eyedeekay
Tor's POW implementation is reminiscent of something in our tunnel build specification
eyedeekay
Could be combined with congestion caps as a tunnel spam defense maybe
dr|z3d
> Sure, or we could just get better at profiling tunnels that aren't doing anything useful.
dr|z3d
Their POW implementation is a direct response to onion services and onion guards being DDoSed. We don't yet have that issue.
eyedeekay
Guess I could be putting the cart before the horse there
RN
isnt that just proactive vs reactive?
dr|z3d
we're already proactive. we have decent throttle controls for services.
dr|z3d
if anything, eyedeekay, we could look at improving the tunnel filtering and throttle controls.
eyedeekay
On one level maybe but there is the argument that if we do it too early when there's not an attack to test it against we create more problems than we solve, I can see both sides
dr|z3d
the tunnel filtering could be extended to auto-block dests requesting prohibited urls, where the user supplies a list of urls they want blocked.
dr|z3d
would need to happen in the http server tunnel code, not the tunnel filter, but still, I think it's a good idea to provide out of the box features like this with a default blocklist given the prevalence of exploit scanners on the network.
obscuratus
Lets set it up so that the device makes an applause sound everytime we ban a hash, and a cheering-crowd sound when we ban a whole IP.
obscuratus
Satisfaction!
dr|z3d
eyedeekay: do you want to thump him or shall I? :)
eyedeekay
That implies a way to identify the exploit scanners and distribute the blocklists
obscuratus
It'll give our users a pleasing endorphin rush, and give them a sense of accomplishment.
eyedeekay
That sounds like a whole job by itself
dr|z3d
we already have a way to identify the scanners.
eyedeekay
Which scanners are we talking about?
RN
LOL @ obscuratus
dr|z3d
this was something I discussed previously with zzz, just never got around to writing it up past an initial post on his forum.
dr|z3d
http exploit scanners. all over the network.
RN
I have a list of some keywords that I find in my eepsite request logs that indicate vuln-scanning imho
RN
that's what I did with the filter mechanism as it is
RN
since the beginning of last month, I have accumulated 40 dests. of course those change but I haven't decided on how long to keep them yet.
RN
also, the way I'm set up is a periodic check of the log, not reactive to requests when they come in
RN
not ideal, but functional. especially if I tune the retention time and frequency of checking
dr|z3d
yeah, ideally we'd intercept the request and ban the dest before it even has chance to solicit a response.
RN
blackhole it, not 404
RN
imho
dr|z3d
it's not a casual thing, either, eyedeekay, these scanners are running 3 at a time.
dr|z3d
no, you don't want to 404 it. you want to instantly ban the dest.
RN
grep -E 'wp-|.htaccess|.svn|account|adm|admin.php|config.php|controlpanel|cpanel|FCKeditor
RN
'
RN
also recently seen /products
RN
the wp-* is looking for wordpress stuff... hence I named it wordpress_scanners but that's just a name, there are several vulerabilities they look for
dr|z3d
it's also looking for mysql backups and various other things last time I took note.
RN
yup
RN
I don't recall it has been a while since I looked at it, do they go in order? like the wp- ones first?
dr|z3d
probably, though it's been a while since I've given the scans my full attention. it appears to be a vuln scanner that has a list of pre-defined urls to check.
RN
yeah. That's why I worked with a former dev to fix the filtering mechanism we have.
eyedeekay
Would be really great if we could id which one/s
RN
at one point, I considers serving up each of those requests a screenshot of the corresponding software's login page
RN
moment of false success til they try to click in the text box
RN
hehe
RN
went down a youtube rabit hole the other day watching donair hack the scammers
dr|z3d
eyedeekay: which ones? urls you mean or?
eyedeekay
Urls yes
eyedeekay
Pull from whatever skid tools default list to start with
dr|z3d
If we run with this, I'm sure we can put together a reasonable default list.
eyedeekay
Suppose it would have to be more complicated than that though
eyedeekay
Identifying the tool would be a plus though
RN
"GET /wp-uploads/ HTTP/1.1" 404 0
dr|z3d
yeah, sure, we can investigate. though for a starting list, webserver logs will over time spill all the urls.
dr|z3d
"GET /products/cat HTTP/1.1"
dr|z3d
"GET /products HTTP/1.1"
dr|z3d
"GET /wp-users/ HTTP/1.1"
RN
GET /products/cat HTTP/1.1" 404 0
RN
yeah, etc
RN
grep -E '
RN
wp-|.htaccess|account|admin.php|config.php|controlpanel|cpanel|FCKeditor'
RN
previous version had some false positives
RN
sorry for any glitches that may have caused anyone
Opicaak
geti2p.net's FAQ page lists identiguy.i2p.xyz as a website to check if an eepsite is up/down. This url doesn't exist (anymore?). Might be a good idea to get rid of it, or replace it with something else.
dr|z3d
identiguy is a poor recommendation, even if it did work. It still fails to display ECIES only websites.
dr|z3d
Elsewise, for inproxy access, xyz is defunct. i2phides.me should replace .xyz hostnames.
obscuratus
identiguy.i2p is working fine for me. Is the xyz extension an entry portal from clearnet to i2p?
dr|z3d
defunct inproxy. you should not that as stated above, there are no ECIES only hosts listed on identiguy.
dr|z3d
*note
dr|z3d
eg. skank.i2p
obscuratus
So then, just say notbob.i2p is a better choice instead of falsely implying identiguy is dead.
dr|z3d
I wasn't implying it was dead, I was stating that .xyz is dead.
dr|z3d
If that was less than crystal clear in my response, my bad.
dr|z3d
And aside from the failure to list ECIES only hostnames, the query and submit features are also broken.