On Fri, Sep 12, 2014 at 3:51 PM, Fabio Pietrosanti (naif) <li...@infosecurity.ch> wrote:

> About a month ago I wanted to verify if someone is actively crawling
> TorHS that are inside the memory of Tor HS directories.
>
> So, I've set up a small Tor Hidden Service Honeypot at home with unknown,
> unpublished, non-publicly-linked TorHS, with a relatively simple setup:
>
> With such a setup, if someone connected to my TorHS, it would for
> sure be a malicious user whose primary goal is to harvest TorHS addresses
> for research or intelligence purposes.
>
> To know about such a TorHS address the attacker must be running a
> malicious Tor Relay acting as a TorHS Directory, with Tor's code
> modified to dump the TorHS list from RAM, then harvest them
> with an HTTP client/script/crawler.
>
> Yesterday I received my first email from the honeypot; report below.
>
> It would be nice to extend this concept to proactively detect and
> identify who's running such malicious Tor Relays by logging/mapping
> every HSDir that is selected/rotated for such Tor Hidden Services.
>
> GET / HTTP/1.1

There are two other honeypot-able events before such TCP packets are ever even sent over a circuit to appear at the HS host's stack via HiddenServicePort VIRTPORT TARGET:

- request for descriptor from HSDirs (you can't see this)
- making the HS circuit between client and HS (you can see this nego)

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
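One way to implement the HSDir logging/mapping Fabio proposes, as an added example that is not part of the original thread: a controller logs Tor's `HS_DESC UPLOAD` control-port events (which name the HSDir each descriptor was uploaded to), and when a honeypot service is visited, the HSDirs that held its descriptor shortly before the hit become candidates; intersecting the candidate sets of several visited honeypots narrows the suspects. The log lines, onion addresses and relay fingerprints below are constructed placeholders, and the timestamp prefix is assumed to come from the logging controller.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log: HS_DESC UPLOAD events as emitted on Tor's control port
# (field order per the Tor control-spec), each prefixed with a timestamp by an
# assumed logging controller. Onion names and fingerprints are placeholders.
SAMPLE_EVENTS = """\
2014-09-10T08:00:00 650 HS_DESC UPLOAD honeypotaaaaaaaa UNKNOWN $1111STALE~oldrelay
2014-09-11T08:00:00 650 HS_DESC UPLOAD honeypotaaaaaaaa UNKNOWN $AAAA0001~relayA
2014-09-11T08:00:01 650 HS_DESC UPLOAD honeypotaaaaaaaa UNKNOWN $BBBB0002~relayB
2014-09-11T08:00:02 650 HS_DESC UPLOAD honeypotaaaaaaaa UNKNOWN $CCCC0003~relayC
2014-09-11T09:00:00 650 HS_DESC UPLOAD honeypotbbbbbbbb UNKNOWN $CCCC0003~relayC
2014-09-11T09:00:01 650 HS_DESC UPLOAD honeypotbbbbbbbb UNKNOWN $DDDD0004~relayD
2014-09-11T09:00:02 650 HS_DESC UPLOADED honeypotbbbbbbbb UNKNOWN $DDDD0004~relayD
"""

# Only UPLOAD (the attempt) is matched; UPLOADED/FAILED status lines are skipped.
EVENT_RE = re.compile(r"^(\S+) 650 HS_DESC UPLOAD (\S+) \S+ \$([0-9A-Za-z]+)(?:~\S+)?")


def parse_uploads(log_text):
    """Return (timestamp, onion, hsdir_fingerprint) for every HS_DESC UPLOAD line."""
    uploads = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            uploads.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return uploads


def hsdirs_before_hit(uploads, onion, hit_time, window=timedelta(hours=24)):
    """HSDirs that received this onion's descriptor within `window` before the hit.
    Uploads older than the window (descriptor long since rotated away) are dropped."""
    return {fp for ts, addr, fp in uploads
            if addr == onion and hit_time - window <= ts <= hit_time}


def suspect_hsdirs(uploads, hits, window=timedelta(hours=24)):
    """Intersect the per-honeypot candidate sets: a relay that held the descriptor
    of every visited honeypot is the strongest candidate for having harvested them."""
    sets = [hsdirs_before_hit(uploads, onion, t, window) for onion, t in hits.items()]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    # Constructed hit times: both honeypots received an unsolicited GET the same evening.
    hits = {"honeypotaaaaaaaa": datetime(2014, 9, 11, 20, 0),
            "honeypotbbbbbbbb": datetime(2014, 9, 11, 20, 30)}
    print(sorted(suspect_hsdirs(parse_uploads(SAMPLE_EVENTS), hits)))
```

A single honeypot hit only yields the handful of HSDirs that held that descriptor; the intersection across several independently visited honeypots is what makes the result actionable.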