[tor-talk] Blocking Shadowserver honeypots

Damian Johnson atagar1 at gmail.com
Sat Mar 19 05:06:57 UTC 2011


Hi Alexander. Thanks for running a relay!

> If yes, I wanted to ask if anybody knows a way to check every outgoing TCP
> connection for connecting to *.sinkhole.shadowserver.org and dropping it
> if needed.

I haven't seen any complaints about this with Amunet. The exit policy
doesn't accept hostnames (nor wildcards in them) so your best bet is
probably to just reject connections to their current honeypots and add
more if you keep getting complaints. Here's what robtex reports for
the sinkhole subdomains:
74-208-15-160.sinkhole.shadowserver.org
74-208-15-97.sinkhole.shadowserver.org
74-208-164-166.sinkhole.shadowserver.org
74-208-164-167.sinkhole.shadowserver.org
74-208-64-145.sinkhole.shadowserver.org
74-208-64-191.sinkhole.shadowserver.org
87-106-24-200.sinkhole.shadowserver.org
87-106-250-34.sinkhole.shadowserver.org

so ExitPolicy reject 74.208.15.160, reject 74.208.15.97, reject
74.208.164.166... etc

Cheers! -Damian

PS. We also have a tor-relays list you might find a bit more helpful
for this sort of question:
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays/
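
Added example (not part of the original message): a small Python helper that turns sinkhole hostnames like those listed above into torrc ExitPolicy reject lines. It assumes the leading hostname label encodes the IPv4 address with dashes, as the robtex names do; the function names are hypothetical and the extra sample entries are constructed.

```python
import ipaddress
import re

# Assumption: the leading label of each sinkhole hostname encodes its IPv4
# address with dashes, as in the robtex list quoted in the message.
SINKHOLE_RE = re.compile(
    r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.sinkhole\.shadowserver\.org\.?$",
    re.IGNORECASE,
)


def sinkhole_ip(hostname):
    """Return the IPv4Address embedded in a sinkhole hostname, or None."""
    m = SINKHOLE_RE.match(hostname.strip())
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(".".join(m.groups()))
    except ipaddress.AddressValueError:
        return None  # e.g. an octet above 255


def exit_policy_lines(hostnames):
    """Build one 'ExitPolicy reject ADDR:*' torrc line per unique address."""
    addrs = sorted({ip for ip in map(sinkhole_ip, hostnames) if ip is not None})
    return [f"ExitPolicy reject {ip}:*" for ip in addrs]


# First three names are from the message; the rest are constructed edge cases.
SAMPLE = [
    "74-208-15-160.sinkhole.shadowserver.org",
    "74-208-15-97.sinkhole.shadowserver.org",
    "87-106-24-200.sinkhole.shadowserver.org",
    "74-208-15-160.sinkhole.shadowserver.org.",  # duplicate with trailing dot
    "999-1-1-1.sinkhole.shadowserver.org",       # invalid octet, skipped
    "www.shadowserver.org",                      # not a sinkhole name, skipped
]

if __name__ == "__main__":
    print("\n".join(exit_policy_lines(SAMPLE)))
```

Tor applies exit policy rules in order and the first match wins, so the generated reject lines belong before any accept rules in torrc.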

