grarpamp wrote:
> One person's legit is another's bogus. It's always been that way.
> Other than routing, the use of the internet is partly chaos and
> it's not changing any time soon. "Packets found on an internet",
> they exist, therefore they are, deal with it. So let's forget about
> this port number legitimacy thing.
>
> Further, some of us are real world network operators. We routinely
> sniff and record traffic as part of our jobs. In fact, if we did
> not, we would be very ineffective in our positions. Sniff if you
> want, don't if you don't. So we can also throw this argument out
> the window as to each their own.
>
> What we really want to know as network operators is what exactly
> IS going on in this case. And a simple count of SYNs is not enough
> for some operators to make a decision regarding their rulesets.
>
> Because for all they know, that traffic may indeed be diplomatic
> communications with the Borg that are keeping our planet from being
> assimilated. And well, unless you're Borg, or wish to become one,
> that's pretty legitimate :)
>
> Sniff that thing out, bring the full stats, write a whitepaper.
> Operators will look at it and make their own choices.
>
> Storing/grokking a day's worth of tcp/43 sessions to find what percent
> of them have whois strings should be easy. As should tallying up
> the top ten whois queries and a distribution curve. That could help
> determine if it's some clients gone haywire or normal. Though
> somewhat like a ping someone left running, over Tor you'd just have
> to wait it out. Classifying and counting the non-whois sessions
> would be harder but definitely interesting.
>
> If I was running an exit I would have already done and posted this
> for you all, but I'm not at the moment, so I can't. I yield the
> podium to my esteemed and valued peers on this list :)

I cannot agree. Sniffing the traffic at the exit node actually does jeopardize the reason people are using this software in the first place.
Jon

