On Wed, Apr 13, 2011 at 04:24:04PM -0700, Porcelain Mouse wrote:
I also sounds like you might be interested in more details. Actually, Geoff guessed correctly. Both shutdowns where a result of separate single events in Shadowserver's reports. The first event was a connection to a known C&C IRC server. After the second shutdown, but before I received the new logs, I figured I would just update my exit rules to reject IRC ports. But, the second event was a single connection to one of Shadowserver's honeypot HTTP servers.
Right. If somebody makes a Tor request to a destination that your ISP commonly associates with an infection, then they'll assume you're infected. They don't much care about subtlety.
The exciting part here is that security researchers actually use Tor to examine these infection destinations, because they need to do that examination anonymously rather than from their university or corporate IP space. I know several groups that are using Tor to spot-check their conclusions about bad guys on the Internet -- the double twist is then that some of the bad guys have started to not infect you if you're coming from a Tor IP address (because they want to hide from the security researchers). So in this sense you're safer on the Internet if you're using Tor. :)
I didn't think there would be any use for an exit that rejected HTTP, too.
Well, exiting to whatever you can exit to is still more valuable than not. More and more stuff is available over port 443 these days, for example.
grarpamp's suggestion was great, too. I thought of running my own IDS between the exit and my gateway, and, in fact, it's already on my list of projects. I'll add Tor to the list of reasons I should put some effort into it.
Moritz - Now that I'm no longer fighting with my provider about exits, perhaps I can spare some time. I don't know what you might need, but I would be happy to help, if I can.
Oh, and speaking of help. I volunteer to update the FAQ, provided that's desirable and the Tor project folks are agreeable. Who should I talk to about that? tor-assistants at torproject.org ?
Sure. Actually, a better approach would be to open a ticket in the 'website' category on our trac: https://trac.torproject.org/projects/tor/newticket
--Roger