Hello,
I have been running a middle relay on my VPS since it was too much trouble to operate an exit. But ever since, I have received two abuse reports regarding the same issue.
1) Source: 31.31.78.141 Event type: DNSANOMALY Detail: High amount of TCP DNS traffic, whole transfer: 12 503 B Timestamp: 2014-05-14 20:20:35 NetFlow source: localhost Targets: 178.238.223.67
2) Source: 31.31.78.141 Event type: DNSANOMALY Detail: High amount of TCP DNS traffic, whole transfer: 667 644 B Timestamp: 2014-04-28 19:45:00 NetFlow source: localhost Targets: 178.238.223.67
relay - https://atlas.torproject.org/#details/F12AFDB3FEC184E76944579579F762F1142C7E...
ISP is pushing me to do something about it and that is why I am asking you to help me because I am not sure what to do.
Thank you and have a nice weekend! dope457
On Sat, 17 May 2014 10:27:39 +0200 dope457 dope457@riseup.net wrote:
Hello,
I have been running a middle relay on my VPS since it was too much trouble to operate an exit. But ever since, I have received two abuse reports regarding the same issue.
- Source: 31.31.78.141
Event type: DNSANOMALY Detail: High amount of TCP DNS traffic, whole transfer: 12 503 B Timestamp: 2014-05-14 20:20:35 NetFlow source: localhost Targets: 178.238.223.67
This relay: http://torstatus.blutmagie.de/router_detail.php?FP=44efaf942314f756fc7ea5029... runs with their ORPort set to 53, which is more commonly used for the TCP variant of DNS. So your ordinary communication with them as a part of Tor relaying is misdetected by your ISP as a malicious DNS attack.
Your options are:
1) Explaining the above (along with some explanation about Tor network in general) to your provider;
2) mailing to the contact E-Mail of the above relay, asking them to change their port (but then there may be more relays doing the same in the future);
3) blocking outgoing communication to TCP port 53 to all IPs which are not your chosen recursive DNS servers (set in /etc/resolv.conf); but this will partially break the Tor network, as part of the circuits which clients try to establish via your node will now fail (if they happen to include such ORPort 53 nodes).
FYI
On 05/17/2014 11:40 AM, Roman Mamedov wrote:
Your options are:
- Explaining the above (along with some explanation about Tor
network in general) to your provider;
Just for the record: I received the same abuse report on 22. 5. 2014 (I have the same ISP and hosting provider). So I wrote a polite reply with an explanation and the provider is ok with it.
- mailing to the contact E-Mail of the above relay, asking them to
change their port (but then there may be more relays doing the same in the future);
- blocking outgoing communication to TCP port 53 to all IPs which
are not your chosen recursive DNS servers (set in /etc/resolv.conf); but this will partially break the Tor network, as part of the circuits which clients try to establish via your node will now fail (if they happen to include such ORPort 53 nodes).
Martin Bukatovic
tor-relays@lists.torproject.org
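
The check behind the explanation in this thread, as an added example that is not part of the original messages: it compares the targets named in a DNSANOMALY report against consensus "r" lines to see whether a flagged destination is a relay with ORPort 53. The consensus sample, nicknames, identity strings, resolver address and function names are constructed assumptions; only the target IP and its ORPort of 53 come from the thread.

```python
import re

# Constructed sample in the layout of Tor consensus "r" lines:
# r nickname identity digest date time IP ORPort DirPort
# Only 178.238.223.67 and its ORPort of 53 come from the thread.
SAMPLE_CONSENSUS = """\
r ExampleRelayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2014-05-14 18:00:00 178.238.223.67 53 0
r ExampleRelayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2014-05-14 18:00:00 198.51.100.20 9001 9030
"""

# Abridged from the report quoted in the thread.
REPORT = ("Source: 31.31.78.141 Event type: DNSANOMALY Detail: High amount of "
          "TCP DNS traffic Targets: 178.238.223.67")


def relay_orports(consensus_text):
    """Map relay IP -> set of ORPorts, read from consensus 'r' lines."""
    ports = {}
    for line in consensus_text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] != "r":
            continue
        # Count from the end so lines without a digest field also parse.
        ip, orport = fields[-3], fields[-2]
        if orport.isdigit():
            ports.setdefault(ip, set()).add(int(orport))
    return ports


def report_targets(report_text):
    """Extract the IPv4 addresses listed after 'Targets:' in a report."""
    m = re.search(r"Targets:\s*(.*)", report_text)
    return re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", m.group(1)) if m else []


def classify(report_text, consensus_text, resolvers, port=53):
    """Label each target as tor-orport, resolver, or unexplained."""
    orports = relay_orports(consensus_text)
    result = {}
    for ip in report_targets(report_text):
        if port in orports.get(ip, ()):
            result[ip] = "tor-orport"      # relay listening on the flagged port
        elif ip in resolvers:
            result[ip] = "resolver"        # expected DNS traffic
        else:
            result[ip] = "unexplained"     # worth a closer look
    return result


if __name__ == "__main__":
    print(classify(REPORT, SAMPLE_CONSENSUS, resolvers={"192.0.2.53"}))
```

A target labelled `tor-orport` supports the explanation to the provider; an `unexplained` target is traffic to TCP port 53 that neither the consensus nor the resolver list accounts for.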