User-Agent: K-9 Mail for Android
In-Reply-To: <20140607151420.6cde8acd@natsu>
References: <20140607151420.6cde8acd@natsu>
MIME-Version: 1.0
From: Mick <mbm@rlogin.net>
Date: Sat, 07 Jun 2014 20:22:28 +0100
To: tor-talk@lists.torproject.org
Message-ID: <2eecf308-9057-4500-ac06-5c37a3a7d183@email.android.com>
Subject: Re: [tor-talk] Problematic ORPorts

On 7 June 2014 10:14:20 GMT+01:00, Roman Mamedov <rm@romanrm.net> wrote:
>Hello,
>
>Recently on this mailing list and on tor-relays there have been some cases
>when relay nodes using standard ports commonly used for other services as
>their ORPort cause issues with ISPs of someone else running a relay.
>
>Notably once a relay on port 53 has triggered "high DNS traffic anomaly" IDS
>warning from the provider and almost(?) had the user's account terminated. DNS
>port 53 is commonly used for DNS reflection DDoS attacks, and apparently now
>ISPs have deployed measures to detect (and misdetect) these.
>
>In one more case a relay on port 22 had the user suspicious that an SSH
>brute-forcing may be going on.
>
>And finally an ISP has suspended a relay node VPS of someone I know on a
>suspicion of "having been hacked"; there was no further information on the
>basis of such suspicion, but thinking about it, it's entirely plausible that
>many outgoing connections to port 22 could have been the trigger.
>
>Large amounts of traffic and a high count of open connections to these ports
>is now one (and perhaps the first) case when running a non-exit relay *may*
>get you in trouble with your provider.
>
>So my idea is, maybe consider making directory authorities blacklist some
>ports as being unacceptable as ORPorts, 22 and 53 come to mind for a start,
>along with maybe 25 to avoid false alarms from anti-spam countermeasures.

+1 that makes sense to me.


-- 
Sent from a mobile device. 

