Re: [tor-talk] Tor honeypot
On 10/11/2016 04:17 PM, Flipchan wrote:
> is ofc not connected to the Tor Network.
What is "ofc"?
What would be the advantages of having it disconnected from the Tor network? Having the honeypot not listed in the Tor directory servers would only detect scanners or adversaries that identify targets based on port number. If I were an adversary, I would just refer to the directory server for listings of Tor routers instead of doing internet-wide scans, which could take up to a day.
If concerned about "normal Tor traffic" acting as a cover for malicious traffic, then perhaps sort log data through a filter omitting traffic based on the following criteria:
1. OMIT traffic to/from known Tor nodes and their listed ports, WHICH ALSO INCLUDES traffic patterns matching normal Tor traffic.
So what this filter would do is omit traffic between your honeypot node and other Tor nodes, while bringing to attention traffic that is connecting to/from non-Tor routers or non-Tor-related ports, or traffic that may be connecting to other Tor routers/ports but with non-standard Tor traffic.
So even if an adversary is mass-hacking Tor from a Tor router as cover, this would likely pick up traffic that is not matching that of standard Tor traffic.
PGP Fingerprint: 2BB5 15CD 66E7 4E28 45DC 6494 A5A2 2879 3F06 E832
Bitmessage Address: BM-2cVaTbC8fJ5UDDaBBs4jPQoFNp1PfNhxqU
NOTICE: ALL EMAIL CORRESPONDENCE NOT SIGNED/ENCRYPTED WITH PGP SHOULD BE CONSIDERED POTENTIALLY FORGED, AND NOT PRIVATE.
If this matters to you, use PGP or bitmessage.
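The filter sketched in the reply above, written out as an added example (not code from the poster or from the Tor project): flows to or from a listed relay, on a listed ORPort, that also open like a normal Tor link are omitted; everything else is surfaced with the reason. The relay list, the honeypot's address and ports, and the flow records are all constructed; a real deployment would load the relay list from the directory consensus.

```python
# Constructed excerpt of what the directory consensus would provide:
# relay IP -> advertised ORPorts. Refreshing this from the consensus is assumed, not shown.
TOR_RELAYS = {
    "198.51.100.10": {9001},
    "203.0.113.7": {443, 9001},
}
HONEYPOT_IP = "192.0.2.1"      # the honeypot relay's own address (constructed)
HONEYPOT_ORPORTS = {9001}      # ORPorts it advertises in its descriptor (constructed)

def classify(src, sport, dst, dport, tls_like):
    """Return 'omit' for traffic that looks like normal relay-to-relay Tor,
    otherwise a short reason why the flow deserves attention.
    tls_like: True if the connection opened with a TLS handshake, as Tor links do."""
    if dst == HONEYPOT_IP:                       # inbound: remote is the client
        remote, or_port_used = src, dport in HONEYPOT_ORPORTS
    elif src == HONEYPOT_IP:                     # outbound: remote is the server
        remote, or_port_used = dst, dport in TOR_RELAYS.get(dst, set())
    else:
        return "flow does not involve the honeypot"
    if remote not in TOR_RELAYS:
        return "remote host is not a listed Tor relay"
    if not or_port_used:
        return "listed relay but non-Tor port"
    if not tls_like:
        return "Tor relay and ORPort but non-standard traffic"
    return "omit"

def filter_flows(flows):
    """Drop omitted flows; return (flow, reason) pairs left for review."""
    flagged = []
    for flow in flows:
        verdict = classify(*flow)
        if verdict != "omit":
            flagged.append((flow, verdict))
    return flagged

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, tls_like)
SAMPLE_FLOWS = [
    ("198.51.100.10", 50123, HONEYPOT_IP, 9001, True),   # normal inbound Tor link
    (HONEYPOT_IP, 40000, "203.0.113.7", 443, True),      # normal outbound Tor link
    ("198.51.100.10", 50124, HONEYPOT_IP, 22, False),    # listed relay hitting SSH
    ("203.0.113.7", 50125, HONEYPOT_IP, 9001, False),    # ORPort, but not a TLS handshake
    ("198.51.100.99", 50126, HONEYPOT_IP, 9001, True),   # host not in the relay list
]

if __name__ == "__main__":
    for flow, reason in filter_flows(SAMPLE_FLOWS):
        print(flow, "->", reason)
```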