Hi relay ops,
A few hours ago I received a forwarded abuse report from Hetzner for
one of my machines running a Tor relay (not exit). Some random ISP was
claiming I was sending SSH connections to them, and at first I
couldn't find any corroborating evidence in my own network logs and I
was ready to dismiss it.
But then I noticed that there is in fact something weird: all 4 of my
machines running Tor relays are seeing *return* TCP traffic (RSTs or
SYN-ACKs) from port 22 from various machines all over the world, at a
very low rate. Kind of like someone spoofing source IPs to send SYNs
everywhere. I can't figure out at all whether that's actually what's
happening and what the intent would be though.
Some tcpdumps showing random RSTs coming back to my machines running
relays (with no traffic being initiated by said machines beforehand):
04:19:14.705034 IP 198.30.233.69.22 > 172.105.199.155.39998: Flags [R.], seq 0, ack 171173954, win 0, length 0
04:20:15.135733 IP 124.198.33.196.22 > 172.105.199.155.23506: Flags [R.], seq 0, ack 1985822135, win 0, length 0
04:21:30.222739 IP 223.29.149.158.22 > 172.105.199.155.27507: Flags [R.], seq 0, ack 3614869158, win 0, length 0
04:14:25.286063 IP 45.187.212.68.22 > 195.201.9.37.59639: Flags [R.], seq 0, ack 41396686, win 0, length 0
04:14:25.291455 IP 107.152.7.33.22 > 195.201.9.37.39793: Flags [R.], seq 0, ack 1391844539, win 0, length 0
04:14:25.322255 IP 107.91.78.158.22 > 195.201.9.37.48900: Flags [R.], seq 0, ack 1434896088, win 65535, length 0
04:12:39.470366 IP 121.150.242.252.22 > 77.109.152.87.57627: Flags [R.], seq 0, ack 2452733863, win 0, length 0
04:13:05.549920 IP 46.188.201.102.22 > 77.109.152.87.9999: Flags [R.], seq 0, ack 3253922544, win 0, length 0
04:14:33.027326 IP 1.1.195.62.22 > 77.109.152.87.52448: Flags [R.], seq 0, ack 351972505, win 0, length 0
By any chance, any other relay ops seeing the same thing, or am I just
going crazy? (it does kind of sound insane...)
Any speculation as to the reason for this?
Best,
--
Pierre Bourdon <delroth(a)gmail.com>
Software Engineer @ Zürich, Switzerland
https://delroth.net/
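The pattern Pierre describes (RST/ACK or SYN/ACK packets arriving from port 22 of hosts the relay never contacted) is what a spoofed-source SYN scan leaves behind on the victim: backscatter. A relay operator who wants to confirm that this is what an abuse report is really about can check a capture for inbound "answers" that have no matching outbound SYN. The script below is an added example written for this thread, not Pierre's own tooling: it parses tcpdump lines in the one-line format shown above (the mail-wrapped lines rejoined), remembers every bare SYN the local hosts sent, and flags any RST/ACK or SYN/ACK from a watched port that does not belong to one of those connections. The local address list is an assumed argument (here the two relay addresses quoted in the post); the sample capture is constructed and uses RFC 5737 documentation addresses for the remote side.

```python
import re
from collections import namedtuple

# One-line tcpdump format as seen in the thread (the mail-wrapped lines rejoined).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

Packet = namedtuple("Packet", "ts src sport dst dport flags")


def parse_line(line):
    """Parse one tcpdump line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Packet(m["ts"], m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), m["flags"])


def find_backscatter(lines, local_ips, watched_ports=(22,)):
    """Return inbound RST/ACK or SYN/ACK packets from a watched port that
    answer a connection this host never opened (spoofed-SYN backscatter).

    local_ips: addresses of our own machines (hypothetical argument; the
    sample uses the two relay addresses quoted in the thread).
    """
    local = set(local_ips)
    opened = set()   # 4-tuples of connections we really initiated (we sent a bare SYN)
    hits = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt.src in local and pkt.flags == "S":
            opened.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            continue
        if (pkt.dst in local and pkt.sport in watched_ports
                and pkt.flags in ("R.", "S.")):
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) not in opened:
                hits.append(pkt)
    return hits


def summarize(hits):
    """Count distinct remote hosts answering each local address."""
    per_local = {}
    for pkt in hits:
        per_local.setdefault(pkt.dst, set()).add(pkt.src)
    return {ip: len(srcs) for ip, srcs in per_local.items()}


# Constructed sample capture: RFC 5737 documentation addresses on the remote
# side, the two relay IPs from the thread on the local side. The first two
# lines are a connection we opened ourselves and must not be flagged; the
# last line is a RST from port 443 and is outside the watched ports.
SAMPLE_CAPTURE = """\
04:19:10.000001 IP 172.105.199.155.45000 > 203.0.113.10.22: Flags [S], seq 1, win 64240, length 0
04:19:10.020002 IP 203.0.113.10.22 > 172.105.199.155.45000: Flags [S.], seq 0, ack 2, win 65160, length 0
04:19:14.705034 IP 198.51.100.69.22 > 172.105.199.155.39998: Flags [R.], seq 0, ack 171173954, win 0, length 0
04:20:15.135733 IP 198.51.100.196.22 > 172.105.199.155.23506: Flags [R.], seq 0, ack 1985822135, win 0, length 0
04:21:30.222739 IP 192.0.2.158.22 > 172.105.199.155.27507: Flags [S.], seq 0, ack 3614869158, win 65535, length 0
04:14:25.286063 IP 192.0.2.68.22 > 195.201.9.37.59639: Flags [R.], seq 0, ack 41396686, win 0, length 0
04:14:26.000000 IP 192.0.2.99.443 > 195.201.9.37.59640: Flags [R.], seq 0, ack 1, win 0, length 0
"""
LOCAL_RELAYS = ["172.105.199.155", "195.201.9.37"]


if __name__ == "__main__":
    hits = find_backscatter(SAMPLE_CAPTURE.splitlines(), LOCAL_RELAYS)
    for pkt in hits:
        print(f"{pkt.ts} unsolicited [{pkt.flags}] from {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
    print(summarize(hits))
```

On a real capture (`tcpdump -n -l 'tcp and src port 22'` piped in, with the relay's own addresses as `local_ips`) a steady trickle of flagged packets from unrelated networks, with no SYNs of your own in the same capture, is the signature to attach to a reply to the hosting provider: the relay is the victim being spoofed, not the source of the scan.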
Hello everyone.
I have received a communication from my ISP regarding the IP where I have a Middle Relay and a Bridge, informing me that this IP is being used for a DDoS attack.
I have checked the servers and everything is correct; there are no strange processes running. I have run various tools and everything seems to be in order.
Therefore, has anyone encountered a similar case? Or even better, could someone be using Tor to carry out DDoS attacks?
I am a bit puzzled by this situation.
Thanks for your time
Kind regards
JAC
--
Sent with https://mailfence.com
Secure and private email
Meanwhile 3* OVH abuse report (twice the same, once for 2nd IP), Virtarix, ServaRICA - all from the same watchdogcyberdefence folks. I have replied to all above ISPs, no suspensions so far.
Just received a suspension note without ANY explanation from AvenaCloud - opened a support ticket with them...
On November 5, 2024 at 5:51 PM, mick <mbm(a)rlogin.net> wrote:
> On Tue, 5 Nov 2024 10:32:40 +0200
> "Dimitris T. via tor-relays"
> allegedly wrote:
>> another abuse report from hetzner (by the same watchdogcyberdefence)
>> a few hours ago. no reply from hetzner yet to previous ticket.
>>
>> this time, alleged attacked /20 subnet from watchdogcyberdefence was
>> firewalled since 30/10/2024, just to confirm new false abuse
>> reports..., and they confirmed (=their report, shows traffic from our
>> ip on 3/11/2024)....
>
> And I have received a new "abuse" report from Hetzner raised by the
> same bozos at watchdogcyberdefence, but this time purportedly aimed at
> FTP port 21.
> I've told Hetzner they are welcome to monitor traffic coming out of my
> node to reassure themselves that this is nonsense.
> Mick
> ---------------------------------------------------------------------
> Mick Morgan
> gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
> blog: baldric.net
> ---------------------------------------------------------------------
> _______________________________________________
> tor-relays mailing list -- tor-relays(a)lists.torproject.org
> To unsubscribe send an email to tor-relays-leave(a)lists.torproject.org
Hi folks!
We're hunting down a mystery where two of our big university relays are
having troubles reaching the Tor directory authorities:
https://gitlab.torproject.org/tpo/network-health/analysis/-/issues/86
Can you check to see if your relay is in a similar situation?
In particular, the situation to look for is "Tor process is
still running fine from your perspective, but, relay-search
(https://atlas.torproject.org/) says you are no longer running."
If your relay is in this situation, the next step is to check your Tor
logs, try to rule out other issues like firewall rules on your side,
and then (if you're able) to start exploring traceroutes to the directory
authority IP addresses vs other addresses. If you need more direct help,
we can help you debug or answer other questions on #tor-relays on IRC.
Thanks,
--Roger
Hi there.
I found the title of the above blog post highly ironic.
I run a Tor relay (middle and guard node). You appear to be sending
automated "abuse" reports to other ISPs as a result of what is
obviously (well obvious to anyone who studies the network traffic
properly) spoofed source address connections to SSH port 22 on random
servers around the net.
These "abuse" reports cause the ISP hosting the /real/ address of the
spoofed server to do one of two things. Either they just pass the
report on to the server admin for investigation, or they simply shut
down the server in question and lock the account of the operator. In
either case the perfectly innocent Tor server admin is highly
inconvenienced and the bad actor(s) doing the spoofing scans get the Tor
relay addresses blacklisted. This is detrimental to the health of the
Tor network.
Please look carefully at your automated abuse reporting system and add
some intelligence to it - preferably by getting a properly skilled
network administrator to look at the traffic /before/ firing off a
spurious report.
(Oh and BTW, SSH scanning at scale is so much part of the background
noise on the 'net that I am astounded that you should pay much
attention to it at all. I don't.)
Best
Mick
Just received today two abuse tickets...
On October 31, 2024 at 9:29 AM, Pierre Bourdon <delroth(a)gmail.com> wrote:
> On Tue, Oct 29, 2024, 03:33 Pierre Bourdon <delroth(a)gmail.com> wrote:
>> By any chance, any other relay ops seeing the same thing, or am I just
>> going crazy? (it does kind of sound insane...)
>> Any speculation as to the reason for this?
>
> My own write-up and explanation (and speculation) is available at https://delroth.net/posts/spoofed-mass-scan-abuse/ as a reference. I've had a few people email me saying they had the same scare moment after getting an abuse report and they ended up finding my article, so I'd like to think it's already helped a bit!
>
> I also received an email today from Hetzner's legal team saying that they have read my article (props on them, I didn't send it to them myself!). They are monitoring the situation on their side and emphasized that they do not usually take action on this kind of reports they have recently been forwarding to Tor relay operators. So at least for others hosting relays at Hetzner I don't think it's worth worrying too much. For other hosting providers, your mileage may vary.
Hi,
As mentioned in early October, we're in the process of upgrading our
main mail server, which includes upgrading to the shiny new Mailman 3
platform.
We have, right now, a prototype mailman 3 server available at:
https://lists-01.torproject.org/
It's hidden behind the usual "trivial" authentication (ask us on IRC if
you don't remember what it is), but should otherwise work normally.
I'm going to start by migrating the TPA mailing list and we'll be
testing this for a couple of days, but, next week, I'll start migrating
the other mailing lists (including this one!).
If people want to jump in front of that train early and be part of the
beta testers, then by all means I'm happy to have your mailing list be
part of the early adopters.
Be warned that Mailman 3 is a significant upgrade from Mailman 2. There
are some great things (like unified authentication), and some less great
things (like a more complex design and "shinier" web interface that
might not be everyone's taste).
As a reminder, we're doing this upgrade a little rushed because the main
mail server is now unsupported for security upgrades. See the details of
the proposal here:
https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/tpa-rfc-71-emerge…
... with the milestone tracking actual work issues in:
https://gitlab.torproject.org/groups/tpo/tpa/-/milestones/16
(Sorry for cross-posting this, but this seems like it warrants wider
distribution. As a rule of thumb, I selected mailing lists with public
archives that had posts in October 2024, removing duplicates like
anti-censorship-team and -alerts.
I also suspect many of those mailing lists will refuse my message
because I'm not subscribed, but I will have tried. :))
Phew!
a.
--
Antoine Beaupré
torproject.org system administration
_______________________________________________
tor-project mailing list
tor-project(a)lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project
As an update, once I showed the link from OONI to my ISP, they offered
to move my server to another location at no charge. So the Tor server
was moved from India to the UK. (Actually, I built a new one from
scratch.)
So I will mention here this ISP - Contabo.com - for their great
customer service and understanding of what Tor represents. They have
automatically and temporarily blocked my IP address - and informed me
that they did - 2 or 3 times in the past because they felt it was under
a DDoS attack, and I'm OK with that. At one point, communicating with
their support team, one person even wrote this to me:
We are glad to support your efforts in maintaining these relays, as
they play a crucial role in fighting censorship and promoting internet
freedom. Thank you for your ongoing trust and partnership.
I initially chose them because they have few exit relays (only 12 as of
today, 4 of them being mine, but there are about 100 other non-exit
relays). With that kind of service, I'm wondering why they are not more
popular for exit relays.
Denny
On 2024-10-22 15:41, tor-relays(a)queer.cat wrote:
> On 22/10/24 12:08, denny.obreham(a)a-n-o-n-y-m-e.net wrote:
>> I still haven't found a solution to my problem I stated earlier in
>> my email with the subject "Exit relay not in consensus"
>> https://lists.torproject.org/pipermail/tor-relays/2024-October/021899.html
>>
>> The most helpful answers were from Sebastian
>> <https://lists.torproject.org/pipermail/tor-relays/2024-October/021909.html>
>> and George
>> <https://lists.torproject.org/pipermail/tor-relays/2024-October/021918.html>.
>> I contacted the ASN but never received a response. My ISP was useless
>> as they just repeated "We don't block traffic."
>
> I've gone through the original thread you shared and found an OONI
> result that supports the notion that your ASN (141995) is blocking Tor
> directory authorities. You can view the result here:
> https://explorer.ooni.org/m/20241001034902.297107_US_tor_d6973b06186ed43a
>
>> As of today, the server is still active and running. You can't find
>> it in the metrics but it is still in the consensus
>> <https://consensus-health.torproject.org/consensus-health.html?#7BDDE0E7607A5F49578768F44CD721793FA2D7AE>.
>>
>> I did not have much time lately and have no clue what I can do from
>> this point forward.
>>
>> Denny
>>
>> On 2024-10-22 04:48, Roger Dingledine wrote:
>>
>> Hi folks! We're hunting down a mystery where two of our big
>> university relays are having troubles reaching the Tor directory
>> authorities:
>> https://gitlab.torproject.org/tpo/network-health/analysis/-/issues/86
>>
>> Can you check to see if your relay is in a similar situation? In
>> particular, the situation to look for is "Tor process is still running
>> fine from your perspective, but, relay-search
>> (https://atlas.torproject.org/) says you are no longer running."
>>
>> If your relay is in this situation, the next step is to check your Tor
>> logs, try to rule out other issues like firewall rules on your side,
>> and then (if you're able) to start exploring traceroutes to the
>> directory authority IP addresses vs other addresses. If you need more
>> direct help, we can help you debug or answer other questions on
>> #tor-relays on IRC.
>>
>> Thanks,
>> -- Roger