Date: Sun, 9 Nov 2014 13:47:26 -0500
Message-ID: <CAD2Ti2-8muM890pEKRKtE9ffh-vRvcJrgfmG++XF4bdcMZLW+g@mail.gmail.com>
From: grarpamp <grarpamp@gmail.com>
To: tor-talk@lists.torproject.org
Cc: cypherpunks@cpunks.org
Subject: Re: [tor-talk] insufficient hidden service performance is potential
 de-anonymizing DoS [was Re: [tor-dev] yes hello, internet supervillain here]

On Sun, Nov 9, 2014 at 11:08 AM, Andrea Shepard <andrea@torproject.org> wrote:
> Yes, and that is what it looks like.  The strings 'code', 'old' and 'fail' in
> the URLs seen in nachash's logs were also present as top-level directories on
> his site, and he apparently had a 404 redirect to his index page - so a
> buggy crawler might well produce something like the observed pattern.  Who
> would leave an obviously broken crawler producing nothing of interest like
> that running for such a long time and O(1M) requests, though?  An attack
> designed to look like skiddie bullshit is starting to sound plausible.

> coderman:
> morals of this story:
> - never assume a crash or DoS is innocuous on the Tor network.
> - always get packet captures to diagnose trouble! (not just request logs)
> - "the old tricks, still the best tricks..."

In one of many threads, mine being 'dirty pool', there is forming a
good variety of such morals to live by and areas of action to pursue.
HS operators banding together to compare the above logs is one
of them. You could conceivably throw the logs/pcaps from many
relays and onions into a splunk.onion instance and try to mine some
knowledge out of them that way. Tor is a jointly owned wide area
infrastructure... seems time to apply the traditional net/sec tools
to it and see what's up on your own network.
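Added example, not part of the original message or of any Tor project code: one way an operator could measure the crawler-loop pattern discussed in the thread in their own request log before comparing notes with other operators. It assumes a "combined" format access log and assumes the pattern is request paths built only from the site's top-level directory names chained together; the function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Directory names from the thread; assumed never nested inside one another on the real site.
TOP_LEVEL = {"code", "old", "fail"}

# Constructed sample in "combined" log format (not taken from any real log).
SAMPLE_LOG = """\
127.0.0.1 - - [08/Nov/2014:03:10:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
127.0.0.1 - - [08/Nov/2014:03:10:02 +0000] "GET /code/ HTTP/1.1" 200 2048 "-" "-"
127.0.0.1 - - [08/Nov/2014:03:10:03 +0000] "GET /code/old/fail/ HTTP/1.1" 302 0 "-" "-"
127.0.0.1 - - [08/Nov/2014:03:10:04 +0000] "GET /code/old/fail/code/ HTTP/1.1" 302 0 "-" "-"
127.0.0.1 - - [08/Nov/2014:04:00:09 +0000] "GET /fail/fail/old/code/old/ HTTP/1.1" 302 0 "-" "-"
127.0.0.1 - - [08/Nov/2014:04:00:10 +0000] "GET /code/readme.txt HTTP/1.1" 200 812 "-" "-"
garbage line that does not parse
"""

LINE_RE = re.compile(r'\[(?P<day>[^:]+):(?P<hour>\d{2}):[^\]]+\] "[A-Z]+ (?P<target>\S+) ')

def parse_line(line):
    """Return (hour_bucket, path) or None for lines that do not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return f'{m["day"]} {m["hour"]}h', m["target"].split("?", 1)[0]

def is_loop_path(path, top_level=TOP_LEVEL):
    """True when a path is built only from top-level directory names, 2+ deep."""
    segments = [s for s in path.split("/") if s]
    return len(segments) >= 2 and all(s in top_level for s in segments)

def summarize(log_text, top_level=TOP_LEVEL):
    """Count loop-like requests per hour and record the deepest such path."""
    per_hour, total, unparsed, max_depth = Counter(), 0, 0, 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        total += 1
        hour, path = rec
        if is_loop_path(path, top_level):
            per_hour[hour] += 1
            max_depth = max(max_depth, path.strip("/").count("/") + 1)
    return {"total": total, "loop": sum(per_hour.values()),
            "per_hour": dict(per_hour), "max_depth": max_depth, "unparsed": unparsed}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The per-hour counts and maximum depth contain no client or site identifiers beyond the directory names, so they are the kind of summary that can be compared across operators without handing over the raw log.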

