eliminating bogus port 43 exits

Jon scream at nonvocalscream.com
Sat Jun 13 19:48:49 UTC 2009


grarpamp wrote:
> One person's legit is another's bogus. It's always been that way.
> Other than routing, the use of the internet is partly chaos and
> it's not changing any time soon. "Packets found on an internet",
> they exist, therefore they are, deal with it. So let's forget about
> this port number legitimacy thing.
>
> Further, some of us are real world network operators. We routinely
> sniff and record traffic as part of our jobs. In fact, if we did
> not, we would be very ineffective in our positions. Sniff if you
> want, don't if you don't. So we can also throw this argument out
> the window as to each their own.
>
> What we really want to know as network operators is what exactly
> IS going on in this case. And a simple count of SYNs is not enough
> for some operators to make a decision regarding their rulesets.
>
> Because for all they know, that traffic may indeed be diplomatic
> communications with the Borg that are keeping our planet from being
> assimilated. And well, unless you're Borg, or wish to become one,
> that's pretty legitimate :)
>
> Sniff that thing out, bring the full stats, write a whitepaper.
> Operators will look at it and make their own choices.
>
> Storing/grokking a day's worth of tcp/43 sessions to find what percent
> of them have whois strings should be easy. As should tallying up
> the top ten whois queries and a distribution curve. That could help
> determine if it's some clients gone haywire or normal. Though
> somewhat like a ping someone left running, over Tor you'd just have
> to wait it out. Classifying and counting the non whois sessions
> would be harder but definitely interesting.
>
> If I was running an exit I would have already done and posted this
> for you all, but I'm not at the moment, so I can't. I yield the
> podium to my esteemed and valued peers on this list :)
>   
I cannot agree.  Sniffing the traffic at the exit node actually does
jeopardize the reason people are using this software in the first place.

Jon


