One of my tor guard relays is a medium size VPS operating in the Czech Republic. It's been up and stable for several years. Several weeks ago I was notified that my VPS was a source of UDP DoS traffic. It was shut down. Logs showed no intrusions. I installed a different instance of linux, changed my SSH port, added fail2ban and even installed clamav. I did not make changes to the tor exit policy. Then, this week I received the following: "Hello, surveillance system detected a disproportionate outgoing DoS traffic on your VPS torexitcz and then our network under a DDoS attack. Your server torexitcz has been stopped. This is another problem with your VPS. Your service will be terminated. Thanks for understanding." Can anyone offer an opinion as to how my relay was used for DoS? How can I avoid this in the future? My goal, as always is to provide stable nodes to the tor network while protecting myself and my VPS supplier. 4061C553CA88021B8302F0814365070AAE617270 185.100.85.101
On 15 November 2016 at 20:41, Arisbe <arisbe@cni.net> wrote:
One of my tor guard relays is a medium size VPS operating in the Czech Republic. It's been up and stable for several years. Several weeks ago I was notified that my VPS was a source of UDP DoS traffic. It was shut down. Logs showed no intrusions.
I installed a different instance of linux, changed my SSH port, added fail2ban and even installed clamav. I did not make changes to the tor exit policy. Then, this week I received the following:
"Hello, surveillance system detected a disproportionate outgoing DoS traffic on your VPS torexitcz and then our network under a DDoS attack. Your server torexitcz has been stopped. This is another problem with your VPS. Your service will be terminated. Thanks for understanding."
Can anyone offer an opinion as to how my relay was used for DoS? How can I avoid this in the future? My goal, as always is to provide stable nodes to the tor network while protecting myself and my VPS supplier.
4061C553CA88021B8302F0814365070AAE617270 185.100.85.101
Your relay allows exit, and based on the name that seems intentional If you don't want it to possibly be used for attacks, you should not run an exit
On 16 Nov. 2016, at 07:57, Pascal Terjan <pterjan@gmail.com> wrote:
On 15 November 2016 at 20:41, Arisbe <arisbe@cni.net> wrote:
One of my tor guard relays is a medium size VPS operating in the Czech Republic. It's been up and stable for several years. Several weeks ago I was notified that my VPS was a source of UDP DoS traffic. It was shut down. Logs showed no intrusions.
I installed a different instance of linux, changed my SSH port, added fail2ban and even installed clamav. I did not make changes to the tor exit policy. Then, this week I received the following:
"Hello, surveillance system detected a disproportionate outgoing DoS traffic on your VPS torexitcz and then our network under a DDoS attack. Your server torexitcz has been stopped. This is another problem with your VPS. Your service will be terminated. Thanks for understanding."
Can anyone offer an opinion as to how my relay was used for DoS? How can I avoid this in the future? My goal, as always is to provide stable nodes to the tor network while protecting myself and my VPS supplier.
4061C553CA88021B8302F0814365070AAE617270 185.100.85.101
Your relay allows exit, and based on the name that seems intentional If you don't want it to possibly be used for attacks, you should not run an exit
Tor Exits only produce one kind of UDP traffic: DNS requests on behalf of clients. If you were using the provider's DNS servers directly, this could look like a DoS attack, particularly if the DNS servers are under-provisioned (or the intrusion detection system too sensitive). Install a caching resolver on your relay, accessible only from localhost, and either edit /etc/resolv.conf, or use the ServerDNSResolvConfFile torrc option. (Editing /etc/resolv.conf can be unreliable, because some processes overwrite it using DHCP data. It's probably best to use a separate file and ServerDNSResolvConfFile.) If your provider is that sensitive about DNS traffic, it might be best to point your resolver at some other public DNS servers. But please don't use Google, they see too much Tor DNS traffic already. T -- Tim Wilson-Brown (teor) teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org ------------------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 11/15/2016 09:41 PM, Arisbe wrote:
Several weeks ago I was notified that my VPS was a source of UDP DoS traffic.
? Tor is only TCP, not UDP. - -- Toralf PGP: C4EACDDE 0076E94E -----BEGIN PGP SIGNATURE----- iHYEAREIAB4FAlgrfh8XHHRvcmFsZi5mb2Vyc3RlckBnbXguZGUACgkQxOrN3gB2 6U7JIwD/be8zBp+Yjmnhb+26LydnKuVC9vDSc3WZIJnuiKZORkIA/1Xc7QERc9P9 KrcYfmk6lVrHsn3KrfoQzplr0lZUS+gf =Y3IM -----END PGP SIGNATURE-----
On Tue, Nov 15, 2016 at 12:41:09PM -0800, Arisbe wrote:
One of my tor guard relays is a medium size VPS operating in the Czech Republic. It's been up and stable for several years. Several weeks ago I was notified that my VPS was a source of UDP DoS traffic. It was shut down. Logs showed no intrusions.
I installed a different instance of linux, changed my SSH port, added fail2ban and even installed clamav. I did not make changes to the tor exit policy. Then, this week I received the following:
"Hello, surveillance system detected a disproportionate outgoing DoS traffic on your VPS torexitcz and then our network under a DDoS attack. Your server torexitcz has been stopped. This is another problem with your VPS. Your service will be terminated. Thanks for understanding."
Can anyone offer an opinion as to how my relay was used for DoS? How can I avoid this in the future? My goal, as always is to provide stable nodes to the tor network while protecting myself and my VPS supplier.
Are you running ntpd on the vps? your vps may being used for an ntp reflection attack
4061C553CA88021B8302F0814365070AAE617270 185.100.85.101
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
-- 1AE0 322E B8F7 4717 BDEA BF1D 44BB 1BA7 9F6C 6333 keybase: https://keybase.io/gfa
participants (5)
-
Arisbe -
Pascal Terjan -
teor -
tor-admin@zumbi.com.ar -
Toralf Förster