[tor-talk] Exit node stats collection?

mirimir mirimir at riseup.net
Wed Sep 4 23:45:54 UTC 2013


On 09/04/2013 11:11 PM, Martijn Grooten wrote:

> On Wed, 4 Sep 2013, mirimir wrote:
>> Also, if this were a botnet, I would expect it to show up in honeypots.
>> Wouldn't its bots be easily detected, through searching for Tor
>> connections?
> 
> That depends on what the botnet is doing.
> 
> If it were using Tor to connect to some service on the public Internet,
> either for C&C communication, or to do something via Tor (like using Tor
> to leave comment spam), it would sooner or later end up in honeypots.
> I'm pretty sure it would have been discovered by now.
> 
> But Tor could also be used for communication with a control server on a
> hidden service, which would be a lot harder to detect by honeypots.

China seems to know how to detect Tor traffic. Are their methods public
knowledge?

> Botnets have used this before - it could be that nodes in an existing
> botnet are gradually being updated to a newer version that uses Tor. It
> could also be a completely new botnet, that is infecting machines at a
> fairly high rate.

Growing a botnet with 2-4 million bots in a couple of weeks seems
impressive. Or am I just naive?

Are there many botnets that size these days?

> Another possibility is a botnet, or perhaps just a piece of software,
> that is broken and thus causing a lot of unintended Tor traffic.

Could a smaller group of Tor clients be doing something that would get
them counted multiple times in Tor stats? Would frequently changing IP
address do it?

> Or, as has been suggested, it could be a DDoS attack. Perhaps a DDoS
> attack on Tor as a whole, or perhaps a DDoS attack on a single (hidden)
> service, that, given how Tor works, seriously disrupts the whole network.

Are you suggesting that relatively few instances of DDoS software might
be sending traffic that Tor interprets as highly numerous clients?

> Martijn.


