--- On Thu, 4/16/09, Scott Bennett <[email protected]> wrote:
> >There are plenty of other ports to do this on, though -
> >many of them far more common than 1080 (and SOCKS) nowadays.
> >
>      Right.  I think I'll hold off a bit longer to see what other comments
> people may make here before I close that port.
>      BTW, I am still very interested in reading any comments people may have
> regarding patterns or anything else they notice in the exit counts that I
> posted here.  I looked for the most obvious stuff, but there may be other
> weirder stuff going on involving port numbers that had fewer, yet still
> significant numbers of, exits.
My guess is that this wide range of used ports is caused by port scanners.
The reason, IMHO, that they have seemingly different (read: random) usage counts 
is that the Tor network chooses exit points on its own, and thus some 
probes from the same origin are being directed at other exit points rather than 
all at yours.
These port probes/scans don't all necessarily have to be ill-minded, because 
some users might just as well have probed their own machines to check their 
security.
You might get better arguments for your decision if you could 
correlate the port usage with client requests.
That way you could see if they are indeed port-range probes.
Normally you would log IP numbers, but with the Tor network as the origin that is 
kind of out of the question.
I'm not sure if you can somehow intercept the Tor client ID, or whatever the 
unique thing that originated the connection is called.
IMHO, it's a rather bad decision to allow _all_ ports to be used for exit.
A better one would be, again IMHO, to open a list of ports used by "normal use of 
the Tor network" and block the rest.
By "normal use of the Tor network" I mean: the software that people who use 
this network with non-ill intentions use.
Or, if you reverse the idea, you get: the software that people with 
ill intentions would most likely use (and block those ports).
For me personally, the ports that all exit points should allow are (IMHO):
Web (80, 443), POP3 (*), NNTP (*), DNS (53), Torrent (default 6881), FTP (20/21).
(*) These are a gray area IMHO, because over the Tor network they are more likely 
used with "ill" than with "non-ill" intentions.
An example of why I don't list other ports, like telnet:
If a user uses telnet to connect to some machine, his/her identity is normally 
known on that machine (otherwise that user would not have a telnet account), thus 
eliminating the need to connect using the Tor network.
When you apply that logic to any port you want to open or close, you will come to 
good reasons why to open or close it.

(Whoa, sometimes I have to restrain myself when thinking aloud in text.)

Anyway gl.
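The two ideas in the reply above, correlating per-client port usage to tell a
port-range sweep from ordinary traffic and then expressing an allow-list as an
exit policy, as an added worked example. This is not code from the thread or
from the Tor project. It assumes a constructed log format of the form
"<unix_time> circ=<circuit id> port=<destination port>" keyed by a per-circuit
identifier (an exit relay never sees the client's IP, and a real relay would
need custom logging to emit anything like these lines); the sample records are
made up for the example.

```python
"""Added example (not from the thread or from Tor): flag port-range probes in
per-circuit exit records, and render an allow-list as torrc ExitPolicy lines.

Assumptions not in the original post: records are keyed by a per-circuit id
instead of a client IP, and the log format below is constructed for this
example.
"""
from collections import defaultdict

# Constructed sample records: "<unix_time> circ=<id> port=<dest port>"
SAMPLE_LOG = """\
1239868800 circ=A1 port=80
1239868801 circ=A1 port=443
1239868802 circ=B7 port=21
1239868802 circ=B7 port=22
1239868803 circ=B7 port=23
1239868803 circ=B7 port=25
1239868804 circ=B7 port=26
1239868804 circ=B7 port=27
1239868805 circ=C3 port=80
1239868806 circ=D9 port=6881
1239868806 circ=D9 port=51413
1239868807 circ=D9 port=6969
1239868807 circ=D9 port=443
"""


def parse_log(text):
    """Return a list of (timestamp, circuit_id, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, circ, port = line.split()
        records.append((int(ts), circ.split("=", 1)[1], int(port.split("=", 1)[1])))
    return records


def port_histogram(records):
    """Exits per destination port: the kind of raw count the thread started from."""
    hist = defaultdict(int)
    for _, _, port in records:
        hist[port] += 1
    return dict(hist)


def probing_circuits(records, min_ports=4, window=60, max_gap=2):
    """Circuits that hit at least min_ports distinct ports within `window`
    seconds, with neighbouring ports (sorted) no more than max_gap apart.
    That is what a range sweep looks like; a client talking to a handful of
    unrelated services does not pass the gap test.  Returns {circuit: ports}."""
    by_circ = defaultdict(list)
    for ts, circ, port in records:
        by_circ[circ].append((ts, port))
    flagged = {}
    for circ, hits in by_circ.items():
        ports = sorted({p for _, p in hits})
        if len(ports) < min_ports:
            continue
        times = [t for t, _ in hits]
        if max(times) - min(times) > window:
            continue
        if all(b - a <= max_gap for a, b in zip(ports, ports[1:])):
            flagged[circ] = ports
    return flagged


def exit_policy(allowed):
    """Render an allow-list as torrc ExitPolicy lines: accept the listed ports
    (ints or (low, high) range tuples), reject everything else."""
    lines = []
    for item in allowed:
        if isinstance(item, tuple):
            lines.append("ExitPolicy accept *:%d-%d" % item)
        else:
            lines.append("ExitPolicy accept *:%d" % item)
    lines.append("ExitPolicy reject *:*")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(sorted(port_histogram(recs).items()))
    print(probing_circuits(recs))
    print(exit_policy([80, 443, 53, (20, 21), 6881]))
```

On the sample, only circuit B7 (a walk over 21 to 27) is flagged; D9 touches
four ports too, but they are scattered, which is what a BitTorrent client
talking to several peers looks like. The thresholds are guesses to be tuned
against a relay's own traffic, and a user sweeping their own host for a
security check will trip the same heuristic, which is the "not necessarily
ill-minded" caveat from the reply.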