be a globally distributed 
>operation. Say... the US Mil&Intel. Of course, if its existence were 
>discovered they would need to put up some sort of smokescreen, pointing 
>the finger in the wrong direction, so to speak.

     That's an interesting observation.  I'm not involved in the P2P
file-sharing community, so I'm often unaware of the details.  I had hoped
that such activities would have been carried out over unassigned ports
and most certainly over only non-privileged ports.  Sigh.
>Of course... it could all be regular WHOIS traffic, as cover traffic, or 
>just genuine. Maybe someone (MIL/GOV) has their own local WHOIS copy 
>which is updated via TOR (??).

     Fat chance, IMO.
>A little bloodhounding of the port 43 IP addresses/domains would go a long 
>way to seeing if they were at least all or mainly genuine WHOIS requests.  

     I remain resolutely opposed to any exit content snooping.  Nevertheless,
this does bring up something I forgot in my earlier follow-ups tonight.
Because my exit policy so severely limits port 80 (http) exits, I have no
usable statistics to give me an idea of the relative frequencies of port 43
or port 443 exits to port 80 exits.  If you are running an exit node that
allows unrestricted exits to all three of these ports, I would very much like
to see your numbers.

                                  Scott Bennett, Comm. ASMELG, CFIAG
* Internet:       bennett at cs.niu.edu                              *
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
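The two numbers asked for in this thread (Roger's mean/median bytes per port 43 connection, and Scott's relative frequency of port 43, 80 and 443 exits) can be derived from per-stream metadata alone, without looking at payloads. The following is an added example, not code from Tor or from any poster: it takes constructed (destination port, bytes) records, aggregates them per port, and estimates how much of the traffic a candidate `reject *:43` exit policy would remove. The `accept`/`reject *:PORT` parsing and the fall-through default are simplifying assumptions of this example, not Tor's full ExitPolicy grammar.

```python
"""Per-port exit stream statistics and exit-policy impact (added example)."""
from collections import defaultdict
from statistics import mean, median

# Constructed sample: one (dst_port, bytes_relayed) pair per exit stream.
# Port 43 has many tiny streams and one huge outlier, which is exactly the
# case where mean and median disagree about what "port 43 traffic" means.
SAMPLE_STREAMS = [
    (43, 1200), (43, 900), (43, 52_000_000), (43, 1100), (43, 1000),
    (80, 48_000), (80, 120_000), (80, 64_000),
    (443, 95_000), (443, 210_000),
]


def per_port_stats(streams):
    """Return {port: {count, mean, median, share}} using metadata only."""
    by_port = defaultdict(list)
    for port, nbytes in streams:
        by_port[port].append(nbytes)
    total_bytes = sum(n for _, n in streams)
    return {
        port: {
            "count": len(sizes),
            "mean": mean(sizes),
            "median": median(sizes),
            "share": sum(sizes) / total_bytes,   # fraction of all bytes
        }
        for port, sizes in by_port.items()
    }


def parse_policy(lines):
    """Parse 'accept *:PORT' / 'reject *:PORT' lines into (accept?, port).
    Only wildcard addresses are handled; port '*' matches every port."""
    rules = []
    for line in lines:
        action, target = line.split()
        port = target.rsplit(":", 1)[1]
        rules.append((action == "accept", None if port == "*" else int(port)))
    return rules


def port_allowed(rules, port):
    """First matching rule wins; assumed default is accept if none matches."""
    for accept, rule_port in rules:
        if rule_port is None or rule_port == port:
            return accept
    return True


def policy_impact(streams, rules):
    """Fraction of streams and of bytes the policy would reject."""
    rejected = [n for p, n in streams if not port_allowed(rules, p)]
    total_bytes = sum(n for _, n in streams)
    return len(rejected) / len(streams), sum(rejected) / total_bytes
```

With the sample above, port 43 accounts for half the streams and about 99% of the bytes, yet its median stream is only 1100 bytes; the byte share, not the connection count, is what decides whether a `reject *:43` rule would cut traffic by anything like 70%.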
