[tor-talk] Blocking Shadowserver honeypots

Alexander Bernauer alex-tor at copton.net
Fri Mar 18 23:02:10 UTC 2011


Hi

My ISP keeps on getting abuse reports from Shadowserver because of IRC
bots attacking their honeypots from my Tor exit node.

Turns out, the "victim's" IP addresses are registered as belonging to
subdomains of sinkhole.shadowserver.org. 

I don't quite understand how any attacker is trapped by a honeypot that
is publicly marked as being one. Furthermore, I don't know how this IRC
bot is able to operate with mail and web ports only as my Tor exit node
is dropping everything else. But apparently this keeps on happening.

Am I the only one having this annoying problem?

If no, I wanted to ask how you deal with this?

If yes, I wanted to ask if anybody knows a way to check every outgoing TCP
connection for connecting to *.sinkhole.shadowserver.org and dropping it
if needed.

Additionally, I will try to get in contact with these Shadowserver
cracks to kindly ask them not to send useless and confusing abuse
reports to my ISP. Explaining the issue to the latter unfortunately
failed...

best regards

Alex
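
Added example, not part of the original post: Tor's ExitPolicy matches addresses and ports, not hostnames, so a block on *.sinkhole.shadowserver.org has to be expressed as the IP addresses whose reverse DNS falls under that suffix. The sketch below assumes the PTR lookups have already been done (the address/name pairs are constructed, using documentation ranges) and turns the matching IPv4 addresses into collapsed `ExitPolicy reject` lines.

```python
import ipaddress

# Suffix taken from the post; everything else below is constructed.
SINKHOLE_SUFFIX = "sinkhole.shadowserver.org"

# Constructed (IP, PTR name) pairs standing in for reverse-DNS results of
# the destination addresses named in abuse reports. 192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges, not real sinkhole addresses.
SAMPLE_PTR = [
    ("192.0.2.16", "a.sinkhole.shadowserver.org."),           # trailing dot
    ("192.0.2.17", "B.Sinkhole.Shadowserver.ORG"),            # mixed case
    ("192.0.2.18", "sinkhole.shadowserver.org"),              # the apex itself
    ("192.0.2.19", "c.sinkhole.shadowserver.org"),
    ("198.51.100.7", "notsinkhole.shadowserver.org"),         # not a subdomain
    ("198.51.100.8", "sinkhole.shadowserver.org.example.net"),  # suffix in the middle
    ("198.51.100.9", ""),                                     # no PTR record
]


def is_sinkhole(ptr_name, suffix=SINKHOLE_SUFFIX):
    """True if ptr_name is the suffix itself or a subdomain of it."""
    name = ptr_name.strip().rstrip(".").lower()
    # Compare on a label boundary so "notsinkhole..." does not match.
    return name == suffix or name.endswith("." + suffix)


def exit_policy_lines(ptr_pairs):
    """Return torrc ExitPolicy reject lines covering the sinkhole IPv4 addresses."""
    hits = [ipaddress.ip_network(ip) for ip, ptr in ptr_pairs if is_sinkhole(ptr)]
    # Merge adjacent addresses into the smallest set of CIDR blocks.
    merged = ipaddress.collapse_addresses(hits)
    return ["ExitPolicy reject %s:*" % net for net in merged]


if __name__ == "__main__":
    for line in exit_policy_lines(SAMPLE_PTR):
        print(line)
```

ExitPolicy rules are evaluated first match wins, so the generated reject lines belong above any accept lines in torrc.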