[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] blocking sinkholes and honeypots

On 7 March 2017 at 00:56, scar <scar@xxxxxxxxxx> wrote:
> Jon Tullett wrote on 03/03/2017 10:47 AM:
>> On 28 February 2017 at 06:07, scar <scar@xxxxxxxxxx> wrote:
>>> I believe we should encourage
>>> sinkhole/honeypot operators to just block/ignore Tor exit IPs that
>>> connect
>>> to their traps.  what do you all think?
>> Wouldn't that risk giving away the fact that it's a honeypot?
> Not if the honeypot operators block Tor

What I mean is, if blocking Tor can be correlated as a positive
indicator that a service is a honeypot, it risks making it easier to
spot. Ideally, a honeypot should mimic a real world service as closely
as possible, so I'd be cautious about blocking Tor on honeypots. Might
handle exit node traffic differently, but even that risks giving
something away. I'm just inherently opposed to identifiably different
behaviour in this sort of context. YMMV.

tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to