To: tor-talk@lists.torproject.org
References: <559D745D.1040601@riseup.net>
 <20150708211018-728-69593-mailpile@mailpile-home>
 <559E10D2.7020205@copper.net>
From: Thomas White <thomaswhite@riseup.net>
Message-ID: <559E45AB.4070002@riseup.net>
Date: Thu, 9 Jul 2015 10:58:03 +0100
In-Reply-To: <559E10D2.7020205@copper.net>
Subject: Re: [tor-talk] OnionBalance Hidden Service has over 1 million
 successful hits in just 3 days

304 is people visiting using the Tor browser where the data is cached,
304 just lets it know the cache data is still valid instead of
redownloading.

404s look like they might be scanners in some cases, and in
others just look like random attempts to find pages. Here is an example:

127.0.0.1 - - [redacted redacted] "GET /id=123 HTTP/1.1" 404 432 "-"
"Mozilla/5.0 (Windows NT 6.1; rv: 31.0) Geck0/20100101 Firefox/31.0
(Tor Browser Bundle)"

Here is a 403 attempt to get the mod_status module in Apache installs.

127.0.0.1 - - [redacted redacted] "GET /server-status HTTP/1.1" 403
402 "-" "-"

So afaik just people crawling to find details on the site or looking
if we have some vulnerability.

T



On 09/07/2015 07:12, Jim wrote:
> Ben wrote:
>> I forgot to tell it to add a timestamp, so comparison against 
>> your logs would be nigh on impossible - have set the same script 
>> running with timestamps added, will keep an eye to see whether 
>> any failed connections have been logged.
>> 
>> I do, however, have some entries in my tor client logs
>> 
>> Jul 08 09:03:55.000 [notice] Rend stream is 120 seconds late. 
>> Giving up on address '[scrubbed].onion'.
> 
> For various reasons I have only been able to make a few 
> connections, but they have been more than 10 minutes apart so, as
> I understand it, they should all have established new circuits.
> This was scripted using wget. I have had over 40 successes with
> one failure, logged as follows (I have adjusted the time to UTC):
> 
> Jul  9 05:10:23 host Tor[15947]: Tried for 120 seconds to get a 
> connection to [scrubbed]:80. Giving up. (waiting for rendezvous 
> desc)
> 
> Following this failure I have had some successes. (Initially I 
> thought maybe the test site had been shut down.)
> 
> Also, Thomas, I am wondering if you can explain what the 304 (Not 
> Modified), 404 (Not Found), and 403 (Forbidden) codes were caused 
> by.  I suppose for 404 somebody could have requested a
> non-existent page on the site, but the other two have me baffled.
> 
> Jim
> 
> 
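Added example (not part of the original message and not OnionBalance code): a small Python triage pass over Apache combined-format access-log lines, sorting requests into the categories discussed in the thread above. The 304 and 200 sample lines, the /server-info path and all function names are assumptions made for illustration; the 404 and 403 lines are the two quoted in the message, rejoined onto one line each.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<agent>[^"]*)"$'
)

# /server-status is the path from the thread; /server-info (mod_info) is an
# assumption added here as a second example of a server-internals path.
INTERNAL_PATHS = ("/server-status", "/server-info")

def classify(line):
    """Return a triage label for one access-log line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return "unparsed"
    status = m["status"]
    path = m["path"].split("?", 1)[0]  # ignore any query string
    if path.startswith(INTERNAL_PATHS):
        # Onion-service requests arrive from 127.0.0.1 (as in the log lines above),
        # so an access rule that only trusts localhost does not keep visitors out.
        return "internal-probe-denied" if status in ("403", "404") else "internal-probe-EXPOSED"
    if status == "304":
        return "cache-revalidation"   # client already holds a valid cached copy
    if status == "404":
        return "not-found-probe"      # scanner or guesswork at page names
    if status == "403":
        return "forbidden"
    return "other"

def summarize(lines):
    """Count triage labels over an iterable of log lines."""
    return Counter(classify(l) for l in lines if l.strip())

SAMPLE = [
    # constructed line
    '127.0.0.1 - - [09/Jul/2015:09:00:01 +0000] "GET /index.html HTTP/1.1" 304 - "-" "Mozilla/5.0"',
    # from the message above
    '127.0.0.1 - - [redacted redacted] "GET /id=123 HTTP/1.1" 404 432 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; rv: 31.0) Geck0/20100101 Firefox/31.0 (Tor Browser Bundle)"',
    # from the message above
    '127.0.0.1 - - [redacted redacted] "GET /server-status HTTP/1.1" 403 402 "-" "-"',
    # constructed lines: what a misconfigured server would log, and a normal hit
    '127.0.0.1 - - [09/Jul/2015:09:00:05 +0000] "GET /server-status?auto HTTP/1.1" 200 512 "-" "-"',
    '127.0.0.1 - - [09/Jul/2015:09:00:09 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for label, count in summarize(SAMPLE).most_common():
        print(f"{count:3d}  {label}")
```

Any internal-probe-EXPOSED line means the status page was served to a visitor and the access rule for it should be reviewed.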

