Scott Bennett wrote:
(snip)
> What I found that seemed out of the ordinary was many dozens of
> connections to my directory mirror port from 83.103.38.65
> (fastweb65.ietnet.net)
(snip)
> 83.103.38.65 does not appear in my cached-consensus or
> cached-descriptors* files, so these are not simply tunneled directory
> connections from random sites getting funneled through one tor server
> in Italy.
> Can anyone tell me whether this is legitimate activity or whether I
> should begin blocking it at my router to encourage it to go away?
(snip)

It sounds mighty suspicious, in my opinion.

If I recall correctly, directory mirroring is based on HTTP (hence, why it's encouraged to host it on port 80 for "fascist firewalled" folks, if at all possible). Therefore, it would be vulnerable to any "fundamental" attack (i.e., based on the nature of TCP or HTTP) that any Web server would be.

Given that the system you mention doesn't seem to be a Tor node, I say that if it's not an attack, then something's pretty weird.

I'm no expert, but I say block the offending system. Does anyone else concur?

--
F. Fox
Owner of Tor node "kitsune"
CompTIA A+, Net+, Security+
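The check described in the quoted message (count connections to the directory port per source, then see whether the source is a relay listed in cached-consensus) can be scripted. The following is an added example, not part of the original thread; the consensus lines, connection list, DirPort 9030 and the threshold of 20 are constructed assumptions.

```python
from collections import Counter

# Constructed sample in the v3 consensus layout:
#   r nickname identity digest date time IP ORPort DirPort
SAMPLE_CONSENSUS = """\
network-status-version 3
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2007-12-11 22:10:05 192.0.2.10 9001 9030
s Fast Running Valid
r relayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2007-12-11 21:40:12 192.0.2.20 443 80
s Running V2Dir Valid
"""

# Constructed sample: (remote_ip, local_port) pairs, as could be extracted
# from netstat output on the relay. Addresses are documentation ranges.
SAMPLE_CONNECTIONS = (
    [("198.51.100.65", 9030)] * 40   # heavy DirPort user, not a relay
    + [("192.0.2.10", 9030)] * 25    # heavy DirPort user, but a listed relay
    + [("203.0.113.7", 9030)] * 2    # unlisted, but only a couple of fetches
    + [("198.51.100.65", 9001)] * 3  # ORPort traffic, ignored here
)


def relay_addresses(consensus_text):
    """Return the set of relay IP addresses found in consensus 'r' lines."""
    relays = set()
    for line in consensus_text.splitlines():
        fields = line.split()
        # The date and time are separate tokens, so the IP is field 6.
        if len(fields) >= 9 and fields[0] == "r":
            relays.add(fields[6])
    return relays


def suspicious_sources(connections, relays, dir_port, threshold):
    """Sources with >= threshold DirPort connections that are not relays."""
    counts = Counter(ip for ip, port in connections if port == dir_port)
    return sorted(
        (ip, n) for ip, n in counts.items()
        if n >= threshold and ip not in relays
    )


if __name__ == "__main__":
    relays = relay_addresses(SAMPLE_CONSENSUS)
    for ip, n in suspicious_sources(SAMPLE_CONNECTIONS, relays, 9030, 20):
        print(f"{ip}: {n} DirPort connections, not listed in consensus")
```

Absence from the consensus alone does not single a source out, since ordinary clients also fetch directory information from mirrors; it is the connection count combined with that absence that narrows the list.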

