[tor-talk] Exit node stats collection?

Martijn Grooten tor at lapsedordinary.net
Wed Sep 4 23:11:23 UTC 2013


On Wed, 4 Sep 2013, mirimir wrote:
> Also, if this were a botnet, I would expect it to show up in honeypots.
> Wouldn't its bots be easily detected, through searching for Tor
> connections?

That depends on what the botnet is doing.

If it were using Tor to connect to some service on the public Internet, 
either for C&C communication, or to do something via Tor (like using Tor 
to leave comment spam), it would sooner or later end up in honeypots. I'm 
pretty sure it would have been discovered by now.

But Tor could also be used for communication with a control server on a 
hidden service, which would be a lot harder to detect by honeypots. 
Botnets have used this before - it could be that nodes in an existing 
botnet are gradually being updated to a newer version that uses Tor. It 
could also be a completely new botnet that is infecting machines at a 
fairly high rate.

Another possibility is a botnet, or perhaps just a piece of software, 
that is broken and thus causing a lot of unintended Tor traffic.

Or, as has been suggested, it could be a DDoS attack. Perhaps a DDoS 
attack on Tor as a whole, or perhaps a DDoS attack on a single (hidden) 
service that, given how Tor works, seriously disrupts the whole network.

Martijn.

