Re: [tor-relays] HoneyPot?

2015-10-29 Thread Green Dream
Mirimir: aside from the nickname, do you have any reason to believe it was
out of the ordinary? The exit policy mostly only seems to allow
non-encrypted services (80 but not 443, 143

On Thu, Oct 29, 2015 at 1:22 PM, Mirimir wrote:

> Anyone know what HoneyPot was/is?
>
>
> https://atlas.torproject.org/#details/F77FD005BF74CD0B4C611389C3006452AEC60CA3
> ___
> tor-relays mailing list
> tor-relays@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>


Re: [tor-relays] HoneyPot?

2015-10-29 Thread Mike Perry
Green Dream:
> Mirimir: aside from the nickname, do you have any reason to believe it was
> out of the ordinary? The exit policy mostly only seems to allow
> non-encrypted services (80 but not 443, 143

A while ago we were actively marking nodes that only allowed
non-encrypted services as BadExit, since there were no satisfactory
explanations given as to why nodes should need this policy.

Back then, the most common explanation people gave was "I need the
ability to block traffic that looks evil." Unfortunately, all mechanisms
available to do this will also end up blocking legitimate content at
some rate. Nobody was using anything more advanced than snort-style
regular expressions that matched things that happened to look like
exploits.

FWIW, I am personally in favor of reinstating such a policy. I doubt the
situation has changed.

-- 
Mike Perry




Re: [tor-relays] HoneyPot?

2015-10-29 Thread Green Dream
(Oops, sorry, an errant keyboard shortcut sent the email too early.)

Mirimir: aside from the nickname, do you have any reason to believe it was
out of the ordinary? The exit policy mostly only seems to allow
non-encrypted services (80 but not 443, 143 but not 993), but that alone
isn't enough to give it the BadExit flag:

https://trac.torproject.org/projects/tor/wiki/doc/ReportingBadRelays#Whatisabadrelay


Re: [tor-relays] HoneyPot?

2015-10-29 Thread Mirimir
On 10/29/2015 03:05 PM, Mike Perry wrote:
> Green Dream:
>> Mirimir: aside from the nickname, do you have any reason to believe it was
>> out of the ordinary? The exit policy mostly only seems to allow
>> non-encrypted services (80 but not 443, 143
> 
> A while ago we were actively marking nodes that only allowed
> non-encrypted services as BadExit, since there were no satisfactory
> explanations given as to why nodes should need this policy.
> 
> Back then, the most common explanation people gave was "I need the
> ability to block traffic that looks evil." Unfortunately, all mechanisms
> available to do this will also end up blocking legitimate content at
> some rate. Nobody was using anything more advanced than snort-style
> regular expressions that matched things that happened to look like
> exploits.
> 
> FWIW, I am personally in favor of reinstating such a policy. I doubt the
> situation has changed.

I concur. Peeking at exit traffic violates Tor integrity, no?


Re: [tor-relays] HoneyPot?

2015-10-29 Thread Nchinda Nchinda
Probably someone being cute in their naming scheme.

Nchinda^2, -0.1743*kg^6 m^4 mol s^-14, @firescar96


On Thu, Oct 29, 2015 at 4:22 PM, Mirimir wrote:

> Anyone know what HoneyPot was/is?
>
>
> https://atlas.torproject.org/#details/F77FD005BF74CD0B4C611389C3006452AEC60CA3


Re: [tor-relays] HoneyPot?

2015-10-29 Thread Mirimir
On 10/29/2015 02:42 PM, Green Dream wrote:
> (Oops, sorry, an errant keyboard shortcut sent the email too early.)
> 
> Mirimir: aside from the nickname, do you have any reason to believe it was
> out of the ordinary? The exit policy mostly only seems to allow
> non-encrypted services (80 but not 443, 143 but not 993), but that alone
> isn't enough to give it the BadExit flag:
> 
> https://trac.torproject.org/projects/tor/wiki/doc/ReportingBadRelays#Whatisabadrelay

I had no reason to wonder about it, except for the name. But the fact
that it only seems to allow non-encrypted services is suspicious.

I'm guessing that it is or was part of some research project that
involves traffic interception.


Re: [tor-relays] HoneyPot?

2015-10-29 Thread Dhalgren Tor
It is the end of the month. Maybe they ran out of bandwidth and will be
back 11/1. LeaseWeb over-limit rates are terrifying.

BTW the exit policy includes 443.


Re: [tor-relays] HoneyPot?

2015-10-29 Thread Green Dream
> BTW the exit policy includes 443.

My mistake. I didn't realize the policy view on Atlas is truncated.


Re: [tor-relays] HoneyPot?

2015-10-29 Thread AMuse
 

Given the current state of the internet (i.e., massive warrantless spying
by LEOs and packet inspection by ISPs) I cannot imagine how any Tor
operator would block encrypted services and not be what most reasonable
people consider a "Bad exit".

On 2015-10-29 14:05, Mike Perry wrote: 

> Green Dream:
> 
>> Mirimir: aside from the nickname, do you have any reason to believe it was 
>> out of the ordinary? The exit policy mostly only seems to allow 
>> non-encrypted services (80 but not 443, 143
> 
> A while ago we were actively marking nodes that only allowed
> non-encrypted services as BadExit, since there were no satisfactory
> explanations given as to why nodes should need this policy.
> 
> Back then, the most common explanation people gave was "I need the
> ability to block traffic that looks evil." Unfortunately, all mechanisms
> available to do this will also end up blocking legitimate content at
> some rate. Nobody was using anything more advanced than snort-style
> regular expressions that matched things that happened to look like
> exploits.
> 
> FWIW, I am personally in favor of reinstating such a policy. I doubt the
> situation has changed.
> 


Re: [tor-relays] HoneyPot?

2015-10-29 Thread Green Dream
> I cannot imagine how any Tor operator would block encrypted services
> and not be what most reasonable people consider a "Bad exit".


It turns out this "HoneyPot" node is NOT blocking encrypted services. They
allow ports 443, 993, and other encrypted services. Unfortunately that line
of the exit policy isn't displayed on Atlas. You can see the full policy on
Globe:

https://globe.torproject.org/#/relay/F77FD005BF74CD0B4C611389C3006452AEC60CA3
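
The check this thread turns on, as an added example (not code from the list or from the Tor Project): given a relay's complete exit policy summary in the accept/reject form that Onionoo publishes, list the plaintext ports that are allowed while their encrypted counterparts are not. The sample policies and the 110/995 pair are assumptions made here; the truncated sample shows how a cut-off port list produces the false positive discussed above.

```python
# Plaintext port -> encrypted counterpart. 80/443 and 143/993 are the pairs
# named in the thread; 110/995 (POP3/POP3S) is an added assumption.
PAIRS = {80: 443, 143: 993, 110: 995}


def parse_ports(entries):
    """Expand summary entries such as "80" or "6660-6667" into (lo, hi) ranges."""
    ranges = []
    for entry in entries:
        lo, _, hi = entry.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def allows(summary, port):
    """True if the policy summary permits exiting to `port`."""
    if "accept" in summary:  # only the listed ports are allowed
        return any(lo <= port <= hi for lo, hi in parse_ports(summary["accept"]))
    if "reject" in summary:  # everything except the listed ports is allowed
        return not any(lo <= port <= hi for lo, hi in parse_ports(summary["reject"]))
    raise ValueError("summary needs an 'accept' or 'reject' list")


def plaintext_only_pairs(summary):
    """Return (plain, encrypted) pairs where only the plaintext port is allowed."""
    return [(p, e) for p, e in sorted(PAIRS.items())
            if allows(summary, p) and not allows(summary, e)]


# Constructed sample data, not the policy of any real relay.
FULL = {"accept": ["20-23", "53", "80", "110", "143", "443", "993", "995"]}
# The same list cut off after five entries, as a partly scrolled table shows it.
TRUNCATED = {"accept": FULL["accept"][:5]}
# A reject-style summary that really does block the encrypted ports.
REJECT_STYLE = {"reject": ["25", "443", "993"]}

if __name__ == "__main__":
    for name, s in [("full", FULL), ("truncated", TRUNCATED), ("reject", REJECT_STYLE)]:
        print(name, plaintext_only_pairs(s))
```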


Re: [tor-relays] HoneyPot?

2015-10-29 Thread Mirimir
On 10/29/2015 05:20 PM, Green Dream wrote:
>> I cannot imagine how any Tor operator would block encrypted services
>> and not be what most reasonable people consider a "Bad exit".
> 
> 
> It turns out this "HoneyPot" node is NOT blocking encrypted services. They
> allow ports 443, 993, and other encrypted services. Unfortunately that line
> of the exit policy isn't displayed on Atlas. You can see the full policy on
> Globe:
> 
> https://globe.torproject.org/#/relay/F77FD005BF74CD0B4C611389C3006452AEC60CA3

Why does Atlas drop stuff?



Re: [tor-relays] HoneyPot?

2015-10-29 Thread Roger Dingledine
On Thu, Oct 29, 2015 at 05:25:31PM -0600, Mirimir wrote:
> On 10/29/2015 05:20 PM, Green Dream wrote:
> >  Unfortunately that line
> > of the exit policy isn't displayed on Atlas. You can see the full policy on
> > Globe:
> > 
> > https://globe.torproject.org/#/relay/F77FD005BF74CD0B4C611389C3006452AEC60CA3
> 
> Why does Atlas drop stuff?

Hm? I can see the exit policy just fine on Atlas. You need to
scroll down in the "IPv4 Exit Policy Summary" table.

https://atlas.torproject.org/#details/F77FD005BF74CD0B4C611389C3006452AEC60CA3

--Roger



Re: [tor-relays] HoneyPot?

2015-10-29 Thread Mirimir
On 10/29/2015 09:18 PM, Roger Dingledine wrote:
> On Thu, Oct 29, 2015 at 05:25:31PM -0600, Mirimir wrote:
>> On 10/29/2015 05:20 PM, Green Dream wrote:
>>>  Unfortunately that line
>>> of the exit policy isn't displayed on Atlas. You can see the full policy on
>>> Globe:
>>>
>>> https://globe.torproject.org/#/relay/F77FD005BF74CD0B4C611389C3006452AEC60CA3
>>
>> Why does Atlas drop stuff?
> 
> Hm? I can see the exit policy just fine on Atlas. You need to
> scroll down in the "IPv4 Exit Policy Summary" table.
> 
> https://atlas.torproject.org/#details/F77FD005BF74CD0B4C611389C3006452AEC60CA3
> 
> --Roger

Doh. Thanks :)