eliminating bogus port 43 exits

Scott Bennett bennett at cs.niu.edu
Sat Jun 13 10:02:18 UTC 2009

     On Sat, 13 Jun 2009 10:46:26 +0200 Dominik Schaefer <schaedpq2 at gmx.de>
>On 12.06.09 09:29, Scott Bennett wrote:
>> This apparent fact, in turn, suggests that if a) all tor nodes with an
>> explicit exit policy were to restrict port 443 exits to just the legitimate
>> port 43 IP addresses and b) the tor default exit policy did the same, a
>> huge and illegitimate load would be lifted from the tor network overall. If
>> no relays offer exits to port 43 that don't go to the NICs' whois servers,
>> well over half of all tor exits, which are illegitimate and undeserving of
>> service in the first place, ...
>My comment is very basic and related to one somebody else already made, but
>IMHO it should not vanish in the discussion:
>What definition of 'illegitimate' do you use? Even if traffic to some port 43
>is not a request for a whois server, why should that be illegitimate?

     Because port 43 is a privileged, reserved port for that function.  There
are tens of thousands of unprivileged, unreserved ports available for use for
whatever anyone wants to do with them, subject only to the possibility that
there is no guarantee that any of those ports will remain unreserved.  Use of
privileged, reserved ports is fraught with risks from conflicts with the
officially allocated uses.  The uses for which some port numbers are reserved
are indeed the legitimate uses.  Certainly, there is nothing in TCP to prevent
any reserved port number from being used for a different purpose than that for
which the port is reserved, but it is unwise to do so in most cases.

>Transferring specific data to/from specific ports is (thanks <divine being of
>choice>) not compulsory. Many Tor nodes operate the OR port on 80 or 443, but
>clearly don't transfer HTTP traffic. Does that make it illegitimate traffic?

     In principle, yes.  However, many of us do choose to offer tor access at
those port numbers because the unreserved, unprivileged port numbers have been
unreasonably blocked by certain controlling agencies.  To the best of my
knowledge, there has been no such concerted effort to block services like
whois, rwhois, and so forth.  I suppose it is also worth noting that the whois
function is one of the basic functions used to call up information necessary
to proper maintenance of Internet operation, whereas something like tor is not.

>And if yes: would everyone operating a whois server have to register
>somewhere, so that the Tor developers/operators can include its IP into the
>(default) exit policy?

     Apparently not, although that would certainly make things more convenient.

>There may be people using port 43 for something 'illegitimate' (depending on
>definition), but you cannot deduce this from the fact that a large
>percentage of your port 43 traffic is not addressed to one of 43 IP addresses.

     Yes, I obviously forgot about the ccTLD whois servers.  I will attempt to
add those that are not already covered by the ones in the list I posted, and
when I have data based upon an exit policy that includes those servers, I will
post an update to the list.  I do not know offhand how to deal with the issue
of private/unofficial whois servers, except that I doubt we should worry about
providing access to them via tor.
     I still find it difficult to believe that there are so many genuine whois
requests being proxied through tor--note that the standard whois(1) does not
have a way to specify the use of a proxy, so something like proxychains(1) is
required in order to funnel whois requests through tor--that they so
dramatically outnumber https requests.  It's *just* *not* *credible*.  Without
solid evidence to the contrary, it would not be credible even if it did not
require that special efforts be made to trap and redirect the normal whois TCP
connections through tor, but that it does require that special effort makes the
notion even less believable.
     That having been said, the use of IP addresses of known, legitimate whois
servers is the only method that has occurred to me so far to allow genuine
whois requests to pass through the tor network while also excluding the high
volume of non-whois connections masquerading as whois connections.  This in no
way denies the problem of obtaining/maintaining a complete or accurate list
of real whois servers.

>Of course, everyone is free to restrict his Tor node as he likes, but calling
>for a default restriction is IMHO not justified without more information.

     More information is, of course, always a good idea and should be welcomed,
provided it is obtained by means that are both ethical and legal.  In fact, if
you're running an exit, would you be willing to provide some numbers regarding
the relative exit counts on your node for ports 43, 80, 443, and 4321?

                                  Scott Bennett, Comm. ASMELG, CFIAG
* Internet:       bennett at cs.niu.edu                              *
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
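The exit-policy approach argued above (accept port 43 only to a list of known whois server addresses, reject all other port 43 exits) can be checked with a small evaluator of Tor-style `accept`/`reject` rules. This is an added example, not code from the thread or from the Tor project; the whitelist uses documentation address ranges as constructed stand-ins for whois servers, the sample connections are constructed, and the evaluator assumes first-match-wins with an implicit reject when no rule matches.

```python
import ipaddress
from collections import Counter

# Constructed whitelist: documentation ranges standing in for whois server
# addresses (they are NOT real whois servers).
WHOIS_SERVERS = ["192.0.2.10", "198.51.100.0/24"]

def build_policy(whois_servers):
    """Tor-style policy: port 43 only to listed servers, then the usual rules."""
    rules = [f"accept {a}:43" for a in whois_servers]
    rules += ["reject *:43", "accept *:80", "accept *:443", "reject *:*"]
    return rules

def _parse_rule(rule):
    """Parse 'accept|reject ADDR:PORT' where ADDR is an IP, CIDR or '*'."""
    action, target = rule.split()
    addr, port = target.rsplit(":", 1)
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if port == "*":
        lo, hi = 0, 65535
    elif "-" in port:
        lo, hi = (int(p) for p in port.split("-"))
    else:
        lo = hi = int(port)
    return action, net, lo, hi

def is_exit_allowed(policy, dest_ip, dest_port):
    """First matching rule wins, as in Tor exit policies; no match => reject."""
    ip = ipaddress.ip_address(dest_ip)
    for rule in policy:
        action, net, lo, hi = _parse_rule(rule)
        if (net is None or ip in net) and lo <= dest_port <= hi:
            return action == "accept"
    return False

def tally_exits(policy, connections):
    """Count accepted vs rejected exit attempts per destination port."""
    counts = Counter()
    for ip, port in connections:
        verdict = "accepted" if is_exit_allowed(policy, ip, port) else "rejected"
        counts[(port, verdict)] += 1
    return counts

# Constructed sample of (destination ip, port) pairs at a hypothetical exit.
SAMPLE_CONNECTIONS = [("192.0.2.10", 43), ("198.51.100.7", 43), ("203.0.113.5", 43),
                      ("203.0.113.9", 43), ("203.0.113.5", 443), ("203.0.113.5", 80),
                      ("203.0.113.5", 4321)]

if __name__ == "__main__":
    for key, n in sorted(tally_exits(build_policy(WHOIS_SERVERS), SAMPLE_CONNECTIONS).items()):
        print(key, n)
```

The per-port accepted/rejected tally is the kind of count the message asks exit operators for, here computed over the constructed sample instead of real exit logs.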
