On 09/04/2013 11:11 PM, Martijn Grooten wrote:
> On Wed, 4 Sep 2013, mirimir wrote:
>> Also, if this were a botnet, I would expect it to show up in honeypots.
>> Wouldn't its bots be easily detected, through searching for Tor
>> connections?
>
> That depends on what the botnet is doing.
>
> If it were using Tor to connect to some service on the public Internet,
> either for C&C communication, or to do something via Tor (like using Tor
> to leave comment spam), it would sooner or later end up in honeypots.
> I'm pretty sure it would have been discovered by now.
>
> But Tor could also be used for communication with a control server on a
> hidden service, which would be a lot harder to detect by honeypots.

China seems to know how to detect Tor traffic. Are their methods public knowledge?

> Botnets have used this before - it could be that nodes in an existing
> botnet are gradually being updated to a newer version that uses Tor. It
> could also be a completely new botnet, that is infecting machines at a
> fairly high rate.

Growing a botnet with 2-4 million bots in a couple of weeks seems impressive. Or am I just naive? Are there many botnets that size these days?

> Another possibility is a botnet, or perhaps just a piece of software,
> that is broken and thus causing a lot of unintended Tor traffic.

Could a smaller group of Tor clients be doing something that would get them counted multiple times in Tor stats? Would frequently changing IP address do it?

> Or, as has been suggested, it could be a DDoS attack. Perhaps a DDoS
> attack on Tor as a whole, or perhaps a DDoS attack on a single (hidden)
> service, that, given how Tor works, seriously disrupts the whole network.

Are you suggesting that relatively few instances of DDoS software might be sending traffic that Tor interprets as highly numerous clients?

> Martijn.
