[tor-talk] Someone is crawling TorHS Directories: Honeypot

grarpamp grarpamp at gmail.com
Sun Nov 9 19:27:08 UTC 2014


On Fri, Sep 12, 2014 at 3:51 PM, Fabio Pietrosanti (naif)
<lists at infosecurity.ch> wrote:
> about a month ago I wanted to verify if someone is actively crawling
> TorHS that are inside the memory of Tor HS directories.
>
> So, I've set up a small Tor Hidden Service Honeypot at home with an unknown,
> unpublished, non-publicly-linked TorHS, with a relatively simple setup:

> With such setup if someone would connect to my TorHS, it would be for
> sure a malicious user whose primary goal is to harvest TorHS addresses
> for research or intelligence purposes.

> To know about such TorHS address the attacker must be running a
> malicious Tor Relay acting as a TorHS Directory, with Tor's code
> modified to dump from the RAM memory the TorHS list, then harvest them
> with an http client/script/crawler.

> Yesterday I received my first email from the honeypot; report below.

> It would be nice to extend this concept to proactively detect and
> identify who's running such malicious Tor Relays by logging/mapping
> every HSDir that is selected/rotated for such Tor Hidden Services.

> GET / HTTP/1.1

There are two other honeypot-able events before such TCP
packets are ever even sent over the circuit to appear at the HS host's
stack via HiddenServicePort VIRTPORT TARGET:
- request for descriptor from HSDirs (you can't see this)
- making HS circuit between client and HS (you can see this nego)
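The listener side of the setup described in the quoted message, as an added example that is not part of the thread and not Fabio's own honeypot code. It assumes a torrc with `HiddenServiceDir` pointing at an unpublished service and `HiddenServicePort 80 127.0.0.1:8080`; the bind address, the in-memory hit log and the report wording are my choices. Because the tor daemon is what connects to the target port, the peer address is always 127.0.0.1, so the useful evidence is the timestamp and the request itself, not a source IP.

```python
# Added example (not from the thread): a minimal listener for an unpublished
# onion service, sitting behind a torrc line such as
#   HiddenServicePort 80 127.0.0.1:8080        (assumed configuration)
# Since the address is never published, every request that arrives is worth
# an alert. The handler records the request line and headers and a helper
# renders the report text; delivery (sendmail, a local MTA) is left to the
# operator's existing tooling.
import socketserver
import threading
import time
from typing import Dict, List, Optional

BIND = ("127.0.0.1", 8080)        # assumed HiddenServicePort target
HITS: List[Dict] = []             # in-memory log of every hit
_LOCK = threading.Lock()


def parse_request(raw: bytes) -> Optional[Dict]:
    """Parse the request line and headers of one HTTP request.
    Returns None for anything that is not a syntactically valid request;
    that is still logged, since nothing legitimate should arrive at all."""
    try:
        head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    except Exception:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return {"method": parts[0], "path": parts[1], "version": parts[2],
            "headers": headers}


class HoneypotHandler(socketserver.BaseRequestHandler):
    def handle(self):
        raw = self.request.recv(8192)
        record = {
            "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "parsed": parse_request(raw),
            "raw": raw,
        }
        with _LOCK:
            HITS.append(record)
        # Reply with an empty page: the goal is to observe, not to serve.
        self.request.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")


def format_alert(record: Dict, onion: str) -> str:
    """Render the e-mail body for one recorded hit."""
    p = record["parsed"]
    if p is None:
        summary = "malformed request: %r" % record["raw"][:200]
    else:
        summary = "%s %s %s" % (p["method"], p["path"], p["version"])
        for k, v in sorted(p["headers"].items()):
            summary += "\n  %s: %s" % (k, v)
    return ("Honeypot onion %s was contacted at %s\n%s\n"
            % (onion, record["time"], summary))


def serve_forever(bind=BIND):
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(bind, HoneypotHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve_forever()
```

Run it under the same user as the tor daemon or on a host it can reach, and have a cron job or a wrapper mail `format_alert()` for each new entry in `HITS`. Keep the server's clock synced: correlating a hit with the HSDir rotation at that moment is the only attribution path available, since the descriptor fetch at the HSDir is invisible from the service side.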


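Fabio's follow-up idea of logging which HSDirs are selected for the honeypot, and grarpamp's point that the descriptor request at the HSDir is not visible to the service operator, both come down to knowing the responsible HSDirs at the time of a hit. As an added example (not from the thread, not Tor project code), the block below derives the v2 descriptor ids of that era following the derivation in rend-spec-v2 (permanent id, time period, secret id part, descriptor id) and walks the HSDir fingerprint ring to find the three relays per replica that held the descriptor. The relay list `FAKE_HSDIRS` is a constructed stand-in for the HSDir-flagged relays of a consensus; with a live tor you would feed it the real fingerprints and run it on every rotation.

```python
# Added example (not from the thread): for the v2 onion services of 2014,
# compute which HSDirs were responsible for a service's descriptor at a given
# time, following the descriptor-id derivation in rend-spec-v2 section 1.3.
# Logging this for the honeypot on every rotation lets a hit be correlated
# with the handful of relays that could have learned the address from their
# own descriptor store. The relay list is a constructed stand-in for the
# consensus; with a live tor you would feed it the HSDir-flagged relays.
import base64
import hashlib
import struct
from typing import List, Tuple

REPLICAS = 2        # hsdir_n_replicas in rend-spec-v2
SPREAD_STORE = 3    # hsdir_spread_store: relays per replica


def permanent_id(onion: str) -> bytes:
    """'xxxxxxxxxxxxxxxx.onion' -> 10-byte permanent id (v2 addresses)."""
    label = onion.split(".")[0].upper()
    pid = base64.b32decode(label)
    if len(pid) != 10:
        raise ValueError("not a v2 onion address")
    return pid


def time_period(pid: bytes, unix_time: int) -> int:
    """Descriptor rotation period, offset per service by the first id byte
    so that not every service rotates at midnight."""
    return (unix_time + pid[0] * 86400 // 256) // 86400


def descriptor_id(pid: bytes, unix_time: int, replica: int,
                  cookie: bytes = b"") -> bytes:
    """descriptor-id = H(permanent-id | H(time-period | cookie | replica))."""
    secret = hashlib.sha1(struct.pack(">I", time_period(pid, unix_time))
                          + cookie + bytes([replica])).digest()
    return hashlib.sha1(pid + secret).digest()


def responsible_hsdirs(desc_id: bytes,
                       hsdirs: List[Tuple[str, bytes]]) -> List[str]:
    """The SPREAD_STORE relays whose fingerprints follow desc_id on the
    ring of HSDir fingerprints (wrapping around at the top)."""
    ring = sorted(hsdirs, key=lambda r: r[1])
    start = next((i for i, r in enumerate(ring) if r[1] >= desc_id), 0)
    return [ring[(start + k) % len(ring)][0] for k in range(SPREAD_STORE)]


def map_hsdirs(onion: str, unix_time: int,
               hsdirs: List[Tuple[str, bytes]]) -> List[List[str]]:
    """One list of responsible HSDir nicknames per replica."""
    pid = permanent_id(onion)
    return [responsible_hsdirs(descriptor_id(pid, unix_time, r), hsdirs)
            for r in range(REPLICAS)]


# Constructed stand-in for the HSDir ring: (nickname, 20-byte fingerprint).
FAKE_HSDIRS = [("hsdir%02d" % i,
                hashlib.sha1(b"constructed-relay-%d" % i).digest())
               for i in range(12)]

if __name__ == "__main__":
    # Constructed honeypot address: 10 arbitrary bytes, base32 encoded.
    onion = base64.b32encode(b"\x00honeypot!").decode().lower() + ".onion"
    for replica, names in enumerate(map_hsdirs(onion, 1410000000, FAKE_HSDIRS)):
        print("replica %d: %s" % (replica, ", ".join(names)))
```

Append the output, with the consensus valid-after time, to the honeypot's log each time the period changes; a hit then narrows the candidate relays to the six (two replicas times three) that held the descriptor in the current period plus those of the previous one, since crawlers may act on stale dumps.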