[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Blocking Shadowserver honeypots

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Blocking Shadowserver honeypots
From: Damian Johnson <atagar1@xxxxxxxxx>
Date: Fri, 18 Mar 2011 22:06:57 -0700
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 19 Mar 2011 01:07:14 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=jdlNVtjTXV7sY1Id+ffWS1Ae8vCWIMivExCx094135c=; b=K9h9gbi/mgQXwbM8bif7clPrffJPsgArqpXvhFUQ+K7QQklGO8mmLTk1RbVG0yAAZE khoQHd0quCrn/cXTFWetITAiGqCK+1+5uZUfqu31RsDnao6/ec7eiFQzG3CGmfM1R4aq TKdmnmsqjlTQ2tfg7uNWb+2Tj/2pe7o+ELSO4=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=WUYvU3a9Kw1UnjJfTNaSnSKX00ZVvfit7Gq3KhXMIbKQXAPEx6op2b1BhjM9p0WqhF rPfzv33wfIE0sEmAKb0zCmncxsJrvU7riPdhpDrY77J8/hdbeQ4JHnuWaDdBR+JCqjw7 e2P+DDtbl3Uvx7MgbjTtzTftn4dDyCvf5B1ek=
In-reply-to: <20110318230210.GA11353@apus>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for all discussion about theory, design, and development of Onion Routing." <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <20110318230210.GA11353@apus>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx

Hi Alexander. Thanks for running a relay!

> If yes, I wanted to ask if anybody knows a way to check every outgoing TCP
> connection for connecting to *.sinkhole.shadowserver.org and dropping it
> if needed.

I haven't seen any complaints about this with Amunet. The exit policy
doesn't accept hostnames (nor wildcards in them) so your best bet is
probably to just reject connections to their current honeypots and add
more if you keep getting complaints. Here's what robtex reports for
the sinkhole subdomains:
74-208-15-160.sinkhole.shadowserver.org
74-208-15-97.sinkhole.shadowserver.org
74-208-164-166.sinkhole.shadowserver.org
74-208-164-167.sinkhole.shadowserver.org
74-208-64-145.sinkhole.shadowserver.org
74-208-64-191.sinkhole.shadowserver.org
87-106-24-200.sinkhole.shadowserver.org
87-106-250-34.sinkhole.shadowserver.org

so ExitPolicy reject 74.208.15.160, reject 74.208.15.97, reject
74.208.164.166... etc

Cheers! -Damian

PS. We also have a tor-relays list you might find a bit more helpful
for this sort of question:
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays/
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Blocking Shadowserver honeypots
  - From: Alexander Bernauer

References:
- [tor-talk] Blocking Shadowserver honeypots
  - From: Alexander Bernauer

Prev by Author: Re: [tor-talk] some common ground on the gatereloaded topic (fwd)
Next by Author: Re: [tor-talk] Blocking Shadowserver honeypots
Previous by thread: [tor-talk] Blocking Shadowserver honeypots
Next by thread: Re: [tor-talk] Blocking Shadowserver honeypots
Index(es):
- Author
- Thread