Date: Sat, 7 Jun 2014 15:14:20 +0600
From: Roman Mamedov <rm@romanrm.net>
To: tor-talk@lists.torproject.org
Message-ID: <20140607151420.6cde8acd@natsu>
X-Mailer: Claws Mail 3.8.1 (GTK+ 2.24.10; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Subject: [tor-talk] Problematic ORPorts
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>

Hello,

Recently on this mailing list and on tor-relays there have been some cases
when relay nodes using standard ports commonly used for other services as
their ORPort cause issues with ISPs of someone else running a relay.

Notably, once a relay on port 53 triggered a "high DNS traffic anomaly" IDS
warning from the provider and almost(?) had the user's account terminated. DNS
port 53 is commonly used for DNS reflection DDoS attacks, and apparently now
ISPs have deployed measures to detect (and misdetect) these.

In one more case a relay on port 22 made the user suspicious that SSH
brute-forcing may be going on.

And finally an ISP has suspended the relay node VPS of someone I know on
suspicion of it "having been hacked"; there was no further information on the
basis for such suspicion, but thinking about it, it's entirely plausible that
many outgoing connections to port 22 could have been the trigger.

Large amounts of traffic and a high count of open connections to these ports
are now one (and perhaps the first) case where running a non-exit relay *may*
get you in trouble with your provider.

So my idea is: maybe consider making directory authorities blacklist some
ports as unacceptable for use as ORPorts. 22 and 53 come to mind for a start,
along with maybe 25 to avoid false alarms from anti-spam countermeasures.

-- 
With respect,
Roman

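As an added example (not code from the original post, and not part of Tor), a small lint that scans a torrc for the ORPorts named in the post; the torrc `ORPort [address:]PORT|auto [flags]` syntax and the `NoAdvertise` flag are real, while the port set, reasons and function names are my own constructs.

```python
# Added example (not from the post or the Tor project): lint a torrc for the
# ORPorts the post says draw ISP attention.  The torrc ORPort syntax is real
# ([address:]PORT|auto [flags]); the port set and function names are mine.
import re

# Ports named in the post and the way an ISP tends to read traffic on them.
PROBLEMATIC_ORPORTS = {
    22: "looks like SSH brute-forcing",
    53: "looks like DNS reflection DDoS traffic",
    25: "trips anti-spam countermeasures",
}

# Option names in torrc are case-insensitive; group 1 = value, group 2 = flags.
_ORPORT_RE = re.compile(r"^\s*ORPort\s+(\S+)(?:\s+(.*))?$", re.IGNORECASE)


def parse_orport(value):
    """Port from 'PORT', 'IPv4:PORT' or '[IPv6]:PORT'; None for 'auto'."""
    if value.lower() == "auto":
        return None
    port = int(value.rsplit(":", 1)[-1])  # the text after the last ':'
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %r" % value)
    return port


def lint_torrc(text):
    """Return [(line_no, port, reason)] for advertised ORPorts on the list.

    NoAdvertise ports never reach the consensus, so a directory-authority
    blacklist would not see them either; they are skipped here as well."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = _ORPORT_RE.match(line.split("#", 1)[0].rstrip())  # drop comments
        if not m:
            continue
        flags = (m.group(2) or "").lower().split()
        if "noadvertise" in flags:
            continue
        port = parse_orport(m.group(1))
        if port in PROBLEMATIC_ORPORTS:
            findings.append((no, port, PROBLEMATIC_ORPORTS[port]))
    return findings


# Constructed sample torrc, not a real relay's configuration.
SAMPLE_TORRC = """\
Nickname ExampleRelay
ORPort 53                        # advertised on the DNS port
ORPort [::]:22 IPv6Only          # advertised on the SSH port
ORPort 127.0.0.1:25 NoAdvertise  # local only, never in the consensus
ORPort 9001
"""
```

Running `lint_torrc(SAMPLE_TORRC)` reports lines 2 and 3 only: the NoAdvertise port 25 is never published, and 9001 is not on the list.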

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
