In-Reply-To: <54134ECB.2080301@infosecurity.ch>
References: <20140911101248.4C48C290C1@scatolo>
 <54134ECB.2080301@infosecurity.ch>
Date: Fri, 12 Sep 2014 19:10:12 -0700
Message-ID: <CAJVRA1TrTZHbdopJs8GS94oE04=6si=5Anx=94aMGGXYBYr_NQ@mail.gmail.com>
From: coderman <coderman@gmail.com>
To: tor-talk@lists.torproject.org, lists@infosecurity.ch
Subject: Re: [tor-talk] Someone is crawling TorHS Directories: Honeypot

On 9/12/14, Fabio Pietrosanti (naif) <lists@infosecurity.ch> wrote:
> ...
> about a month ago i wanted to verify if someone is actively crawling
> TorHS that are inside the memory of Tor HS directories.
>
> So, i've set up a small Tor Hidden Service Honeypot at home with unknown,
> unpublished, non-publicly-linked TorHS,

fun; this appears to be an intermittent pastime of some for near a decade now...

i would call these honeytokens, however, as it is the name you are
concerned about, not the services running at that onion. e.g. "...
configured honeytoken hidden service addresses known only to myself
and the chosen HSDir for that address." </pedant>


> ...
> It would be nice to extend this concept to proactively detect and
> identify who's running such malicious Tor Relays by logging/mapping
> every HSDir that is selected/rotated for such Tor Hidden Services.

you shouldn't assume HSDir is private in any case; and if enumeration
is truly a concern, fast flux onions is a thing.  these are location
hidden, not existence hidden :)

best regards,
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
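
Added example, not part of the original message or of Tor's own code: a sketch of the HSDir logging/mapping idea quoted above, for the operator of a honeytoken onion who wants to record which directories were responsible for it at a given time. It assumes the v2 descriptor-id and hash-ring rules from rend-spec v2 (two replicas, three consecutive HSDirs each); the onion address and relay fingerprints are constructed sample data, where a real deployment would take the HSDir-flagged fingerprints from the consensus.

```python
import base64, bisect, hashlib, struct

REPLICAS = 2            # assumed from rend-spec v2: two replicas per descriptor
HSDIRS_PER_REPLICA = 3  # assumed from rend-spec v2: three consecutive HSDirs

def permanent_id(onion):
    """16-character v2 onion label -> 10-byte permanent id."""
    return base64.b32decode(onion.lower().split(".")[0].upper())

def time_period(perm_id, now):
    # The rotation point is shifted by the first id byte, so each onion
    # changes its descriptor ids at its own time of day.
    return (now + perm_id[0] * 86400 // 256) // 86400

def descriptor_id(perm_id, period, replica, cookie=b""):
    secret = hashlib.sha1(struct.pack(">I", period) + cookie + bytes([replica])).digest()
    return hashlib.sha1(perm_id + secret).digest()

def next_hsdirs(desc_id, ring, n=HSDIRS_PER_REPLICA):
    """ring: sorted 20-byte HSDir fingerprints; the n that follow desc_id, wrapping."""
    start = bisect.bisect_right(ring, desc_id)
    return [ring[(start + i) % len(ring)] for i in range(min(n, len(ring)))]

def hsdir_map(onion, now, ring):
    """replica number -> fingerprints responsible for this onion at time `now`."""
    pid = permanent_id(onion)
    period = time_period(pid, now)
    return {r: next_hsdirs(descriptor_id(pid, period, r), ring) for r in range(REPLICAS)}

# Constructed sample data: a placeholder honeytoken address and 40 fake relays.
HONEYTOKEN = "qaaaaaaaaaaaaaaa.onion"
RING = sorted(hashlib.sha1(b"constructed-relay-%d" % i).digest() for i in range(40))

if __name__ == "__main__":
    # One second apart, straddling this address's rotation point.
    for now in (1410566400 + 43199, 1410566400 + 43200):
        for replica, dirs in hsdir_map(HONEYTOKEN, now, RING).items():
            print(now, "replica", replica, [d.hex()[:8] for d in dirs])
```

Logging this map per time period next to the honeytoken's access log narrows any unexpected visit to the six directories that held the descriptor when it happened.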

