Dear experts,
my relay https://metrics.torproject.org/rs.html#details/0FBABB8C7B22CEDDFC849331E8E9… is shown as "down since more than three days" in Metrics.
The logs on the server however seem to show normal activity:
Nov 10 06:45:35 odin Tor[87753]: Heartbeat: It seems like we are not in the cached consensus.
Nov 10 06:45:35 odin Tor[87753]: Heartbeat: Tor's uptime is 12:00 hours, with 59518 circuits open. I've sent 69.19 GB and received 71.95 GB. I've received 24885 connections on IPv4 and 524 on IPv6. I've made 326621 connections with IPv4
and 106790 with IPv6.
Nov 10 06:45:35 odin Tor[87753]: While not bootstrapping, fetched this many bytes: 10227682 (server descriptor fetch); 6336 (server descriptor upload); 595320 (consensus network-status fetch); 307663 (microdescriptor fetch)
Nov 10 06:45:35 odin Tor[87753]: Average packaged cell fullness: 12.651%. TLS write overhead: 2%
Nov 10 06:45:35 odin Tor[87753]: Circuit handshake stats since last time: 0/0 TAP, 36156/36641 NTor.
Nov 10 06:45:35 odin Tor[87753]: Since startup we initiated 0 and received 0 v1 connections; initiated 0 and received 0 v2 connections; initiated 0 and received 0 v3 connections; initiated 0 and received 0 v4 connections; initiated 61280 and received 25404 v5 connections.
What caught my attention is the "seems like we are not in the cached consensus" log statement and also the Platform "Tor 0.4.8.13 on FreeBSD (version is 0.4.8.12 in consensus)" on Metrics
While being shown as "down" in Metrics, the stats continue to be updated and config changes like 'MaxAdvertisedBandwidth' are properly reflected in Metrics
Is there some issue with Metrics in conjunction with FreeBSD ?
On the OS, the only changes were automated OS updates.
Thanks for your feedback
Regards, C.
--
Sent with https://mailfence.com
Secure and private email
Hello all,
those watchdogcyberdefense "specialists" have meanwhile publicly admitted their mistake (of course, hidden in a political wording to create a different impression):
https://watchdogcyberdefense.com/2024/11/is-this-attackers-ip-spoofed/
Quote: "This experience got us thinking about the need for a swift way to identify spoofed IPs involved in attacks that create substantial backscatter traffic"
On November 8, 2024 at 4:44 PM, <tor-operator(a)urdn.com.ua> wrote:
gus :
> I'm writing to share that the origin of the spoofed packets has been
> identified and successfully shut down today, thanks to the assistance
> from Andrew Morris at GreyNoise and anonymous contributors.
Are you sure that it has been effectively shut down? We're still
receiving spoofed packets with IP addresses of Tor relays set as source
after this message has been posted. We've also received more "reports"
from the same newbies after this message was posted.
Our traps even see packets with the IP addresses of Tor relays that are
in the same subnet.
So far we've been able to trace this to a certain peer, we'll be
monitoring.
_______________________________________________
tor-relays mailing list -- tor-relays(a)lists.torproject.org
To unsubscribe send an email to tor-relays-leave(a)lists.torproject.org
--
Sent with https://mailfence.com
Secure and private email
Hello everyone.
I have received a communication from my ISP regarding the IP where I have a Middle Relay and a Bridge, informing me that this IP is being used for a DDoS attack.
I have checked the servers and everything is correct; there are no strange processes running. I have run various tools and everything seems to be in order.
Therefore, has anyone encountered a similar case? Or even better, could someone be using Tor to carry out DDoS attacks?
I am a bit puzzled by this situation.
Thanks for your time
King regards
JAC
--
Sent with https://mailfence.com
Secure and private email
Meanwhile 3* OVH abuse report (twice the same, once for 2nd IP), Virtarix, ServaRICA - all from the same watchdogcyberdefence folks. I have replied to all above ISPs, no suspensions so far.
Just received a suspension note without ANY explanation from AvenaCloud - opened a support ticket with them...
On November 5, 2024 at 5:51 PM, mick <mbm(a)rlogin.net> wrote:
On Tue, 5 Nov 2024 10:32:40 +0200
"Dimitris T. via tor-relays"
allegedly wrote:
> another abuse report from hetzner (by the same watchdogcyberdefence)
> a few hours ago. no reply from hetzner yet to previous ticket.
>
> this time, alleged attacked /20Â subnet from watchdogcyberdefence was
> firewalled since 30/10/2024, just to confirm new false abuse
> reports..., and they confirmed (=their report, shows traffic from our
> ip on 3/11/2024)....
And I have received a new "abuse" report from Hetzner raised by the
same bozos at watchdogcyberdefence, but this time purportedly aimed at
FTP port 21.
I've told Hetzner they are welcome to monitor traffic coming out of my
node to reassure themselves that this is nonsense.
Mick
---------------------------------------------------------------------
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876BÂ Â 72C0 0A1F E60B 5BAD D312
blog: baldric.net
---------------------------------------------------------------------
_______________________________________________
tor-relays mailing list -- tor-relays(a)lists.torproject.org
To unsubscribe send an email to tor-relays-leave(a)lists.torproject.org
--
Sent with https://mailfence.com
Secure and private email
Hi folks!
We're hunting down a mystery where two of our big university relays are
having troubles reaching the Tor directory authorities:
https://gitlab.torproject.org/tpo/network-health/analysis/-/issues/86
Can you check to see if your relay is in a similar situation?
In particular, the situation to look for is "Tor process is
still running fine from your perspective, but, relay-search
(https://atlas.torproject.org/) says you are no longer running."
If your relay is in this situation, the next step is to check your Tor
logs, try to rule out other issues like firewall rules on your side,
and then (if you're able) to start exploring traceroutes to the directory
authority IP addresses vs other addresses. If you need more direct help,
we can help you debug or answer other questions on #tor-relays on IRC.
Thanks,
--Roger
Hi there.
I found the title of the above blog post highly ironic.
I run a Tor relay (middle and guard node). You appear to be sending
automated "abuse" reports to other ISPS as a result of what is
obviously (well obvious to anyone who studies the network traffic
properly) spoofed source address connections to SSH port 22 on random
servers around the net.
These "abuse" reports cause the ISP hosting the /real/ address of the
spoofed server to do one of two things. Either they just pass the
report on to the server admin for investigation, or they simply shut
down the srevr in question and lock the account of the operator. In
either case the perfectly innocent Tor server admin is highly
inconvenienced and the bad actor(s) doing the spoofing scans get the Tor
relay addresses blacklisted. This is detrimental to the health of the
Tor network.
Please look carefully at your automated abuse reporting system and add
some intelligence to it - preferably by getting a properly skilled
network administrator to look at the traffic /before/ firing off a
spurious report.
(Oh and BTW, SSH scanning at scale is so much part of the background
noise on the 'net that I am astounded that you should pay much
attention to it at all. I don't.)
Best
Mick
---------------------------------------------------------------------
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
blog: baldric.net
---------------------------------------------------------------------
Just received today two abuse tickets...
On October 31, 2024 at 9:29 AM, Pierre Bourdon <delroth(a)gmail.com> wrote:
On Tue, Oct 29, 2024, 03:33 Pierre Bourdon <delroth(a)gmail.com> wrote:
By any chance, any other relay ops seeing the same thing, or am I just
going crazy? (it does kind of sound insane...)
Any speculation as to the reason for this?
My own write-up and explanation (and speculation) is available at https://delroth.net/posts/spoofed-mass-scan-abuse/ as a reference. I've had a few people email me saying they had the same scare moment after getting an abuse report and they ended up finding my article, so I'd like to think it's already helped a bit!
I also received an email today from Hetzner's legal team saying that they have read my article (props on them, I didn't send it to them myself!). They are monitoring the situation on their side and emphasized that they do not usually take action on this kind of reports they have recently been forwarding to Tor relay operators. So at least for others hosting relays at Hetzner I don't think it's worth worrying too much. For other hosting providers, your mileage may vary.
_______________________________________________
tor-relays mailing list
tor-relays(a)lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
--
Sent with https://mailfence.com
Secure and private email