
Someone Is Crawling TorHS Directories: Honeypot - lelf
https://lists.torproject.org/pipermail/tor-talk/2014-September/034751.html
======
danbruc
Here [1] is some research on enumerating hidden services. It would be shocking
to me if no one regularly enumerated hidden services given how cheap it may
be.

 _We have demonstrated that collecting the descriptors of all Tor hidden
services is possible in approximately 2 days by spending less than USD 100 in
Amazon EC2 resources._

As far as I know this will no longer work because Tor implemented appropriate
changes but there are probably other ways to do it.

[1] [http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf](http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf)

------
MichaelGG
Why _must_ this be malicious? It could be a researcher, or someone interested
in building a hidden service index, etc.

~~~
baddox
> To know about such TorHS address the attacker must be running a malicious
> Tor Relay acting as a TorHS Directory, with Tor's code modified to dump from
> the RAM memory the TorHS list, then harvest them with an http
> client/script/crawler.

Given that, I think a case could be made that even doing this for research is
acting in bad faith, if not "malicious."

~~~
patzerhacker
Tor hidden services announce their existence to their introduction points. The
fact that they exist is not something Tor tries to hide. What they do try to
hide is the location of these services.

Basically, if you don't want people to know that you're running a service over
Tor then you're relying on a guarantee that isn't there. If you want to hide
your location while announcing that you're running a service then you're
relying on a guarantee that Tor actually claims to provide.

If this is research then given the above how is it "in bad faith" or
"malicious"?

------
yc1010
I had another thought about how the hidden Tor sites were found: they were all
using Bitcoin. What if they were traced via the IP addresses of transactions
being issued by their servers running the Bitcoin daemon?

~~~
nikcub
A few darknet markets were exposed using this method some time ago (as well as
other IP leaks, such as email headers).

It is the type of leak that gets picked up by curious researchers within
hours/days of a market launching - not something that would linger for months
and be left for the FBI.

------
wowaname
Old.

~~~
legutierr
Yes, but relevant given recent events:

[https://news.ycombinator.com/item?id=8580131](https://news.ycombinator.com/item?id=8580131)

------
willvarfar
> Setup inetd on port 80 executing a small shell script
> /usr/local/bin/honeypot.sh

Just curious if this was vulnerable to shellshock?
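Whether an inetd-driven script is exposed to Shellshock depends on whether attacker-controlled bytes ever land in environment variables that a bash process then imports; inetd itself only hands the accepted socket to the program as stdin/stdout and derives no environment from the request. The script below is an added example, not the honeypot.sh from the tor-talk post (whose contents are not on this page): a minimal POSIX sh handler of the kind inetd would run on port 80. It parses the request from stdin, keeps header values in ordinary shell variables without exporting them, logs the request, and returns a fixed page. The log destination (HONEYPOT_LOG), the response body and the filename guard are assumptions for the example.

```shell
#!/bin/sh
# Added example of an inetd-style HTTP honeypot handler (not the original
# honeypot.sh). inetd gives the program the socket as stdin/stdout; the
# request only ever reaches this script as data read from stdin.

LOGFILE="${HONEYPOT_LOG:-/dev/stderr}"   # assumed log destination

# Read one HTTP request from stdin up to the blank line that ends the
# headers. Prints "METHOD<TAB>PATH<TAB>HOST<TAB>USER-AGENT"; returns 1 if
# no request line arrived. Header values stay in local shell variables
# and are never exported, so a child bash (even a Shellshock-vulnerable
# one) never sees attacker-controlled "() { ...;" function definitions.
parse_request() {
    method='' path='' host='-' ua='-'
    cr=$(printf '\r')
    IFS=' ' read -r method path _version || return 1
    while IFS= read -r line; do
        line=${line%"$cr"}               # strip trailing CR
        [ -z "$line" ] && break          # end of headers
        name=${line%%:*}
        value=${line#*:}
        value=${value# }
        case $(printf '%s' "$name" | tr 'A-Z' 'a-z') in
            host)       host=$value ;;
            user-agent) ua=$value ;;
        esac
    done
    printf '%s\t%s\t%s\t%s\n' "$method" "$path" "$host" "$ua"
}

# Fixed, harmless response so a crawler sees "a site" and moves on.
send_response() {
    body='<html><body>nothing here</body></html>'
    printf 'HTTP/1.0 200 OK\r\nContent-Type: text/html\r\nContent-Length: %s\r\nConnection: close\r\n\r\n%s' \
        "${#body}" "$body"
}

# One connection: parse, append a timestamped record to the log, respond.
# Under plain inetd the peer address is not available to the script;
# wrap the service with tcpd or use xinetd if you need it.
handle_connection() {
    rec=$(parse_request) || return 1
    printf '%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$rec" >> "$LOGFILE"
    send_response
}

# Only act as the service when installed under the assumed name, e.g.
# /usr/local/bin/honeypot.sh invoked from inetd.conf; sourcing the file
# elsewhere just defines the functions.
case "${0##*/}" in
    honeypot.sh) handle_connection ;;
esac
```

The corresponding inetd.conf line would be of the form `http stream tcp nowait nobody /usr/local/bin/honeypot.sh honeypot.sh`; the point of the example is that the User-Agent value, even one shaped like a Shellshock payload, is just bytes in a variable here, and the script would only become exposed if it exported such a value and then executed bash.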

