On Fri, Aug 01, 2014 at 01:42:32PM -0400, tor@t-3.net wrote:
> IPTables rule involved:
>
> -A INPUT -p tcp -m string --hex-string "|00002800390038008800870035008400160013000a00330032009a009900450044002f00960041000500ff020100000400230000|" --algo kmp -j LOG --log-prefix "IPTables-GFC-new "
> -A INPUT -p tcp -m string --hex-string "|00002800390038008800870035008400160013000a00330032009a009900450044002f00960041000500ff020100000400230000|" --algo kmp -j DROP
You probably found these iptables rules in a blog post [0]. Note that this is not "attack" traffic. Most likely, these are automated probes from China whose purpose is to verify that your Tor relay is, in fact, a Tor relay and it's safe to block it.
[0] https://idea.popcount.org/2013-07-11-fun-with-the-great-firewall/
Cheers, Philipp
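
Added example, not part of the original thread: a decoder for the byte pattern in the quoted rules, to show what the string match keys on. It assumes the pattern is the tail of a TLS ClientHello, from the session_id length byte onward (an interpretation, not something stated in the messages above); the function name parse_hello_tail is hypothetical.

```python
import struct

# Pattern copied from the --hex-string argument of the quoted rules.
PATTERN = bytes.fromhex(
    "00002800390038008800870035008400160013000a00330032009a0099"
    "00450044002f00960041000500ff020100000400230000"
)


def parse_hello_tail(data: bytes) -> dict:
    """Parse data as the ClientHello fields that follow the 32-byte random:
    session_id, cipher_suites, compression_methods, extensions.
    Raises ValueError if the length fields do not line up exactly."""
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(data):
            raise ValueError(f"need {n} bytes at offset {pos}, input too short")
        pos += n
        return data[pos - n:pos]

    session_id = take(take(1)[0])            # 1-byte length, then the id
    (suites_len,) = struct.unpack("!H", take(2))
    if suites_len % 2:
        raise ValueError("cipher_suites length is odd")
    suites = struct.unpack(f"!{suites_len // 2}H", take(suites_len))
    compression = list(take(take(1)[0]))     # 1-byte length, then methods
    (ext_total,) = struct.unpack("!H", take(2))
    extensions = []
    end = pos + ext_total
    while pos < end:                         # each: type, length, body
        ext_type, ext_len = struct.unpack("!HH", take(4))
        extensions.append((ext_type, take(ext_len)))
    if pos != end or pos != len(data):
        raise ValueError("extension lengths do not match the input")
    return {
        "session_id": session_id,
        "cipher_suites": [f"0x{s:04x}" for s in suites],
        "compression_methods": compression,
        "extensions": extensions,
    }


if __name__ == "__main__":
    for field, value in parse_hello_tail(PATTERN).items():
        print(f"{field}: {value}")
```

Every length field lines up with no bytes left over, so the rules match one fixed cipher-suite list, compression list and extension set, and a client that orders or extends these differently will not hit them.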