New to the list, I run a Tor exit node from my small cable modem connection in Honolulu, as well as for a short time on a few VPS's to prove to
Over the last several weeks, I have collected substantial evidence indicating that a botnet is degrading the Tor anonymity network in its entirety via a sustained denial of service attack. I believe it is made to blend in with all the other crazy packets that an exit node generates, but it is pretty easy to spot if you just look at the RST's or drops coming off your node, all from a static unused destination port. If you change the IP address of your node, it will take about 90 minutes before they identify your IP and you start getting attacked again. Do a whois lookup on a few of those VPS IP addresses and you will see the country involved.
Wondering what other folks are seeing with their relays.
UTC DATE | UTC TIME | IP | SRC-ISP | SPT | DST | DST-ISP | DPT | Flags
2013-03-28 | 7:33:38 | 173.208.95.126 | Nobis Technology Group, LLC | 2571 | 66.8.214.196 | Road Runner | 8118 | [S]
I believe 8118 is the polipo/privoxy gateway and that you are simply seeing the usual internet 'bot' scans for that proxy, and the box is returning the normal closed reset to the SYNs.
You may collate this flow data by IP and report the unwanted traffic to the ARIN netblock and PTR domain contacts. Or ignore it as a waste of time if the packet rate is an acceptable loss to internet noise.
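One way to collate such records by source IP for an abuse report, as an added example that is not part of either message. It assumes the raw log is space-separated with the same columns as the record quoted above; the sample rows are constructed (documentation address ranges, placeholder ISP names), and `collate` and `report` are hypothetical helper names.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample rows using the columns of the record quoted in the thread
# (UTC date, UTC time, source IP, source ISP, SPT, DST, DST ISP, DPT, flags).
# Addresses are from documentation ranges; ISP names are placeholders.
SAMPLE = """\
2013-03-28 7:33:38 192.0.2.10 Example Hosting, LLC 2571 203.0.113.5 Example Cable 8118 [S]
2013-03-28 7:33:41 192.0.2.10 Example Hosting, LLC 2572 203.0.113.5 Example Cable 8118 [S]
2013-03-28 7:40:02 198.51.100.7 Other Net Inc 40111 203.0.113.5 Example Cable 8118 [S]
2013-03-28 7:41:15 198.51.100.7 Other Net Inc 40112 203.0.113.5 Example Cable 443 [S]
not a flow record
"""

IP = r"(?:\d{1,3}\.){3}\d{1,3}"
# ISP names contain spaces and commas, so anchor on the IPs and numeric ports.
ROW = re.compile(
    rf"^(?P<date>\d{{4}}-\d\d-\d\d) (?P<time>\d{{1,2}}:\d\d:\d\d) "
    rf"(?P<src>{IP}) (?P<src_isp>.+?) (?P<spt>\d+) "
    rf"(?P<dst>{IP}) (?P<dst_isp>.+?) (?P<dpt>\d+) \[(?P<flags>[^\]]*)\]$"
)

def collate(text, dport=None):
    """Group SYN-only records by source IP; optionally keep one destination port."""
    hosts = defaultdict(lambda: {"isp": "", "count": 0, "first": None, "last": None})
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m or m["flags"] != "S":
            continue  # skip unparseable lines and anything that is not a bare SYN
        if dport is not None and int(m["dpt"]) != dport:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        h = hosts[m["src"]]
        h["isp"] = m["src_isp"]
        h["count"] += 1
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
    return dict(hosts)

def report(hosts):
    """One line per source, busiest first, with the UTC window the contact needs."""
    rows = sorted(hosts.items(), key=lambda kv: -kv[1]["count"])
    return [f"{ip}  {h['isp']}  syns={h['count']}  {h['first']}Z .. {h['last']}Z" for ip, h in rows]

if __name__ == "__main__":
    print("\n".join(report(collate(SAMPLE, dport=8118))))
```

Comparing `collate(log, dport=8118)` with `collate(log)` shows whether a source touches only the one port or sweeps several.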