eliminating bogus port 43 exits

Alexander Cherepanov cherepan at mccme.ru
Mon Jun 15 17:26:05 UTC 2009

Hello, Scott!
You wrote to "Alexander Cherepanov" <cherepan at mccme.ru>, or-talk at freehaven.net on Mon, 15 Jun 2009 02:43:49 -0500 (CDT):

>>> Having a set of standard port numbers at which
>>> one may expect to access standard services is valuable,
>>Sure it is valuable but AFAIU tor is not there to bring order back to
>      That is true, but did anyone say that that was tor's purpose?  I don't
> recall ever seeing such a proposition before on this list or anywhere else,
> for that matter.

I just want to say that ports should not be blocked before there is 
hard data about the nature of the problem.

>      To recap a moment, I'll point out that when I originally posted some
> exit statistics here in late April or early May covering about 60 days of
> operation, the exit count for port 43 was huge in comparison to the counts
> for all other ports and even in comparison to the total count for all other
> ports combined.  It seemed to me a bit weird, so I asked the list for any
> thoughts people might have as to how to explain the high port 43 count.
> The responses I remember seeing at the time suggested that it was not due,
> in fact, to whois traffic, but more likely to port scanners or other malware
> operations.  The port scanner explanation struck me as rather weak at that
> time because the other wide open ports didn't show numbers of that magnitude
> except for port 443, and the port 443 exit counts seemed eminently reasonable.

I don't see how port scanning can be responsible for such 
disproportinal use of port 43. 

My guess is that it's whois traffic. Maybe someone tries to rip whois 
database for some reason. Or some public whois lookup service routes 
their requests through tor. Or phishers search for good domains. Or 
malware fighters try to find Conficker domains. Who knows...

>      I have proceeded since then on the premise that most of the port 43 exit
> traffic was not, in fact, whois traffic.  I do want to provide service to
> whois traffic on port 43, but not to other traffic using that port because
> such traffic places an a heavy burden on the tor network and is most likely
> for unpleasant purposes, according to the responses on the list.  Thinking

Suppose someone wants to bypass request rate/ip limit of whois 
services. Should it be blocked, in your opinion?

> that I could come up with a list of whois server IP addresses, I decided to
> limit port 43 exits to just such a list.  Any whois traffic using other port
> numbers would simply have to deal with whatever exit policy applied to the
> port number chosen for it.  I figured that the vast majority of whois traffic
> would use port 43, so any that didn't wasn't something I should worry about
> extensively.  So I tried it, and lo and behold, the port 43 exit count dropped
> to levels that I could believe were really representative of actual whois
> traffic.

This is interesting because it refutes that it was whois traffic 
originally. But without ccTLD it's hard to say.

IMHO at least destination ip addresses should be analyzed. I don't run 
tor node so cannot help here, sorry.

>      Then a couple of days ago after I posted information about new results,
> it was pointed out that I had missed a large number of official whois servers.
> So I went back and added their addresses.  Unfortunately, was not
> able to publish its descriptor bearing the additional exit policy information,
> so for the time being, I've simply closed port 43 to exits through my relay.
> Whenever I'm informed that the bug has been fixed, I'll try again.

Quick stat from my cached-descriptors.

Total number of routers -- 1747.
Number of routers with policy "reject *:*" -- 742.
Other router are as follows:

  policy          #       lines   lines/#         max     max2
  whitelist        708    14806   20.91           621     36
  blacklist        297     4733   15.94           315     52
  total           1005    19539   19.44

Whitelist policy is a the one ending with "accept *:*". Blacklist 
policy is the one ending with "reject *:*".

There are two outstanding routers. First, che with 621 lines of policy 
containing a long list of banned ips. Second, your MYCROFTsOtherChild 
with 315 lines of policy. All other exit routers have exit policy with 
<=52 lines with the average of about 20 lines.

Just some food for thought.

>>P.S. There is neither X-Mailer nor User-Agent headers in your mails. 
>>That's cool but missing In-Reply-To and References is annoying. Do you 
>>use some email sanitizing software or just hardened MUA? If it's not a 
>>secret of course:-)
>      mailx(1).

Hm, I have just tried mailx on FreeBSD 7.0 and it adds In-Reply-To:
header to replies. heirloom-mailx does it since 2001. So is it a 
problem with your setup, additional hardening or what?
But please fix it anyway.

And while we at it, please don't send me personal copies of your 
answers, sending it to the list is enough. According to 
http://archives.seul.org/or/talk/ , "you cannot post to the mailing 
list unless you subscribe first". So everybody you are answering on 
this list will get your reply through the list.

Alexander Cherepanov

More information about the tor-talk mailing list