eliminating bogus port 43 exits

Jon scream at nonvocalscream.com
Sat Jun 13 20:58:25 UTC 2009

Ted Smith wrote:
> On Sat, 2009-06-13 at 13:48 -0600, Jon wrote:
>> grarpamp wrote:
>>> One person's legit is another's bogus. It's always been that way.
>>> Other than routing, the use of the internet is partly chaos and
>>> it's not changing any time soon. "Packets found on an internet",
>>> they exist, therefore they are, deal with it. So let's forget about
>>> this port number legitimacy thing.
>>> Further, some of us are real world network operators. We routinely
>>> sniff and record traffic as part of our jobs. In fact, if we did
>>> not, we would be very ineffective in our positions. Sniff if you
>>> want, don't if you don't. So we can also throw this argument out
>>> the window as to each their own.
>>> What we really want to know as network operators is what exactly
>>> IS going on in this case. And a simple count of SYN's is not enough
>>> for some operators to make a decision regarding their rulesets.
>>> Because for all they know, that traffic may indeed be diplomatic
>>> communications with the Borg that are keeping our planet from being
>>> assimilated. And well, unless you're Borg, or wish to become one,
>>> that's pretty legitimate :)
>>> Sniff that thing out, bring the full stats, write a whitepaper.
>>> Operators will look at it and make their own choices.
>>> Storing/grokking a days worth of tcp/43 sessions to find what percent
>>> of them have whois strings should be easy. As should tallying up
>>> the top ten whois queries and a distribution curve. That could help
>>> determine if it's some clients gone haywire or normal. Though
>>> somewhat like a ping someone left running, over Tor you'd just have
>>> to wait it out. Classifying and counting the non whois sessions
>>> would be harder but definitely interesting.
>>> If I was running an exit I would have already done and posted this
>>> for you all, but I'm not at the moment, so I can't. I yield the
>>> podium to my esteemed and valued peers on this list :)
>> I can not agree.  Sniffing the traffic at the exit node actually does
>> jeopardize the reason people are using this software in the first place.
>> Jon
> My understanding is that the Tor network provides some measure of
> *anonymity* regardless of whether the exit node listens to traffic.
> Certainly the reason for using Tor is not to magically protect your
> traffic from ever being eavesdropped upon -- only end-to-end crypto can
> do that.
> Is this false? I ask out of genuine concern, because if exit nodes have
> to be trusted not to snoop on data for Tor to work properly (providing
> anonymity), Tor is not what I thought it was.
The Tor network cannot encrypt data leaving the edge of Tor.  That is
to say, once data has left its last hop, towards the site (or
service), the data is in the clear.  There is no way for Tor to
magically protect your data from eavesdropping.  I am, however,
attempting to discourage eavesdropping by operators.

Just because you can do something does not always mean you should, is
my thought.  We should also encourage end-to-end encryption.
