
Re: following on from today's discussion



Thus spake Matej Kovacic (matej.kovacic@xxxxxxxxx):

> Hi,
> 
> > A handful of hosts could run this thing and publish their results,
> > perhaps along with some other manually created list of undesirable
> > exits.
> 
> Great, that could be an interesting research. However, if someone is
> doing this (injection/modifying) not all the time, it would be harder to
> detect him.

Yeah, that's why we need a few people running it continuously over a
long period of time. It serves as a deterrent that the network
is actually monitoring for this behavior, since nodes doing
this will eventually be noticed.

Though for botnet operators who presumably are able to sign up their
botnet hosts as tor nodes anonymously via their own relay network,
they may not care if the individual nodes are caught or not. Scary
thought.

I've managed to keep myself sufficiently insulated from shiny things,
and have finished a script that uses Tor to md5sum a list of URLs and
also track the SSL certs of a list of https hosts. This script saves
corrupted files, so if we catch infected exes, it's possible we can
use these samples to go after botnet command and control. That ability
may also be a sufficient deterrent to keep teh snakes off teh Tor.

I also have a separate script that parses the Tor directory and chooses
nodes based on exit port policy and bandwidth. I'm working to make
this one operate with the tor control port to actually build and
attach circuits and inform the first script which exit node it is
choosing via a named pipe. This way we can experiment with different
strategies for choosing exit nodes to scan, short path lengths, and so
on easily.

I'd guesstimate about 2 days before I have a prototype that works
fully with a fixed list of URLs. Possibly end of next weekend before I
have something that picks docs & exes randomly off google.


P.S. Does anyone know a clean way to do line-buffered select()able
socket IO via perl? From looking at IO::Socket it seems like the
timeout is only used for accept/connect... I may have to resort to
multithreaded perl.. *shudder*.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
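The post describes two pieces: a node chooser that reads Tor server descriptors and filters exits by exit policy and bandwidth, and a scanner that fetches the same objects through several exits and compares content hashes and TLS certificates. The block below is an added illustration in Python of that comparison logic, written for this page; it is not Mike Perry's Perl script and does not talk to Tor. The descriptor text, relay nicknames, URLs, "fetched" bytes and certificate blobs are all constructed inline so it runs offline; the `router`, `bandwidth` and `accept`/`reject` keywords follow Tor's server-descriptor format, and SHA-256 is used in place of the post's md5 since any collision-resistant hash works for a same-or-different comparison.

```python
"""Exit-scanner comparison logic (added example, not the author's script).

1. parse_descriptors/pick_exits: choose exits whose policy permits a port,
   ranked by observed bandwidth, as the post's second script does.
2. divergent_exits/scan_report: given the same object fetched through many
   exits, flag exits whose hash differs from the majority.  The same function
   serves for TLS certificate tracking by passing DER blobs as the samples.
All inputs below are constructed for the example.
"""
import hashlib
from collections import Counter

# Constructed descriptor excerpt (Tor keywords: router, bandwidth, accept/reject).
# 'bandwidth' carries rate, burst and observed bytes/sec; 'observed' is used here.
DESCRIPTOR_TEXT = """\
router goodexit1 192.0.2.10 9001 0 9030
bandwidth 1048576 2097152 734003
accept *:80
accept *:443
reject *:*
router goodexit2 192.0.2.11 9001 0 0
bandwidth 5242880 10485760 3145728
reject 10.0.0.0/8:*
accept *:*
router middle1 192.0.2.12 9001 0 0
bandwidth 10485760 10485760 9437184
reject *:*
router badexit1 192.0.2.13 9001 0 0
bandwidth 2097152 4194304 1572864
accept *:80
reject *:443
accept *:*
"""


def parse_descriptors(text):
    """Return [{nickname, address, observed, policy:[(action, addr, ports)]}]."""
    descs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "router":
            descs.append({"nickname": parts[1], "address": parts[2],
                          "observed": 0, "policy": []})
        elif parts[0] == "bandwidth":
            descs[-1]["observed"] = int(parts[3])
        elif parts[0] in ("accept", "reject"):
            addr, _, ports = parts[1].rpartition(":")
            descs[-1]["policy"].append((parts[0], addr, ports))
    return descs


def _port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def exit_allows(policy, port):
    """First matching rule wins (Tor semantics).  Only '*'-address rules are
    consulted, so the answer means 'can reach an arbitrary public destination
    on this port'; address-specific rejects (private nets) are skipped.
    An unmatched port falls through to Tor's implicit 'reject *:*'."""
    for action, addr, ports in policy:
        if addr == "*" and _port_match(ports, port):
            return action == "accept"
    return False


def pick_exits(descs, port, n):
    """Nicknames of up to n exits allowing `port`, highest observed bw first."""
    usable = [d for d in descs if exit_allows(d["policy"], port)]
    usable.sort(key=lambda d: d["observed"], reverse=True)
    return [d["nickname"] for d in usable[:n]]


def digest(data):
    return hashlib.sha256(data).hexdigest()


def divergent_exits(samples):
    """samples: {exit: bytes} for one URL (or one host's cert).  Returns
    (majority_digest, [disagreeing exits]).  With no digest shared by at
    least two exits, or a tie, there is no baseline (dynamic content) and
    nothing is flagged: (None, [])."""
    digests = {e: digest(b) for e, b in samples.items()}
    counts = Counter(digests.values())
    top, n = counts.most_common(1)[0]
    if n < 2 or sum(1 for c in counts.values() if c == n) > 1:
        return None, []
    return top, sorted(e for e, d in digests.items() if d != top)


def scan_report(observations):
    """observations: {url: {exit: bytes}} -> {exit: [urls where it diverged]}."""
    report = {}
    for url, samples in observations.items():
        for e in divergent_exits(samples)[1]:
            report.setdefault(e, []).append(url)
    return report


# Constructed fetch results: badexit1 appends a stub to the .exe only.
CLEAN_EXE = b"MZ\x90\x00" + b"\x00" * 60 + b"original payload"
INFECTED_EXE = CLEAN_EXE + b"\xcc\xcc dropper stub"
DOC = b"%PDF-1.4 constructed static document"
OBSERVATIONS = {
    "http://example.test/tool.exe": {"goodexit1": CLEAN_EXE, "goodexit2": CLEAN_EXE,
                                     "badexit1": INFECTED_EXE},
    "http://example.test/paper.pdf": {"goodexit1": DOC, "goodexit2": DOC, "badexit1": DOC},
    # Dynamic page: every exit sees different bytes, so no baseline and no flag.
    "http://example.test/news": {"goodexit1": b"v1", "goodexit2": b"v2", "badexit1": b"v3"},
}
CERT_OBS = {"goodexit1": b"cert-A", "goodexit2": b"cert-A", "badexit1": b"cert-MITM"}

if __name__ == "__main__":
    descs = parse_descriptors(DESCRIPTOR_TEXT)
    print("exits for 443:", pick_exits(descs, 443, 3))
    print("divergent exits:", scan_report(OBSERVATIONS))
    print("cert mismatch:", divergent_exits(CERT_OBS)[1])
```

The dynamic-content case is the one that bites in practice: a URL whose bytes differ through every exit yields no majority, so nothing is flagged; a real run would re-fetch over time and only act on exits that diverge consistently, which is why the post stresses running the scan continuously.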