I've been an end user of tor for a few years and finally as of last week purchased a virtualhost to run an exit relay.
After a few days running smoothly, I received a forwarded abuse complaint from the hosting company from someone saying they are being DDOS'd by my IP.
I'm prepared per the tor website regarding DMCA notifications, but haven't found much on how to deal with this situation. I have:
* made it quite obvious that this is an exit node
* reverse dns is tor-exit-node.nenticom.net
* web server running on 8080/80 with the tor notification page
* provide full real name and abuse@nenticom.net contact
* notified the hosting company
* applied the recommended exit policy per the "minimum harassment" post
You can see most of this off Atlas (node: nenticom). https://atlas.torproject.org/#details/50D04704A5017C02CC63AFE4A66F05DF79ED81...
Can anyone provide a recommendation of how to respond to this notice (provided below)? Given the headers the original complainer filed it looks like someone is running benchmark software over tor.
Maybe after explaining that I'm a tor exit node to the provider I can offer to block exiting to the IP block belonging to the original complainer?
Notice from Hosting Provider
----------------------------
Please review the following abuse complaint and provide us with a resolution:
******************************
Hello,
Over the last three days we have experienced a massive amount of incoming HTTP connections from an IP address under your control as part of a DDOS attack.
Can you please investigate the server/computer associated with this IP address as it is more than likely compromised and is now part of a BotNet.
For your reference, all requests to our server from the IP in question are listed in the Apache logs as: "GET / HTTP/1.0" 500 11680 "-" "ApacheBench/2.3"
The attacker's IP address that appears to belong to you or your network is '192.241.230.170'. Please resolve this as soon as possible.
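The option raised in the message above, rejecting exits to the complainant's address block, depends on rule order, because tor evaluates ExitPolicy rules from first to last and the first match wins. The sketch below is an added example, not part of the original thread or of tor itself: the evaluator is a simplified IPv4-only model, `203.0.113.0/24` is a documentation range standing in for the complainant's block (which the thread does not give), and the base policy is constructed.

```python
import ipaddress

def parse_rule(rule):
    """Parse 'accept|reject ADDR[/MASK]:PORT[-PORT]' (IPv4 only; '*' = any)."""
    action, target = rule.split()
    addr, _, port = target.rpartition(":")
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if port == "*":
        ports = (1, 65535)
    else:
        lo, _, hi = port.partition("-")
        ports = (int(lo), int(hi or lo))
    return action, net, ports

def exit_allowed(policy, dest_ip, dest_port):
    """Walk the rules in order; the first matching rule decides."""
    ip = ipaddress.ip_address(dest_ip)
    for rule in policy:
        action, net, (lo, hi) = parse_rule(rule)
        if (net is None or ip in net) and lo <= dest_port <= hi:
            return action == "accept"
    return False  # this example's choice: no matching rule means reject

# Constructed values: placeholder block and a minimal base policy.
COMPLAINANT_BLOCK = "reject 203.0.113.0/24:*"
BASE_POLICY = ["accept *:80", "accept *:443", "reject *:*"]

prepended = [COMPLAINANT_BLOCK] + BASE_POLICY   # reject is seen first
appended = BASE_POLICY + [COMPLAINANT_BLOCK]    # 'accept *:80' shadows it

def torrc_lines(policy):
    """Render the policy as torrc ExitPolicy lines, in evaluation order."""
    return "\n".join("ExitPolicy " + rule for rule in policy)

if __name__ == "__main__":
    print(torrc_lines(prepended))
    for name, pol in (("prepended", prepended), ("appended", appended)):
        print(name, "allows 203.0.113.10:80 ->",
              exit_allowed(pol, "203.0.113.10", 80))
```

Only the prepended form stops traffic to the placeholder block; appended after the accept rules, the reject line never takes effect.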
Hah - I am not laughing at what's happened to you, but I am laughing at the MO of the notice. See the "Dealing with VPS suspension" thread posted a few minutes ago.
I received the exact same notice, but at least your hoster didn't close yours without asking first.
On 7 Aug 2013, at 21:00, Kris wrote:
--
Kind regards,
Benjamin Hodgetts
Dedicated Hosting Server Administrator
Namesco Ltd.
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
--------------------------------------
Bernard / bluboxthief / ei8fdb
IO91XM / www.ei8fdb.org
This Benjamin Hodgetts is really on a tear. I got the same complaint from 2 different ISPs today.
Steve Snyder swsnyder@snydernet.net writes:
This Benjamin Hodgetts is really on a tear. I got the same complaint from 2 different ISPs today.
Ditto. He told me it's an automated script... and that he's (recently) blocked traffic from Tor network.
He sent the notices as an "FYI" and gave me some crap about how I am responsible for everyone who uses Tor.
Fun day for a lot of us, it seems.
So these reports of DDoS HTTP attacks are actually a single DoS attack (using pseudo-legal threats) on the Tor network itself? Is there any way to neutralize this fellow with suitable countermeasures, such as lawsuits or harassment charges?