[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Exit node stats collection?

On Wed, 4 Sep 2013, mirimir wrote:
Also, if this were a botnet, I would expect it to show up in honeypots.
Wouldn't its bots be easily detected, through searching for Tor

That depends on what the botnet is doing.

If it were using Tor to connect to some service on the public Internet, either for C&C communication, or to do something via Tor (like using Tor to leave comment spam), it would sooner or later end up in honeypots. I'm pretty sure it would have been discovered by now.

But Tor could also be used for communication with a control server on a hidden service, which would be a lot harder to detect by honeypots. Botnets have used this before - it could be that nodes in an existing botnet are gradually being updated to a newer version that uses Tor. It could also be a completely new botnet, that is infecting machines at a fairly high rate.

Another possibility is a botnet, or perhaps just a piece of software, that is broken and thus causing a lot of unintended Tor traffic.

Or, as has been suggested, it could be a DDoS attack. Perhaps a DDoS attack on Tor as a whole, or perhaps a DDoS attack on a single (hidden) service, that, given how Tor works, seriously disrupts the whole network.

tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsusbscribe or change other settings go to