
Re: Tor a carrier for Botnet traffic?

On Tue, Sep 01, 2009 at 04:20:42PM +0200, Folkert van Heusden wrote:
> Hi,
> The Tor anonymity network is a generic carrier for all kinds of (TCP)
> traffic. Its goal is enabling people to use the internet without anyone
> between them and the destination point being able to determine what is
> happening. It also allows you to offer services without anyone being
> able to trace back these services to you.
> Now botnets need to communicate with a central instance which lets them
> know what to do (e.g. send spam, ddos websites, etc.). Tor is an ideal
> carrier for this: no outsider can see what kind of traffic comes out of
> a system running such a bot and no-one is able to see whereto this
> traffic goes. So you can't stop the traffic between the bot and its
> master without blocking the whole Tor network and it is kind of hard as
> well to find where all this traffic goes to (the botnet master node).
> So, what should we do? Disallow hidden services in Tor? Or block Tor
> totally?

There is quite a bit of overhead incurred running a tor client,
which is not desirable for a typical parasitic bot infection.
Also, the Tor client doesn't try to hide itself on the system,
so some modifications to the code would be required.
Botnet owners can get lower latency and higher throughput
just continuing to infect unsecured boxes. Regarding DDoS see

Until some security forensics people document that Tor is being used
in real botnets, I don't think new policies restricting Tor usage
are called for.
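The reply's point that a Tor client does not hide itself cuts both ways for a defender: the relay list is public, so outbound flows to relays are easy to spot on a network without blocking anything. The script below is an added example, not code from this thread or from the Tor project; it reads constructed flow records, matches destinations against a constructed, hypothetical relay set (TEST-NET addresses, not real relays), and flags hosts that reach several distinct relays, which is what a real client does when fetching directory information and building circuits. A real deployment would load the current directory consensus instead of the inline set.

```python
"""Flag internal hosts whose outbound TCP flows reach Tor relays.

Added example for the or-talk discussion above. The relay list and the flow
records are constructed placeholders in TEST-NET ranges; they are not real
relays and not real traffic.
"""
import ipaddress
from collections import defaultdict

# Constructed relay set (hypothetical). In practice this comes from the
# public Tor directory consensus, which exists because Tor does not hide.
TOR_RELAYS = {
    "192.0.2.10",
    "192.0.2.11",
    "198.51.100.5",
    "203.0.113.7",
}

# Constructed flow records: "timestamp src_ip src_port dst_ip dst_port proto".
# The line with "not-an-ip" is deliberately malformed to exercise the parser.
FLOWS = """\
2009-09-01T14:20:01 10.0.0.5 51234 192.0.2.10 9001 tcp
2009-09-01T14:20:05 10.0.0.5 51240 203.0.113.7 443 tcp
2009-09-01T14:21:10 10.0.0.5 51301 198.51.100.5 9001 tcp
2009-09-01T14:21:11 10.0.0.9 40001 198.51.100.200 80 tcp
2009-09-01T14:22:00 10.0.0.9 40010 192.0.2.11 9030 tcp
2009-09-01T14:22:30 10.0.0.5 51399 192.0.2.10 9001 tcp
2009-09-01T14:23:00 10.0.0.9 40011 not-an-ip 9001 tcp
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines; skip blank or malformed ones."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, sport, dst, dport, proto = parts
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
            sport, dport = int(sport), int(dport)
        except ValueError:
            continue  # malformed address or port: drop the record
        records.append({"ts": ts, "src": src, "sport": sport,
                        "dst": dst, "dport": dport, "proto": proto})
    return records


def tor_contacts(text, relays):
    """Map each source host to the set of relay addresses it connected to."""
    contacts = defaultdict(set)
    for r in parse_flows(text):
        if r["proto"] == "tcp" and r["dst"] in relays:
            contacts[r["src"]].add(r["dst"])
    return dict(contacts)


def flag_hosts(contacts, min_relays=2):
    """Hosts that reached at least min_relays distinct relays, sorted.

    A single hit may be coincidence; a working client talks to several
    relays, so the threshold trades false positives for coverage.
    """
    return sorted(h for h, rs in contacts.items() if len(rs) >= min_relays)


if __name__ == "__main__":
    found = tor_contacts(FLOWS, TOR_RELAYS)
    for host in flag_hosts(found):
        print(host, "->", ", ".join(sorted(found[host])))
```

On the constructed input only 10.0.0.5 is flagged at the default threshold; 10.0.0.9 touched one relay and the malformed line is dropped. Matching on relay addresses sees only clients that connect to listed relays directly, so it is a detection aid for the question raised in the thread, not a substitute for the host-level forensics the reply asks for.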