[tor-talk] Is this a practical vulnerability?

Fri Oct 19 19:30:20 PDT 2012

On Fri, 2012-10-19 at 17:11 +0200, Eugen Leitl wrote:
> ----- Forwarded message from Anon Mus <my.green.lantern at googlemail.com>
-----
>
> From: Anon Mus <my.green.lantern at googlemail.com>
> Date: Fri, 19 Oct 2012 11:25:34 +0100
> To: tor-talk at lists.torproject.org
> Subject: Re: [tor-talk] Is this a practical vulnerability?
> Reply-To: tor-talk at lists.torproject.org
>
> On 19/10/2012 04:12, Lee Whitney wrote:
> > I was reading a paper on discovering hidden service locations, and
couldn't find any reason it shouldn't work in principle.
> >
> > However being that I'm a Tor novice, I wanted ask here.
> >
> > In a nutshell they propose throwing some modified Tor nodes out there that
modify the protocol enough to track down the location.  It does take some
time, but it doesn't seem like years.
> >
> My experience is that there s already an easy method of identifying Tor
> hidden service nodes and this takes little time to do.
>
> Let me explain why I come to that opinion.
>
> Having  a static IP net connection, I set up a test web site as a Tor
> service on a Tor middleman server. That server had been a middleman server
> for about a year, no problems, no attempts to hack it in all that time.
>
> Within 24hrs of making that Tor hidden service live I could see, in my
> firewall logs, hundreds of repeated attempts trying to hack my server,
> directly from the internet, not via my hidden Tot service. All were
> attempting to access various types of services/permissions which were
> mainly focused on attempting to gain control of a "web page server". All
> attacks were from US based places of higher education (colleges and
> universities), most from establishments where Tor servers were situated
> but not from Tor servers themselves.
>
> Now bearing in mind that I had only EVER requested 1 web page (a blank
> test page - requested about 4 times) from my own Torrified web browser
> (out and back so to speak), and no OTHER (external) page requests were
> EVER received via the Tor hidden service, as shown by its log. Then
> someone must have been able to immediately see the service enter and track
> its source, who then attempted to hack the web server itself and it
> appeared to be a group of about 3 or 4 persons, each trying different
> attack strategy over a 12 hour period. Hundreds of commands were sent,
> many in quick succession as if they were in some sort of script file, but
> some were live, at one point I even watched them live as they were coming
> in as I countered their hack attempts.

This sounds pretty delusional ('as I countered their hack attempts' --
is this guy a TV writer?).

I've had numerous hidden services hosting various different services,
including ssh, http, xmpp, irc, and I've never seen anything like this.

--
Sent from Ubuntu

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]