On 2024-11-08 08:47, tor-relays+tor-relays@queer.cat wrote:
> This rule will also count SYN-ACKs sent from your own server to bots trying to connect to your SSH on port 22.
The rule is on the source port = 22, not the destination port = 22. Incoming bot connections will not have a sport = 22.
It is also in a chain hooked only to input packets and will not trigger on outgoing packets.
~# nft list table ip accounting
table ip accounting {
        chain input {
                type filter hook input priority filter; policy accept;
                ...
                tcp sport 22 tcp flags == 0x12 counter packets 210 bytes 12360
        }
}
My ssh service is anyway behind knockd, so my machine will never send out SYN-ACKs. The knockd ssh rule is reject, so it will only send out RSTs.
Also, these have to be coming from more than one source. The byte count is not an even multiple of the number of packets, meaning that there are almost assuredly different sources with different stack configurations.
I assess the rule is correctly configured to detect only incoming SYN-ACKs and that I am seeing SYN-ACKs from multiple machines that were targeted with SYNs spoofing my IP.
I am seeing this behavior on a friend's VPS with newly created relay. None of my more public-facing VPSs that are not involved in Tor are seeing these.
I would encourage everyone to add the above table and rule so we can assess how much SYN spoofing is still going on. So far spoofing seems now reduced in intensity but still occurring. But my data points are few, so more data points, and from more established servers than mine, would be valuable.
Oaive
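As an added example (not part of Oaive's message or of any tool used in the thread), the following Python script parses the counter line out of the quoted `nft list table ip accounting` output and applies the byte-count argument above: if the byte total is not an exact multiple of the packet count, the SYN-ACKs cannot all have been the same size, so more than one responding stack configuration is involved. It assumes that the `counter` expression in the input hook counts IPv4 packet length (20-byte IP header + 20-byte TCP header + options padded to 4-byte words, i.e. 40 to 60 bytes per SYN-ACK, no IP options); the sample output string is the one quoted in the thread, reflowed. The function names and the size table are this example's own.

```python
import re

# Plausible IPv4 SYN-ACK sizes as seen by an nft counter in the input hook
# (IP packet length): 20-byte IP header + 20-byte TCP header + TCP options
# padded to 4-byte words. 40 = no options; 60 = MSS, SACK-permitted,
# timestamps and window scaling. Assumption: IPv4 only, no IP options.
SYNACK_SIZES = (40, 44, 48, 52, 56, 60)

# Constructed sample: the `nft list table ip accounting` output quoted in the
# thread, reflowed onto separate lines; the counter values are the posted ones.
NFT_OUTPUT = """table ip accounting {
	chain input {
		type filter hook input priority filter; policy accept;
		tcp sport 22 tcp flags == 0x12 counter packets 210 bytes 12360
	}
}
"""

# Matches the rule text before a counter expression and the two totals.
COUNTER_RE = re.compile(
    r"^\s*(?P<rule>.*?)\s+counter packets (?P<pkts>\d+) bytes (?P<bytes>\d+)",
    re.M,
)


def parse_counters(text):
    """Return [(rule, packets, bytes), ...] for every counter in nft output."""
    return [(m["rule"], int(m["pkts"]), int(m["bytes"]))
            for m in COUNTER_RE.finditer(text)]


def single_size_possible(packets, nbytes):
    """True if all packets could have had one common size, i.e. the byte total
    is an exact multiple of the packet count. One host with one stack
    configuration produces identically sized SYN-ACKs, so a False here means
    at least two distinct packet sizes were counted."""
    return packets > 0 and nbytes % packets == 0


def explain_sizes(packets, nbytes, sizes=SYNACK_SIZES):
    """Find one mix of at most two per-packet sizes from `sizes` whose counts
    sum to `packets` and whose bytes sum to `nbytes`. Returns a list of
    (size, count) pairs, or None if no one- or two-size mix fits (at least
    three sizes would then be needed)."""
    for s in sizes:
        if s * packets == nbytes:
            return [(s, packets)]
    for i, s1 in enumerate(sizes):
        for s2 in sizes[i + 1:]:
            # a packets of size s1 and (packets - a) of size s2:
            #   a*s1 + (packets - a)*s2 == nbytes
            #   => a == (packets*s2 - nbytes) / (s2 - s1)
            num = packets * s2 - nbytes
            den = s2 - s1
            if num % den == 0:
                a = num // den
                if 0 < a < packets:
                    return [(s1, a), (s2, packets - a)]
    return None


def analyse(text):
    """Apply the byte-multiple argument to each counter in `text`."""
    results = []
    for rule, pkts, nbytes in parse_counters(text):
        results.append({
            "rule": rule,
            "packets": pkts,
            "bytes": nbytes,
            "mean_size": round(nbytes / pkts, 2) if pkts else None,
            # Sanity check on the size assumption: every candidate size is a
            # multiple of 4, so the total must be as well.
            "aligned": nbytes % 4 == 0,
            "single_size_possible": single_size_possible(pkts, nbytes),
            "mix": explain_sizes(pkts, nbytes),
        })
    return results


if __name__ == "__main__":
    for r in analyse(NFT_OUTPUT):
        verdict = ("one packet size fits, consistent with a single source"
                   if r["single_size_possible"]
                   else "at least two packet sizes, so more than one responding stack")
        print(f"{r['rule']}: {r['packets']} packets, {r['bytes']} bytes, "
              f"mean {r['mean_size']} B/packet -> {verdict}")
        if r["mix"]:
            print("  one mix that fits:",
                  ", ".join(f"{count} x {size} B" for size, count in r["mix"]))
```

For the posted counters (210 packets, 12360 bytes) the mean is 58.86 bytes per packet and the total is not a multiple of 210, so at least two SYN-ACK sizes were received; one mix that fits is 12 packets of 40 bytes plus 198 of 60 bytes, though the script cannot tell which mix actually occurred. One caveat when reading the verdict: SYN-ACK options echo what the incoming SYN offered, so a single target hit by spoofed SYNs carrying differing options could also answer with mixed sizes. Treat the non-multiple byte count as evidence of multiple targets, not proof.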