[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Hiding the presence of hidden services

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-talk] Hiding the presence of hidden services
From: Nam-Shub <nam-shub@xxxxxxxxxx>
Date: Sat, 23 Aug 2014 14:27:37 +0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 23 Aug 2014 10:28:02 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Is there any good way to hide the presence of hidden services? I know
that if I create a hidden service, at least the HSDir nodes are able
to see the .onion address of that site. So someone could scrape a list
of .onion addresses to portscan and automatically exploit if they have
a 0day. Let's say I wanted to expose an SSH service there. As all
incoming connections come from 127.0.0.1 I cannot use a firewall for
access control, and SSH is very verbose in announcing itself.

Is there any good way to hide the presence of services? Something like
port knocking I guess, but most of those solutions seem to listen to
all traffic using libpcap and that sounds like a big attack surface as
well.

I've seen https://tools.ietf.org/html/draft-kirsch-ietf-tcp-stealth-00
and I think it would be a great solution if/when it gets into the
kernel, but as long as it requires kernel patching it's not really an
option for me.

Alternatively, something that did not hide the listening socket but
was just a very simple wrapper around TCP that checked a MAC on
incoming messages, letting through only those messages that have the
correct MAC but not responding at all to others. Something so simple
that it can be easily audited (unlike OpenSSH). That way scanners
could not tell what was running behind it. Does something like this exist?

- --
Nam-Shub
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJT+KTZAAoJEGnYwQctydHVf28P/RpoUskk9q2mqpsaJRHCi47y
mG9pJeidDQnfmaf0qL2EUXdqnTm6UK15X748dqVRSaxjw+7xRCpNj7wtZknKv/Dk
PK91/YlASbkmCzbOvwvKqOpKpVZ8xiu+LSpW/biLnWvgA6fyHKKebmfkR4M93v0e
oopX1x4CDwYyZcsJMzW3K3/5y07yP8uTtIQPwre5nBOi/DPU0BiiTtaX6EB60EvT
BTNkvUitDR1h48ZqebYzqPWXF81A7sq1VnUSdKSQ9NJVxOkfUQRcXq+neQHS9KyH
UpvuAZ8l5Zew6c7gMnHVBszv05orsnoLqmbDIfUhZqyKIEwAi+LmPiQF7mTPJvkn
qLfIx6kGXViTIF6NW47Z2nOixMFrBEaIJrcDmkcdb7ciex9VEdQd9bEPXygzDO+P
urUOEuXuCvjtEar/OsO5TwWzhye2nPHBcjNJde0qaEp3yZ7L2ja2OLVpwy5FCjQN
LR4O43H0J3yzZ4nReF474tMaM84GUaNIQ/gGducy4TJ8A9lDjNFQ7s4GZVyVr5rH
iD8M3KbFD5CdnQv1QEUBaaNJsMIXsILu0k6xOCZhQRdYQuu2izK45RSdtlvc6j78
glkTKpSxVWshq5Ay/TgxQR4I5V1l+EXWvrCA0+e3EefmTMlCXXwagSzL2wyAZBU1
QEAcnGzWFpdIIcVgsDD1
=XMz2
-----END PGP SIGNATURE-----
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Hiding the presence of hidden services
  - From: Lunar

Prev by Author: Re: [tor-talk] T-shirt criteria
Next by Author: Re: [tor-talk] (FWD) ISC Update: StoryMaker
Previous by thread: Re: [tor-talk] TOR tried to take a snapshot of my screen
Next by thread: Re: [tor-talk] Hiding the presence of hidden services
Index(es):
- Author
- Thread