[tor-talk] Problematic ORPorts

Mick mbm at rlogin.net
Sat Jun 7 19:22:28 UTC 2014


On 7 June 2014 10:14:20 GMT+01:00, Roman Mamedov <rm at romanrm.net> wrote:
>Hello,
>
>Recently on this mailing list and on tor-relays there have been some
>cases when relay nodes using standard ports commonly used for other
>services as their ORPort cause issues with ISPs of someone else running
>a relay.
>
>Notably once a relay on port 53 has triggered a "high DNS traffic
>anomaly" IDS warning from the provider and almost(?) had the user's
>account terminated. DNS port 53 is commonly used for DNS reflection
>DDoS attacks, and apparently now ISPs have deployed measures to detect
>(and misdetect) these.
>
>In one more case a relay on port 22 had the user suspicious that SSH
>brute-forcing may be going on.
>
>And finally an ISP has suspended a relay node VPS of someone I know on
>a suspicion of "having been hacked"; there was no further information
>on the basis of such suspicion, but thinking about it, it's entirely
>plausible that many outgoing connections to port 22 could have been the
>trigger.
>
>Large amounts of traffic and a high count of open connections to these
>ports are now one (and perhaps the first) case when running a non-exit
>relay *may* get you in trouble with your provider.
>
>So my idea is, maybe consider making directory authorities blacklist
>some ports as being unacceptable as ORPorts; 22 and 53 come to mind for
>a start, along with maybe 25 to avoid false alarms from anti-spam
>countermeasures.

+1 that makes sense to me.


-- 
Sent from a mobile device. 
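The check Roman proposes (reject ORPorts on 22, 53 and 25) can be run today by any relay operator or directory-mirror admin against a consensus, without waiting for the authorities to enforce it. The script below is an added example written for this archive page; it is not code from the thread, from Tor, or from either poster. It parses the router-status "r" lines (nickname, identity, digest, date, time, IPv4 address, ORPort, DirPort) and the IPv6 "a" lines ("[addr]:port") of a network-status consensus as documented in Tor's dir-spec, and reports relays whose ORPort falls on a port in the denylist. The consensus text, relay names, addresses and digest placeholders are constructed for the example; a real consensus is fetched from a directory authority or cache at /tor/status-vote/current/consensus. The torrc helper at the end is the same check turned around for an operator reading their own config.

```python
"""Flag Tor relays whose ORPort sits on a well-known service port.

Added example for the tor-talk "Problematic ORPorts" thread; not Tor
project code. Parses consensus "r" and "a" lines and a torrc ORPort
line, and reports ports that ISP abuse detection tends to misread
(SSH brute force, DNS reflection, spam).
"""

# Ports named in the thread; extend as needed (assumption, not a Tor policy).
PROBLEMATIC_ORPORTS = {22: "SSH", 25: "SMTP", 53: "DNS"}

# Constructed consensus excerpt: identity/digest fields are placeholder
# base64, addresses are documentation ranges. Real files are far larger.
SAMPLE_CONSENSUS = """\
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2014-06-07 09:00:00 192.0.2.10 9001 9030
s Fast Running Valid
r relayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2014-06-07 09:05:00 198.51.100.20 53 0
a [2001:db8::20]:443
s Fast Running Stable Valid
r relayC EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2014-06-07 09:10:00 203.0.113.30 443 80
a [2001:db8::30]:22
s Fast Running Valid
"""


def parse_consensus(text):
    """Return (nickname, address, orport) for every ORPort announced in a consensus.

    "r" lines carry the IPv4 ORPort; a following "a" line (if any) carries an
    additional IPv6 ORPort for the same relay, so a relay may yield two tuples.
    """
    relays = []
    nick = None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "r" and len(fields) >= 9:
            nick = fields[1]
            relays.append((nick, fields[6], int(fields[7])))
        elif fields[0] == "a" and nick is not None and len(fields) >= 2:
            # "[2001:db8::20]:443" -> address "[2001:db8::20]", port "443"
            addr, _, port = fields[1].rpartition(":")
            relays.append((nick, addr.strip("[]"), int(port)))
    return relays


def flag_problematic(relays, denylist=PROBLEMATIC_ORPORTS):
    """Return (nickname, address, port, service) for ORPorts on a denylisted port."""
    return [
        (nick, addr, port, denylist[port])
        for nick, addr, port in relays
        if port in denylist
    ]


def torrc_orport(line):
    """Return the port from a torrc 'ORPort' line, or None for 'auto' / unparseable.

    Accepts the forms 'ORPort 9001', 'ORPort 0.0.0.0:53' and
    'ORPort [::]:443 IPv6Only'; any trailing flags are ignored.
    """
    fields = line.split()
    if len(fields) < 2 or fields[0].lower() != "orport":
        return None
    spec = fields[1]
    port = spec.rpartition(":")[2] if ":" in spec else spec
    return int(port) if port.isdigit() else None


if __name__ == "__main__":
    for nick, addr, port, service in flag_problematic(parse_consensus(SAMPLE_CONSENSUS)):
        print(f"{nick} announces ORPort {addr}:{port} ({service}); expect ISP false positives")
    p = torrc_orport("ORPort 0.0.0.0:53")
    if p in PROBLEMATIC_ORPORTS:
        print(f"torrc ORPort {p} is {PROBLEMATIC_ORPORTS[p]}; pick 9001 or 443 instead")
```

Two practical notes: the check has to look at "a" lines too, since an operator with a clean IPv4 ORPort can still announce an IPv6 ORPort on 22 or 53; and whatever the authorities decide, a non-exit relay's peers will keep connecting to its ORPort, so the operator of a relay on such a port, not its peers, is the one who can make the complaints stop by changing the port.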

