[tor-talk] blocking sinkholes and honeypots

scar scar at drigon.com
Tue Feb 28 04:07:11 UTC 2017


I receive notice quite often (1-2 times/month) from my ISP that they 
'detected malicious software' from my IP, ranging from virus, drones, 
worms, robots, etc.  I am using the 'reduced exit policy' for the node. 
Fortunately I am able to update my exit policy with a reject entry.  In 
hopes it will help other operators in preventing false complaints, below 
I provide the list I have accumulated (over the years, so some entries 
might be outdated).  If anyone has extras to contribute, please do!

But first I wonder if there could be a better solution.  Obviously if 
someone out there is using Tor for malicious purposes, sending 
complaints to the Tor operators isn't going to accomplish anything.  All 
that we can do is block the IPs on an individual basis, but this doesn't 
address anything really...  I feel there is little that could be done on 
either side actually.  It is for this reason that I believe we should 
encourage sinkhole/honeypot operators to just block/ignore Tor exit IPs 
that connect to their traps.  What do you all think?




#Sinkholes
ExitPolicy reject 74.208.164.166:*	# Sinkhole
ExitPolicy reject 84.163.172.250:*	# mebroot destination
ExitPolicy reject 87.106.0.0/16:*	# Sinkholes
ExitPolicy reject 87.255.51.229:*	# bots/Carberp, bots/Artro
ExitPolicy reject 91.20.196.40:*	# mebroot
ExitPolicy reject 104.244.12.0/22:*	# Conficker/Downadup
ExitPolicy reject 131.253.18.12:*	# Zbot / biggestfunds.com
ExitPolicy reject 143.215.130.33:*	# Sinkhole
ExitPolicy reject 143.215.143.11:*	# Sinkhole
ExitPolicy reject 148.81.111.121:*	# Sinkhole
ExitPolicy reject 149.20.56.0/24:*	# Sinkhole
ExitPolicy reject 178.162.203.202:*	# Sinkhole HTTP Drone Report
ExitPolicy reject 184.105.192.2:*	# Sinkhole HTTP Drone Report
ExitPolicy reject 192.42.116.41:*	# Sinkhole
ExitPolicy reject 193.166.255.171:*	# Sinkhole
ExitPolicy reject 195.197.175.21:*	# Sinkhole
ExitPolicy reject 198.87.3.75:*		# Sinkhole
ExitPolicy reject 199.2.137.0/24:*	# Sinkholes
ExitPolicy reject 204.95.96.0/20:*	# M$ Sinkholes
ExitPolicy reject 204.152.184.139:*	# Sinkhole
ExitPolicy reject 208.100.26.234:*	# Drone Report
ExitPolicy reject 216.218.185.160/29:*	# Shadow Server Sinkholes
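
Tor evaluates ExitPolicy entries in order and the first match wins, so reject lines like those above only take effect if they come before the accept lines of the exit policy in use. The following is an added example, not part of the original post: it parses one-policy-per-line IPv4 entries and reports rejects that an earlier accept already covers. The sample torrc fragment and all function names are constructed for illustration.

```python
import ipaddress

# Constructed torrc fragment: two early rejects, a short accept section, one late reject.
SAMPLE_TORRC = """\
ExitPolicy reject 87.106.0.0/16:*  # Sinkholes
ExitPolicy reject 216.218.185.160/29:*  # Shadow Server Sinkholes
ExitPolicy accept *:80
ExitPolicy accept *:443
ExitPolicy reject 192.42.116.41:*  # Sinkhole
ExitPolicy reject *:*
"""

def parse_exit_policy(text):
    """Parse one-policy-per-line IPv4 ExitPolicy entries, keeping file order."""
    rules = []
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        fields = body.split()
        if len(fields) != 3 or fields[0].lower() != "exitpolicy":
            continue
        addr, sep, ports = fields[2].rpartition(":")
        if not sep:                      # PORT omitted means "*"
            addr, ports = fields[2], "*"
        # strict parsing raises ValueError on typos such as host bits set in a CIDR
        net = None if addr == "*" else ipaddress.ip_network(addr)
        rules.append((fields[1].lower(), net, ports, comment.strip()))
    return rules

def port_matches(spec, port):
    lo, _, hi = spec.partition("-")      # "80", "6660-6667" or "*"
    return spec == "*" or int(lo) <= port <= int(hi or lo)

def decide(rules, ip, port):
    """Return (action, comment) of the first matching rule, or None if none match."""
    addr = ipaddress.ip_address(ip)
    for action, net, ports, comment in rules:
        if (net is None or addr in net) and port_matches(ports, port):
            return action, comment
    return None

def shadowed_rejects(rules):
    """List rejects for a specific network that an earlier accept already covers."""
    found = []
    for i, (action, net, _, comment) in enumerate(rules):
        for prev_action, prev_net, prev_ports, _ in rules[:i]:
            if (action == "reject" and net is not None and prev_action == "accept"
                    and (prev_net is None or net.subnet_of(prev_net))):
                found.append((str(net), prev_ports, comment))
    return found
```

In the constructed sample, the late entry for 192.42.116.41 is still reachable on ports 80 and 443, which is exactly what `shadowed_rejects` reports.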


