[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Someone is crawling TorHS Directories: Honeypot

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Someone is crawling TorHS Directories: Honeypot
From: grarpamp <grarpamp@xxxxxxxxx>
Date: Sun, 9 Nov 2014 14:27:08 -0500
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 09 Nov 2014 14:27:19 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=yla4LBN6XX74052M+2pWrSXOIVeef2scM+2undP101A=; b=UtnhzE6uTWU79Re3eVQ+QM98cidxRsCKOyHa4Z3gnIZKCjHX2lQcnHdSVtym/AT02+ C+tge0p9P8bddbKz8SpdMAJyDWPZZmqdqhIzwpIfw6UGYwo909gfT9G3rFol4uGE6n+2 Sg6g0fTGfzyQtYgVP8vqkkBucqxajJKN+iEgl0TbP8nr8MJEkcCeYUHv12+qnUvhXNzy X+i8T/CQADKTPgYCxzI5wEJzbZN69vkFBYAZQh2BTP/bCCo00PahoFFD79YzYLDo5HEy OcmXOJmn0sAg717cc/69chB0VvHQRU+2BhYNQVcfXSGhLXEacsUErJzaRjp7l2cMwlgU KtoQ==
In-reply-to: <54134ECB.2080301@xxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <20140911101248.4C48C290C1@scatolo> <54134ECB.2080301@xxxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

On Fri, Sep 12, 2014 at 3:51 PM, Fabio Pietrosanti (naif)
<lists@xxxxxxxxxxxxxxx> wrote:
> about a month ago i wanted to verify if someone is actively crawling
> TorHS that are inside the memory of Tor HS directories.
>
> So, i've setup a small Tor Hidden Service Honeypot at home with unknown,
> unpublished, non-publicly-linked TorHS, with a relatively simple setup:

> With such setup if someone would connect to my TorHS, it would be for
> sure a malicious user whose primary goal is to harvest TorHS addresses
> for research or intelligence purposes.

> To know about such TorHS address the attacker must be running a
> malicious Tor Relay acting as a TorHS Directory, with Tor's code
> modified to dump from the RAM memory the TorHS list, then harvest them
> with an http client/script/crawler.

> Yesterday i've received my first email from the honeypot, report below.

> It would be nice to extend this concept to proactively detect and
> identify who's running such malicious Tor Relays by logging/mapping
> every HSDir that is selected/rotated for such Tor Hidden Services.

> GET / HTTP/1.1

There are two other honeypot-able events before such TCP
packets are ever even sent over circuit to appear at HS host's
stack via HiddenServicePort VIRTPORT TARGET:
- request for descriptor from HSDir's (you can't see this)
- making HS circuit between client and HS (you can see this nego)
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Prev by Author: Re: [tor-talk] insufficient hidden service performance is potential de-anonymizing DoS [was Re: [tor-dev] yes hello, internet supervillain here]
Next by Author: Re: [tor-talk] Darknets/science vs. GPA/LEA/Law, and playing dirty pool
Previous by thread: [tor-talk] advice to hidden service operators
Next by thread: [tor-talk] Problems buying VPS with tor
Index(es):
- Author
- Thread