[tor-talk] blocking sinkholes and honeypots

Jon Tullett jon.tullett at gmail.com
Wed Mar 29 13:35:32 UTC 2017


On 7 March 2017 at 00:56, scar <scar at drigon.com> wrote:
> Jon Tullett wrote on 03/03/2017 10:47 AM:
>>
>> On 28 February 2017 at 06:07, scar <scar at drigon.com> wrote:
>>>
>>> I believe we should encourage sinkhole/honeypot operators to just
>>> block/ignore Tor exit IPs that connect to their traps.  What do you
>>> all think?
>>
>>
>> Wouldn't that risk giving away the fact that it's a honeypot?
>
>
> Not if the honeypot operators block Tor

What I mean is, if blocking Tor can be correlated as a positive
indicator that a service is a honeypot, it risks making it easier to
spot. Ideally, a honeypot should mimic a real world service as closely
as possible, so I'd be cautious about blocking Tor on honeypots. Might
handle exit node traffic differently, but even that risks giving
something away. I'm just inherently opposed to identifiably different
behaviour in this sort of context. YMMV.

-J

