[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Blocking Shadowserver honeypots



Hi

my ISP keeps on getting abuse reports from Shadowserver because of IRC
bots attacking their honepots from my Tor exit node. 

Turns out, the "victim's" IP addresses are registered as belonging to
subdomains of sinkhole.shadowserver.org. 

I don't quite understand how any attacker is trapped by a honepot that
is publicly marked as being one. Furthermore, I don't know how this IRC
bot is able to operate with mail and web ports only as my tor exit node
is dropping everything else. But apparently this keeps on happening.

Am I the only one having this anoying problem?

If no, I wanted to ask how you deal with this?

If yes, I wanted to ask if anybody knows a way to check every outgoing TCP
connection for connecting to *.sinkhole.shadowserver.org and dropping it
if needed.

Additionally, I will try to get in contact with these Shadowserver
cracks to kindly ask them not sending useless and confusing abuse
reports to my ISP. Explaining the issue to the latter unfortunatelly
failed...

best regards

Alex

Attachment: signature.asc
Description: Digital signature

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk