Roger Dingledine arma@torproject.org:
> Hi! Can you send me (off-list) the details of what you are seeing?
Done.
The last observation was made Nov. 9 at 11:49 UTC, that is, after it was announced the attacker was shut down.
We no longer see the packets, but we continue to receive reports from the same mentioned amateurs; the last one is dated 12 Nov 2024 07:57:06 +0800. All mentioned addresses are those of Tor relays, and the destination port is still ssh.
Excerpt from the report:
5 11-Nov-2024 12:32:52 DENIED 193.218.118.89 54796 TCP 202.91.160.87 22
This could be simple brute force attacks, but since the reporter blocks the connections, that seems unlikely. Perhaps the attacker tuned the attack to a list of networks that are known for triggering reports.
> (3) You are misreading your packets and actually it is more benign than you think or otherwise we can find an expected explanation for what you are seeing.
No misreading; the attack is benign anyway, the problem is really with the fools that take these reports seriously.