Thus spake Bianco Veigel (devel@zivillian.de):
> Today I got the second abuse mail within two weeks from my hosting provider. They forced me to take down the exit node, otherwise they will shut down my server.
> How could I detect such a scan and take countermeasures to prevent a network scan through Tor? I've thought about Snort, but I've never used it before. The exit node is running in a Xen VM, behind a pfSense firewall.
Unfortunately, you've hit a rather pedantic ISP (most VPS providers are), and you're probably best off just not running an exit from there. https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/GoodBadISPs
Snort might be able to detect this attack and even block access to this IP range on the fly, but putting any kind of filtering systems on exit nodes is not something we really want to get into, for a few reasons. The main one being that it never really works exactly as expected.
The Tor Exit Scanner already detects plenty of antivirus filters that end up censoring URLs on the web because they happen to contain content that matches the AV JavaScript malware signatures in legitimate computer security documents. We've marked several of these AV filtering nodes as BadExit already.
I'm guessing most/all IDS+IPSs will have similar issues with random censorship, too.
I think the best recommendation is to run as non-exit, or find a new ISP.