A bit over a month ago, I posted here some exit statistics by port number. One major oddity among them was the count of port 43 (whois) exits, which seemed extraordinarily large, especially in relation to the counts for other, more expectedly popular port numbers. Some of the comments I got in response gave me an idea. In what follows here, keep in mind that the second most frequently occurring exit port number in the statistics previously reported was 443 (https), and that the count of port 43 exits was in the millions when the count of port 443 exits was several hundred thousand. It is important to note that my node's exit policy regarding port 80 (http) is highly restrictive, resulting in very low exit counts for that port. Keeping that in mind, the exit counts for almost all other ports were not and are not similarly restricted. I replaced the "ExitPolicy accept *:43" in my torrc file with the following:
###---Limited list of allowed whois exit addresses
ExitPolicy accept 192.103.19.12:43   # whois access to whois.6bone.net
ExitPolicy accept 192.149.252.44:43  # whois access to whois.arin.net
ExitPolicy accept 193.0.0.135:43     # whois access to whois.ripe.net
ExitPolicy accept 194.85.119.77:43   # whois access to whois.ripn.net
ExitPolicy accept 196.216.2.1:43     # whois access to whois.afrinic.net
ExitPolicy accept 198.108.0.18:43    # whois access to whois.ra{,db}.net
ExitPolicy accept 199.7.51.74:43     # whois access to whois.crsnic.net
ExitPolicy accept 199.7.55.74:43     # whois access to whois.internic.net
ExitPolicy accept 199.43.0.144:43    # whois access to whois.arin.net
ExitPolicy accept 200.160.2.3:43     # whois access to whois.registro.br
ExitPolicy accept 200.160.2.15:43    # whois access to whois.lacnic.net
ExitPolicy accept 202.12.29.13:43    # whois access to whois.apnic.net
ExitPolicy accept 202.30.50.120:43   # whois access to whois.krnic.net
ExitPolicy accept 205.178.188.12:43  # whois access to whois.networksolutions.com
ExitPolicy accept 206.51.224.229:43  # whois access to whois.nic.gov
ExitPolicy accept 208.77.188.18:43   # whois access to whois.icann.org
ExitPolicy accept 208.77.188.87:43   # whois access to whois.iana.org
ExitPolicy reject *:43               # nicname whois
###---End of whois exit policy specifications

The relationship now between the exit counts for ports 43 and 443 in the last few days since I switched to 0.2.1.15-rc with Nick's patch applied looks like this:

      439 Exit to port 43
    72052 Exit to port 443

In other words, by restricting just port 43 exits to only the legitimate whois IP addresses, I eliminated at least 70% of *all* exits through my tor node, which suggests to me that the vast, overwhelming majority of exits from the tor network are illegitimate and place a terribly taxing load upon the tor network as a whole.
This apparent fact, in turn, suggests that if a) all tor nodes with an explicit exit policy were to restrict port 43 exits to just the legitimate port 43 IP addresses and b) the tor default exit policy did the same, a huge and illegitimate load would be lifted from the tor network overall. If no relays offer exits to port 43 that don't go to the NICs' whois servers, well over half of all tor exits, which are illegitimate and undeserving of service in the first place, will be eliminated (not counting typical port 80 (http) traffic, of course).

Because my node's exit policy for port 80 (http) is not wide open, it is hard for me to estimate the relative importance of bogus port 43 requests w.r.t. legitimate port 80 (http) requests. Because of my node's limited port 80 exit policy, I would be *very* interested in seeing exit counts for nodes with unrestricted exit policies for the combination of ports 43, 80, and 443 in order to get a better idea of their relative importance. Nevertheless, the impact of eliminating those exit opportunities can be expected to be quite significant in terms of performance of the network overall, particularly because circuits will not need to be built in the first place for such requests. If even a few relays continue to offer unrestricted exits for port 43, they will get so badly hammered by all the bogus exit requests that they will cease to be important to normal operations of the tor network until such time as they may modify their exit policies to be more in tune with valid use of the tor network, rather than use by some sort of port scanner or whatever junk software is currently consuming so much of the tor network's resources; the only remaining cost to the network would be that of the circuits built to reach such non-conforming nodes for the exit service.
Please note also that changing the default exit policy and most tor nodes' explicit exit policies to the above specification would not prevent tor exit node operators from adding other legitimate whois servers' IP addresses to their exit policies. Therefore, I encourage all tor exit node operators to make the above described change to the exit policies of their exit nodes. (Feel free to copy and paste.) I further suggest that the default exit policy for tor be modified in all future releases of both the stable and development branches of tor to have the exit policy for port 43 shown above, as modified from time to time as the NICs' whois server addresses may change. Comments are both welcome and encouraged.

                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
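The policy above only works because Tor evaluates ExitPolicy lines top to bottom and the first matching rule wins: the per-server accepts must precede "reject *:43", or they never fire. The following evaluator, added here as an example and not part of the original post or of Tor's own code, parses torrc-style lines, decides whether a given address:port pair may exit, and flags rules that an earlier rule makes unreachable. It models only the IPv4 "accept|reject ADDR[/MASK][:PORTSPEC]" syntax used in the post; IPv6 rules, the "private" keyword and Tor's implicit default policy (appended when a policy lacks a final wildcard rule) are not modelled, so the sample policies end with an explicit catch-all. The sample policies are constructed for the example (a trimmed copy of the posted list plus a deliberately misordered variant).

```python
"""Toy evaluator for Tor ExitPolicy lines: first matching rule wins.

Added example, not Tor's own code. IPv4 only; 'private' and Tor's implicit
default exit policy are not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                               # "accept" or "reject"
    network: Optional[ipaddress.IPv4Network]  # None stands for "*"
    ports: Tuple[int, int]                    # inclusive range; "*" is (1, 65535)

    def matches(self, addr: str, port: int) -> bool:
        if self.network is not None and ipaddress.IPv4Address(addr) not in self.network:
            return False
        return self.ports[0] <= port <= self.ports[1]


def _parse_ports(spec: str) -> Tuple[int, int]:
    if spec == "*":
        return (1, 65535)
    lo, _, hi = spec.partition("-")           # "43" or "6881-6999"
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 1 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return (lo_i, hi_i)


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one torrc line; None for blank or comment-only lines."""
    body = line.split("#", 1)[0].strip()      # drop '# whois access to ...' comments
    if not body:
        return None
    parts = body.split()
    if parts[0] == "ExitPolicy":
        parts = parts[1:]
    if len(parts) != 2 or parts[0] not in ("accept", "reject"):
        raise ValueError(f"unparseable rule: {line!r}")
    action, target = parts
    if ":" in target:
        addr, _, portspec = target.rpartition(":")
    else:
        addr, portspec = target, "*"          # address-only rule means all ports
    network = None if addr == "*" else ipaddress.IPv4Network(addr, strict=False)
    return Rule(action, network, _parse_ports(portspec))


def parse_policy(text: str) -> List[Rule]:
    return [r for r in (parse_rule(ln) for ln in text.splitlines()) if r is not None]


def exit_allowed(rules: List[Rule], addr: str, port: int) -> bool:
    """First matching rule decides. Unmatched pairs are rejected here; real Tor
    would append its default policy instead, so end explicit policies with a wildcard."""
    for rule in rules:
        if rule.matches(addr, port):
            return rule.action == "accept"
    return False


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because one earlier rule already
    covers their whole address and port space, e.g. 'reject *:43' placed before
    the per-server accepts. Conservative: shadowing by a union of several
    earlier rules is not detected."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            addr_covered = earlier.network is None or (
                later.network is not None and later.network.subnet_of(earlier.network))
            port_covered = earlier.ports[0] <= later.ports[0] and later.ports[1] <= earlier.ports[1]
            if addr_covered and port_covered:
                out.append(i)
                break
    return out


# Constructed sample: a trimmed copy of the posted whois policy, plus an accept
# for 443 and an explicit catch-all so that every pair matches some rule.
POSTED_POLICY = """
ExitPolicy accept 193.0.0.135:43   # whois access to whois.ripe.net
ExitPolicy accept 199.43.0.144:43  # whois access to whois.arin.net
ExitPolicy accept 202.12.29.13:43  # whois access to whois.apnic.net
ExitPolicy reject *:43             # nicname whois
ExitPolicy accept *:443
ExitPolicy reject *:*
"""

# Same rules with the port 43 reject moved first: the per-server accepts are dead.
MISORDERED_POLICY = "\n".join([
    "ExitPolicy reject *:43",
    "ExitPolicy accept 193.0.0.135:43",
    "ExitPolicy accept 199.43.0.144:43",
    "ExitPolicy accept *:443",
    "ExitPolicy reject *:*",
])

if __name__ == "__main__":
    rules = parse_policy(POSTED_POLICY)
    for addr, port in [("193.0.0.135", 43), ("8.8.8.8", 43), ("8.8.8.8", 443)]:
        verdict = "accept" if exit_allowed(rules, addr, port) else "reject"
        print(f"{addr}:{port} -> {verdict}")
    print("shadowed rules in misordered policy:",
          shadowed_rules(parse_policy(MISORDERED_POLICY)))
```

Running the check before reloading torrc catches the ordering mistake that silently turns the whitelist into a blanket reject: in the misordered variant, every whois accept is reported as shadowed, while the posted ordering reports none and still lets 193.0.0.135:43 through and drops 8.8.8.8:43.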