eliminating bogus port 43 exits

Scott Bennett bennett at cs.niu.edu
Mon Jun 15 07:43:49 UTC 2009

     On Sun, 14 Jun 2009 14:42:16 +0400 "Alexander Cherepanov"
<cherepan at mccme.ru> wrote:
>You wrote to or-talk at seul.org, scream at nonvocalscream.com on Sun, 14 Jun 2009 01:15:43 -0500 (CDT):
>>      Now, another person on this list has argued that the RFC's should be
>> ignored and that IANA should be ignored.  I remain unconvinced that doing
>> either would be a good idea.
>The main discord here seems to arise from totally different approaches 
>to the question. You are building a whitelist while default tor exit 
>policy is a blacklist. IMHO it's hard to constructively discuss amending 
>blacklist from whitelist POV.

     Actually, the default policy does neither.  It simply allows exits to
most ports and blocks exits to a few.  IIRC, vidalia takes a different
approach, defaulting to a relay-only configuration.
>> Having a set of standard port numbers at which
>> one may expect to access standard services is valuable,
>Sure it is valuable but AFAIU tor is not there to bring order back to

     That is true, but did anyone say that that was tor's purpose?  I don't
recall ever seeing such a proposition before on this list or anywhere else,
for that matter.
     To recap a moment, I'll point out that when I originally posted some
exit statistics here in late April or early May covering about 60 days of
operation, the exit count for port 43 was huge in comparison to the counts
for all other ports and even in comparison to the total count for all other
ports combined.  It seemed to me a bit weird, so I asked the list for any
thoughts people might have as to how to explain the high port 43 count.
The responses I remember seeing at the time suggested that it was not due,
in fact, to whois traffic, but more likely to port scanners or other malware
operations.  The port scanner explanation struck me as rather weak at that
time because the other wide open ports didn't show numbers of that magnitude
except for port 443, and the port 443 exit counts seemed eminently reasonable.
     I have proceeded since then on the premise that most of the port 43 exit
traffic was not, in fact, whois traffic.  I do want to provide service to
whois traffic on port 43, but not to other traffic using that port because
such traffic places a heavy burden on the tor network and is most likely
for unpleasant purposes, according to the responses on the list.  Thinking
that I could come up with a list of whois server IP addresses, I decided to
limit port 43 exits to just such a list.  Any whois traffic using other port
numbers would simply have to deal with whatever exit policy applied to the
port number chosen for it.  I figured that the vast majority of whois traffic
would use port 43, so any that didn't wasn't something I should worry about
extensively.  So I tried it, and lo and behold, the port 43 exit count dropped
to levels that I could believe were really representative of actual whois
     Then a couple of days ago after I posted information about new results,
it was pointed out that I had missed a large number of official whois servers.
So I went back and added their addresses.  Unfortunately, was not
able to publish its descriptor bearing the additional exit policy information,
so for the time being, I've simply closed port 43 to exits through my relay.
Whenever I'm informed that the bug has been fixed, I'll try again.
>P.S. There is neither X-Mailer nor User-Agent headers in your mails. 
>That's cool but missing In-Reply-To and References is annoying. Do you 
>use some email sanitizing software or just hardened MUA? If it's not a 
>secret of course:-)

                                  Scott Bennett, Comm. ASMELG, CFIAG
* Internet:       bennett at cs.niu.edu                              *
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
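
Added example, not part of the original post and not Tor's own code: a sketch of the port 43 allowlist described above, emitted as torrc ExitPolicy lines and checked with a first-match evaluator. The server addresses are constructed placeholders from the RFC 5737 documentation ranges, and the helper names are hypothetical; only IPv4 literals and single ports are handled.

```python
import ipaddress

# Constructed placeholders (RFC 5737 documentation ranges) standing in for a
# real list of whois server addresses, which the post does not give.
WHOIS_SERVERS = ["192.0.2.10", "198.51.100.0/28"]

def build_policy(whois_servers, port=43):
    """Emit ExitPolicy lines: listed servers accepted on `port`, then every
    other destination rejected on that port. Rules for other ports are left
    to whatever follows in torrc."""
    lines = [f"ExitPolicy accept {ipaddress.ip_network(s)}:{port}"
             for s in whois_servers]
    lines.append(f"ExitPolicy reject *:{port}")
    return lines

def parse_rule(line):
    """Split 'ExitPolicy ACTION ADDR:PORT' into (action, network, port).
    '*' becomes None, meaning 'matches anything'."""
    _, action, target = line.split()
    addr, _, port = target.rpartition(":")
    net = None if addr == "*" else ipaddress.ip_network(addr)
    return action, net, None if port == "*" else int(port)

def decide(policy_lines, dest_ip, dest_port):
    """Exit policies are evaluated first match wins. Returns 'accept',
    'reject', or None when no rule here matches and later rules decide."""
    ip = ipaddress.ip_address(dest_ip)
    for action, net, port in map(parse_rule, policy_lines):
        if (net is None or ip in net) and (port is None or port == dest_port):
            return action
    return None

if __name__ == "__main__":
    policy = build_policy(WHOIS_SERVERS)
    print("\n".join(policy))
    # Constructed sample destinations.
    for ip, port in [("192.0.2.10", 43), ("203.0.113.7", 43), ("192.0.2.10", 80)]:
        print(ip, port, decide(policy, ip, port))
    # Ordering pitfall: with the blanket reject first, the allowlist is dead.
    misordered = [policy[-1]] + policy[:-1]
    print("misordered:", decide(misordered, "192.0.2.10", 43))
```

Because the first matching rule wins, the accept lines must precede `reject *:43`; the misordered case at the end shows an allowlisted address being refused.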

More information about the tor-talk mailing list