Scroogle & Tor

Daniel Brandt scroogle at sbcglobal.net
Wed Oct 1 10:33:41 PDT 2008


Scroogle's six servers have been under an around-the-clock flooding
that is coming through Tor. Until today, this has been going on for
eight days without any let-up.

They came into Scroogle in the form of one of three GET requests
for a search. They use DNS lookups of www.scroogle.org because
they hit only our servers that were currently in our DNS. Curiously,
they also picked up our favicon.ico consistently, which in retrospect
seems to suggest a misconfigured machine. Anyway, it slowed to a crawl
about ten hours ago.

The three search terms requested are easy to catch:

1)  damian+conway+perl
2)  osman+semerci+-fired
3)  issam+fares+-kanaan

We lifted our Tor blocks about an hour ago. Only a few per hour are
coming through by now, which we are handling directly based on the
search terms instead of trying to block all Tor exit nodes.

Originally we thought that someone was using Scroogle to scan for
possible Tor exit nodes. We chose to use null-route blocking to
defeat this, because a "Forbidden" would merely confirm that the
circuit found its intended destination.

Then we thought that whoever is doing this is anti-Tor as much as
anti-Scroogle, and that it was an attempted denial of service.

Now we think it was an out-of-control machine and that it was
turned off earlier today.

-- Daniel Brandt
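
The per-term handling described in the post, as an added example that is not part of the original message or Scroogle's own code: it classifies access-log requests by the three quoted search terms and lists client addresses that also sent ordinary searches, which an address-based block would cut off. The combined log format, the /search?q= URL and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# The three terms from the post, decoded ("+" means space in a query string).
FLOOD_TERMS = {"damian conway perl", "osman semerci -fired", "issam fares -kanaan"}
# Common/combined access-log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" \d{3}')

def is_flood_request(method, target):
    """True when a GET carries one of the flood terms in any query parameter."""
    if method != "GET":
        return False
    # parse_qsl decodes %xx and "+"; case and extra spaces are ignored (assumption).
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return any(" ".join(v.lower().split()) in FLOOD_TERMS for _, v in pairs)

def summarise(lines):
    """Per-client counts of flood hits, favicon fetches and other requests."""
    flood, favicon, other = Counter(), Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        client, method, target = m.groups()
        if is_flood_request(method, target):
            flood[client] += 1
        elif urlsplit(target).path == "/favicon.ico":
            favicon[client] += 1
        else:
            other[client] += 1
    return flood, favicon, other

def shared_exits(flood, other):
    """Clients that sent both flood and ordinary requests from one address."""
    return sorted(set(flood) & set(other))

# Constructed sample lines (documentation addresses, hypothetical /search?q= URL).
SAMPLE = [
    '192.0.2.10 - - [01/Oct/2008:09:00:01 -0700] "GET /search?q=damian+conway+perl HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Oct/2008:09:00:02 -0700] "GET /favicon.ico HTTP/1.1" 200 318',
    '198.51.100.7 - - [01/Oct/2008:09:00:03 -0700] "GET /search?q=osman%20semerci%20-fired HTTP/1.1" 200 4096',
    '198.51.100.7 - - [01/Oct/2008:09:00:05 -0700] "GET /search?q=tor+hidden+services HTTP/1.1" 200 6000',
    '203.0.113.5 - - [01/Oct/2008:09:00:06 -0700] "GET /search?q=issam+fares+kanaan HTTP/1.1" 200 6000',
]

if __name__ == "__main__":
    flood, favicon, other = summarise(SAMPLE)
    print(dict(flood), dict(favicon), shared_exits(flood, other))
```

The last sample line lacks the "-" exclusion operator, so it is a different search and is counted as ordinary traffic.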


