On Fri, 2012-10-19 at 17:11 +0200, Eugen Leitl wrote:
----- Forwarded message from Anon Mus <my.green.lantern@googlemail.com>
From: Anon Mus <my.green.lantern@googlemail.com>
Date: Fri, 19 Oct 2012 11:25:34 +0100
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] Is this a practical vulnerability?
Reply-To: tor-talk@lists.torproject.org
On 19/10/2012 04:12, Lee Whitney wrote:
I was reading a paper on discovering hidden service locations, and
couldn't find any reason it shouldn't work in principle.
However, being that I'm a Tor novice, I wanted to ask here.
In a nutshell they propose throwing some modified Tor nodes out there that
modify the protocol enough to track down the location. It does take some time, but it doesn't seem like years.
My experience is that there's already an easy method of identifying Tor hidden service nodes, and this takes little time to do.
Let me explain why I come to that opinion.
Having a static IP net connection, I set up a test web site as a Tor service on a Tor middleman server. That server had been a middleman server for about a year, no problems, no attempts to hack it in all that time.
Within 24hrs of making that Tor hidden service live I could see, in my firewall logs, hundreds of repeated attempts trying to hack my server, directly from the internet, not via my hidden Tor service. All were attempting to access various types of services/permissions which were mainly focused on attempting to gain control of a "web page server". All attacks were from US based places of higher education (colleges and universities), most from establishments where Tor servers were situated, but not from Tor servers themselves.
Now, bearing in mind that I had only EVER requested 1 web page (a blank test page, requested about 4 times) from my own Torified web browser (out and back, so to speak), and no OTHER (external) page requests were EVER received via the Tor hidden service, as shown by its log, someone must have been able to immediately see the service enter and track its source, and then attempted to hack the web server itself. It appeared to be a group of about 3 or 4 persons, each trying a different attack strategy over a 12 hour period. Hundreds of commands were sent, many in quick succession as if they were in some sort of script file, but some were live; at one point I even watched them live as they were coming in, as I countered their hack attempts.
This sounds pretty delusional ('as I countered their hack attempts' -- is this guy a TV writer?). I've had numerous hidden services hosting various different services, including ssh, http, xmpp, irc, and I've never seen anything like this.
-- 
Sent from Ubuntu