
Re: [tor-talk] Tor honeypot

Flipchan wrote:
 So something that listens on port 9001 and logs all incoming requests
just to see if there is anything scanning for Tor ports and trying to
hack them, has this been done? Would be cool to look at the data from
that if anyone got a link. I can't find something like this.

Hi there,

One of the cooler projects like this was Roya's active probing research on the Great Firewall[1]. In her case, she ran a private bridge (not distributed, only for her research use), connected to the bridge once from within China, then watched for new connection attempts. She also ran a packet capture for a day to help find patterns (as, again, no one's traffic passed through except hers). And it's easy to run a service on port 9001, do the connection, then remove the service if you don't want to use tor. =)

There are lots of misc scans going on, which mostly seem to be curiosity. Whenever an interesting/weird piece of malware comes out (which opens a rando port), I will occasionally do a scan to see how many machines may be infected. Funny story: after an NSA backdoor report came out, I found that millions of devices had that port open via a scan. After a brief freakout, I investigated further and found that a popular "smart TV" used the same port. :D All of this to say, of course, that the follow-up investigating and research matter a lot heh.


[1] http://www.cs.princeton.edu/~rensafi/projects/active-probing/index.html

Accept what you cannot change, and change what you cannot accept.
PGP: 0x03cf4a0ab3c79a63
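
A minimal version of the listener discussed in this thread, as an added example that is not code from either poster: it accepts connections on port 9001, never replies, and logs one JSON line per connection with a rough label for the first bytes received (a TLS ClientHello is how a connection to a Tor ORPort begins). The label names, timeout, byte limits and JSON field names are assumptions chosen for illustration.

```python
import asyncio
import json
import time

LISTEN_PORT = 9001    # port named in the thread
READ_TIMEOUT = 10     # assumed: seconds to wait for the client's first bytes
MAX_BYTES = 512       # assumed: only the opening bytes are read

def classify(data: bytes) -> str:
    """Label the first bytes a client sent (illustrative categories)."""
    if not data:
        return "no-data"            # connected but sent nothing
    # TLS record header: type 0x16 (handshake), major version 0x03,
    # two length bytes, then handshake type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    if data.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"OPTIONS", b"CONNECT"):
        return "http"
    if data.startswith(b"SSH-"):
        return "ssh-banner"
    return "other"

def make_record(src_ip, src_port, data, now=None):
    """Build the log entry; 'now' is injectable so the output is testable."""
    ts = time.gmtime(now if now is not None else time.time())
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", ts),
        "src": src_ip, "sport": src_port,
        "kind": classify(data), "len": len(data),
        "first_bytes_hex": data[:32].hex(),
    }

async def handle(reader, writer):
    peer = writer.get_extra_info("peername")
    try:
        data = await asyncio.wait_for(reader.read(MAX_BYTES), READ_TIMEOUT)
    except (asyncio.TimeoutError, ConnectionError):
        data = b""
    print(json.dumps(make_record(peer[0], peer[1], data)), flush=True)
    writer.close()                  # log only, never answer the client

async def main():
    server = await asyncio.start_server(handle, "0.0.0.0", LISTEN_PORT)
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(main())
```

As the reply above points out, a count of connections by itself says little; the `kind` and `first_bytes_hex` fields are there to support the follow-up investigation.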