[tor-talk] Tor honeypot
Griffin Boyce
griffin at cryptolab.net
Wed Oct 12 15:43:44 UTC 2016
Flipchan wrote:
> So something that listens on port 9001 and logs all incoming requests
> just to see if there is anything scanning for Tor ports and trying to
> hack them, has this been done? Would be cool to look at the data from
> that if anyone got a link. I can't find something like this
> online :/
Hi there,
One of the cooler projects like this was Roya's active probing
research on the Great Firewall[1]. In her case, she ran a private
bridge (not distributed, only for her research use), connected to the
bridge once from within China, then watched for new connection attempts.
She also ran a packet capture for a day to help find patterns (as,
again, no one's traffic passed through except hers). And it's easy to
run a service on port 9001, do the connection, then remove the service
if you don't want to use tor. =)
There are lots of misc scans going on, which mostly seem to be
curiosity. Whenever an interesting/weird piece of malware comes out
(which opens a rando port), I will occasionally do a scan to see how
many machines may be infected. Funny story: after an NSA backdoor
report came out, I found that millions of devices had that port open via
a scan. After a brief freakout, I investigated further and found that a
popular "smart TV" used the same port. :D All of this to say, of
course, that the follow-up investigating and research matter a lot heh.
~Griffin
[1] http://www.cs.princeton.edu/~rensafi/projects/active-probing/index.html
--
Accept what you cannot change, and change what you cannot accept.
PGP: 0x03cf4a0ab3c79a63
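
The listener discussed in this thread, as an added example that is not part of the original message or of any project mentioned in it: a log-only service on port 9001 that records each connection attempt and flags sources other than your own. The names `KNOWN_SOURCES`, `LOG_PATH`, `make_record` and `LogOnly` are hypothetical, and the address in `KNOWN_SOURCES` is a constructed documentation address standing in for the one you connect from yourself.

```python
import json
import socketserver
import time

# Assumption: the address you connect from yourself (constructed, TEST-NET-1).
KNOWN_SOURCES = {"192.0.2.10"}
LOG_PATH = "port9001.jsonl"   # hypothetical log file name


def make_record(peer_ip, peer_port, data, ts, known=KNOWN_SOURCES):
    """Build one log entry for a connection attempt."""
    return {
        "ts": round(ts, 3),
        "src": peer_ip,
        "sport": peer_port,
        "expected": peer_ip in known,        # False = unsolicited connection
        "nbytes": len(data),
        "first_bytes_hex": data[:32].hex(),  # enough to spot a TLS ClientHello
        # TLS handshake records start with content type 0x16, major version 0x03.
        "looks_like_tls": len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03,
    }


class LogOnly(socketserver.BaseRequestHandler):
    """Accept, read whatever arrives first, log it, close. Never replies."""

    def handle(self):
        self.request.settimeout(5)
        try:
            data = self.request.recv(4096)
        except OSError:          # timeout or reset: still log the attempt
            data = b""
        rec = make_record(self.client_address[0], self.client_address[1],
                          data, time.time())
        with open(LOG_PATH, "a") as fh:
            fh.write(json.dumps(rec) + "\n")


class Server(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


if __name__ == "__main__":
    # Binds the port named in the thread; nothing else may be listening on it.
    with Server(("0.0.0.0", 9001), LogOnly) as srv:
        srv.serve_forever()
```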