On 28/03/13 17:21, grarpamp wrote:
New to the list, I run a Tor exit node from my small cable modem connection in Honolulu, as well as for a short time on a few VPS's to prove to

Over the last several weeks, I have collected substantial evidence indicating that a botnet is degrading the Tor anonymity network in its entirety via a sustained denial of service attack. I believe it is made to blend in with all the other crazy packets that an exit node generates, but it is pretty easy to spot if you just look at the RST's or drops coming off your node, all from a static unused destination port. If you change the IP address of your node, it will take about 90 minutes before they identify your IP and you start getting attacked again. Do a whois lookup on a few of those VPS IP addresses and you will see the country involved. Wondering what other folks are seeing with their relays.

UTC DATE    UTC TIME  IP              SRC-ISP                      SPT   DST           DST-ISP      DPT   Flags
2013-03-28  7:33:38   173.208.95.126  Nobis Technology Group, LLC  2571  66.8.214.196  Road Runner  8118  [S]
I believe 8118 is the polipo/privoxy gateway and that you are simply seeing the usual internet 'bot' scans for that proxy, and the box is returning the normal closed reset to SYNs.
You may collate this flow data by IP and report the unwanted traffic to the ARIN netblock and PTR domain contacts. Or ignore it as a waste of time if the packet rate is an acceptable loss to internet noise.
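One way to do the collation grarpamp suggests, as an added example that is not code from this thread: it parses flow lines in the layout of the table quoted above, counts distinct sources sending bare SYNs to each closed port, and groups the offenders per netblock for reporting. The sample flows, the ISP names and the set of ports the relay actually listens on are constructed assumptions (addresses are RFC 5737 documentation ranges); the whois lookup of the netblock contact is done outside the script.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed sample in the thread's table layout: date time src src-ISP spt dst dst-ISP dpt flags.
SAMPLE_FLOWS = """\
2013-03-28 07:33:38 198.51.100.10 Example Hosting, LLC 2571 192.0.2.5 ExampleCable 8118 [S]
2013-03-28 07:33:41 198.51.100.10 Example Hosting, LLC 2572 192.0.2.5 ExampleCable 8118 [S]
2013-03-28 07:34:10 198.51.100.11 Example Hosting, LLC 2580 192.0.2.5 ExampleCable 8118 [S]
2013-03-28 07:35:02 203.0.113.7 Example ISP B 4411 192.0.2.5 ExampleCable 8118 [S]
2013-03-28 07:36:15 203.0.113.9 Example ISP B 4412 192.0.2.5 ExampleCable 8118 [S]
2013-03-28 07:40:00 198.51.100.200 Example Hosting, LLC 51000 192.0.2.5 ExampleCable 9001 [S]
2013-03-28 07:41:09 203.0.113.77 Example ISP B 33333 192.0.2.5 ExampleCable 54321 [S]
"""

# ISP names may contain spaces and commas, so the fields are anchored on the numeric columns.
FLOW_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<src>\S+)\s+(?P<src_isp>.+?)\s+"
    r"(?P<spt>\d+)\s+(?P<dst>\S+)\s+(?P<dst_isp>.+?)\s+(?P<dpt>\d+)\s+"
    r"(?P<flags>\[[A-Z]*\])$"
)

def parse_flow(line):
    """Parse one flow line; returns a dict or None for lines that do not fit the layout."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"], rec["dpt"] = int(rec["spt"]), int(rec["dpt"])
    return rec

def syn_sources_by_port(lines):
    """Map destination port -> set of source IPs that sent a bare SYN to it."""
    by_port = defaultdict(set)
    for line in lines:
        rec = parse_flow(line)
        if rec and rec["flags"] == "[S]":
            by_port[rec["dpt"]].add(rec["src"])
    return by_port

def scan_candidates(lines, listening_ports, min_sources=3):
    """Closed ports probed by at least min_sources distinct IPs: the proxy-scan pattern.
    Ports the relay listens on (e.g. its ORPort) are excluded since SYNs there are normal."""
    by_port = syn_sources_by_port(lines)
    return {p: len(s) for p, s in by_port.items()
            if p not in listening_ports and len(s) >= min_sources}

def sources_by_netblock(lines, dport, prefix=24):
    """Distinct offending sources per /prefix, so one abuse report can cover a netblock."""
    counts = Counter()
    for src in syn_sources_by_port(lines).get(dport, set()):
        counts[str(ip_network(f"{src}/{prefix}", strict=False))] += 1
    return counts
```

Run it over your own firewall or flow export after adjusting `FLOW_RE` to that tool's column order; a port that shows up in `scan_candidates` with sources spread over many netblocks is the background scanning described in the thread rather than a targeted attack.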
There is definitely a large number of hits on the privoxy port that does seem to correlate with being in a published directory. That said, lots of Tor users also use privoxy, so it makes sense that those looking for open proxies may well be prioritizing Tor relay IP addresses for scanning, attempting to find poorly configured privoxy instances that can be used for arbitrary connections. Scanning of Tor nodes also seems to be higher than background in general, especially at higher bandwidth levels, but this is frequently the case for any kind of server or other node that stands out as clearly controlling larger amounts of bandwidth, because they are naturally more valuable targets for a variety of criminal activities (DDoS, spamming etc).
That said, while the ports vary, I believe that a large amount of the high port activity is in fact probably related to things such as BitTorrent, namely users attempting to use BT over Tor: the client detects the exit's IP as its public IP and reports that to the tracker, resulting in large numbers of machines attempting to make TCP connections with the system, usually with significant UDP traffic also.
In general I'd say that getting a large amount of hits on your firewall is pretty much expected as a result of this. For a DDoS, by far a more effective tactic would be to hit an open port, and all relays are advertising at least one of these, so I do not believe this is a DDoS. There are much more effective methods to perform a DDoS attack on the network, including several that are not merely more effective due to amplification but would also be a lot more subtle, because they would blend into the normal traffic better using standard protocols and features available on the network; need I mention DNS, for example.