Hi Scott, Got a couple of questions.

- Have you looked deeper into the requests for port 43, using tcpdump or Wireshark?
- Do you KNOW that it is a WHOIS request, not OpenVPN or something else running on the WHOIS port?
- Have you logged what IPs are being connected to?

I'm just curious, as it seems really odd to me that so many WHOIS requests are going through Tor. I'm almost curious enough to run an exit node now just to see what might be going on.

- Kyle

On Fri, Jun 12, 2009 at 12:29 AM, Scott Bennett <[email protected]> wrote:
> A bit over a month ago, I posted here some exit statistics by port number.
> One major oddity among them was the count of port 43 (whois) exits, which
> seemed extraordinarily large, especially in relation to the counts for other,
> more expectedly popular port numbers. Some of the comments I got in response
> gave me an idea. In what follows here, keep in mind that the second most
> frequently occurring exit port number in the statistics previously reported
> was 443 (https), and that the count of port 43 exits was in the millions when
> the count of port 443 exits was several hundred thousand. It is important to
> note that my node's exit policy regarding port 80 (http) is highly restrictive,
> resulting in very low exit counts for that port. Keeping that in mind, the
> exit counts for almost all other ports were not and are not similarly
> restricted.
>
> I replaced the "ExitPolicy accept *:43" in my torrc file with the following:
>
> ###---Limited list of allowed whois exit addresses
> ExitPolicy accept 192.103.19.12:43     # whois access to whois.6bone.net
> ExitPolicy accept 192.149.252.44:43    # whois access to whois.arin.net
> ExitPolicy accept 193.0.0.135:43       # whois access to whois.ripe.net
> ExitPolicy accept 194.85.119.77:43     # whois access to whois.ripn.net
> ExitPolicy accept 196.216.2.1:43       # whois access to whois.afrinic.net
> ExitPolicy accept 198.108.0.18:43      # whois access to whois.ra{,db}.net
> ExitPolicy accept 199.7.51.74:43       # whois access to whois.crsnic.net
> ExitPolicy accept 199.7.55.74:43       # whois access to whois.internic.net
> ExitPolicy accept 199.43.0.144:43      # whois access to whois.arin.net
> ExitPolicy accept 200.160.2.3:43       # whois access to whois.registro.br
> ExitPolicy accept 200.160.2.15:43      # whois access to whois.lacnic.net
> ExitPolicy accept 202.12.29.13:43      # whois access to whois.apnic.net
> ExitPolicy accept 202.30.50.120:43     # whois access to whois.krnic.net
> ExitPolicy accept 205.178.188.12:43    # whois access to whois.networksolutions.com
> ExitPolicy accept 206.51.224.229:43    # whois access to whois.nic.gov
> ExitPolicy accept 208.77.188.18:43     # whois access to whois.icann.org
> ExitPolicy accept 208.77.188.87:43     # whois access to whois.iana.org
> ExitPolicy reject *:43                 # nicname whois
> ###---End of whois exit policy specifications
>
> The relationship now between the exit counts for ports 43 and 443 in the
> last few days since I switched to 0.2.1.15-rc with Nick's patch applied looks
> like this:
>
>     439 Exit to port 43
>   72052 Exit to port 443
>
> In other words, by restricting just port 43 exits to only the legitimate whois
> IP addresses, I eliminated at least 70% of *all* exits through my tor node,
> which suggests to me that the vast, overwhelming majority of exits from the
> tor network are illegitimate and place a terribly taxing load upon the tor
> network as a whole. This apparent fact, in turn, suggests that if a) all
> tor nodes with an explicit exit policy were to restrict port 443 exits to
> just the legitimate port 43 IP addresses and b) the tor default exit policy
> did the same, a huge and illegitimate load would be lifted from the tor network
> overall. If no relays offer exits to port 43 that don't go to the NICs' whois
> servers, well over half of all tor exits, which are illegitimate and
> undeserving of service in the first place, will be eliminated (not counting
> typical port 80 (http) traffic, of course).
>
> Because my node's exit policy for port 80 (http) is not wide open, it is
> hard for me to estimate the relative importance of bogus port 43 requests
> w.r.t. legitimate port 80 (http) requests. Because of my node's limited port
> 80 exit policy, I would be *very* interested in seeing exit counts for nodes
> with unrestricted exit policies for the combination of ports 43, 80, and 443
> in order to get a better idea of their relative importances.
>
> Nevertheless, the impact of eliminating those exit opportunities can be
> expected to be quite significant in terms of performance of the network
> overall, particularly because circuits will not need to be built in the first
> place for such requests. If even a few relays continue to offer unrestricted
> exits for port 43, they will get so badly hammered by all the bogus exit
> requests that they will cease to be important to normal operations of the tor
> network until such time as they may modify their exit policies to be more in
> tune with valid use of the tor network, rather than use by some sort of port
> scanner or whatever junk software is currently consuming so much of the tor
> network's resources, except to the extent that such non-conforming nodes would
> be incurring the cost of the circuits to reach them for the exit service.
>
> Please note also that changing the default exit policy and most tor nodes'
> explicit exit policies to the above specification would not prevent tor exit
> node operators from adding other legitimate whois servers' IP addresses to
> their exit policies.
>
> Therefore, I encourage all tor exit node operators to make the above
> described change to the exit policies of their exit nodes. (Feel free to copy
> and paste.) I further suggest that the default exit policy for tor be modified
> in all future releases of both the stable and development branches of tor to
> have the exit policy for port 43 shown above, as modified from time to time as
> the NICs' whois server addresses may change.
>
> Comments are both welcome and encouraged.
>
>
>                                   Scott Bennett, Comm. ASMELG, CFIAG
> **********************************************************************
> * Internet:       bennett at cs.niu.edu                              *
> *--------------------------------------------------------------------*
> * "A well regulated and disciplined militia, is at all times a good  *
> * objection to the introduction of that bane of all free governments *
> * -- a standing army."                                               *
> *    -- Gov. John Hancock, New York Journal, 28 January 1790         *
> **********************************************************************
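To see how the quoted torrc fragment behaves, here is an added example (not Tor's own code, and not part of this thread) that models Tor's first-match-wins evaluation of `ExitPolicy` lines for IPv4 `ADDR[/MASK][:PORT]` targets and the `*` wildcard, then tallies a constructed batch of exit requests against a subset of the whois policy; treating an unmatched request as "unmatched" rather than applying Tor's default policy is an assumption of the model.

```python
"""Model of Tor ExitPolicy evaluation: lines are checked in order and the
first matching line decides. Added example, not Tor's implementation."""
import ipaddress
from collections import Counter

# Constructed sample: three of the quoted whois accept lines, the closing
# reject for port 43, and an accept-all for 443 to show ordering.
SAMPLE_POLICY = """
ExitPolicy accept 192.149.252.44:43   # whois access to whois.arin.net
ExitPolicy accept 193.0.0.135:43      # whois access to whois.ripe.net
ExitPolicy accept 199.43.0.144:43     # whois access to whois.arin.net
ExitPolicy reject *:43                # nicname whois
ExitPolicy accept *:443
"""


def parse_policy(text):
    """Return [(action, network_or_None, low_port, high_port), ...]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "ExitPolicy":             # tolerate the torrc keyword
            parts = parts[1:]
        action, target = parts[0], parts[1]
        if action not in ("accept", "reject"):
            raise ValueError(f"unknown action in {raw!r}")
        addr, sep, port = target.rpartition(":")  # IPv4 only in this model
        if not sep:                              # no port given -> any port
            addr, port = target, "*"
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if port == "*":
            lo, hi = 1, 65535
        elif "-" in port:
            lo, hi = (int(p) for p in port.split("-", 1))
        else:
            lo = hi = int(port)
        rules.append((action, net, lo, hi))
    return rules


def exit_allowed(rules, ip, port):
    """True/False from the first matching rule; None if no rule matched."""
    ip_obj = ipaddress.ip_address(ip)
    for action, net, lo, hi in rules:
        if (net is None or ip_obj in net) and lo <= port <= hi:
            return action == "accept"
    return None


def tally(rules, requests):
    """Count verdicts per destination port for (ip, port) exit requests."""
    label = {True: "accept", False: "reject", None: "unmatched"}
    counts = Counter((port, label[exit_allowed(rules, ip, port)])
                     for ip, port in requests)
    return dict(counts)
```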

