On 7 June 2014 10:14:20 GMT+01:00, Roman Mamedov <[email protected]> wrote:
> Hello,
>
> Recently on this mailing list and on tor-relays there have been some
> cases when relay nodes using standard ports commonly used for other
> services as their ORPort cause issues with ISPs of someone else
> running a relay.
>
> Notably once a relay on port 53 has triggered "high DNS traffic
> anomaly" IDS warning from the provider and almost(?) had the user's
> account terminated. DNS port 53 is commonly used for DNS reflection
> DDoS attacks, and apparently now ISPs have deployed measures to
> detect (and misdetect) these.
>
> In one more case a relay on port 22 had the user suspicious that an
> SSH brute-forcing may be going on.
>
> And finally an ISP has suspended a relay node VPS of someone I know
> on a suspicion of "having been hacked"; there was no further
> information on the basis of such suspicion, but thinking about it,
> it's entirely plausible that many outgoing connections to port 22
> could have been the trigger.
>
> Large amounts of traffic and a high count of open connections to
> these ports is now one (and perhaps the first) case when running a
> non-exit relay *may* get you in trouble with your provider.
>
> So my idea is, maybe consider making directory authorities blacklist
> some ports as being unacceptable as ORPorts, 22 and 53 come to mind
> for a start, along with maybe 25 to avoid false alarms from anti-spam
> countermeasures.

+1 that makes sense to me.

--
Sent from a mobile device.
