Hi Robert, the design of Tor is such that it is not possible to determine what traffic inside the network is from the malware so you won't be able to block it as a relay, this is the way Tor has to work to ensure privacy. If the malware is exiting to the clearnet then determining which port it is using at the exit node and throttling or even blocking that port might help in the short term. However this is easily overcome by the malware writers. Short answer, as I understand it, is that not a lot can be done as a Tor node operator. There are much smarter people on this list though so I'd like to hear what others say about the matter. :)On Dec 22, 2013 9:21 AM, "Evaldo Gardenal" <evaldo.gardenali@xxxxxxxxx> wrote:
(I'm skipping soft aspects and sticking to engineering here)
Supposing that the whole story consists of a bot that connects through a .onion address to c&c:
-It does not use exit resources
-It is indistinguishable from other traffic (due to the onion design) once inside tor (just like any traffic)
So there's not really much you can do as a single node admin, unless you prove tor broken by inspecting it's traffic :)
EvaldoOn Dec 22, 2013 1:05 AM, "I" <beatthebastards@xxxxxxxxx> wrote:They are two words I didn't think would be together.
Would any pundit tell me if there is anything an exit or relay operator can do about malware using Tor in the news today e.g. Chewbacca (found by Kaspersky) ?
_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays