Today I got the second abuse mail within two weeks from my hosting provider. They forced me to take down the exit node, otherwise they will shut down my server.
How could I detect such a scan and take countermeasures to prevent a network scan through Tor? I've thought about Snort, but I've never used it before. The exit node is running in a Xen VM, behind a pfSense firewall.
I've attached the report from the abuse mail. Does anyone have an idea what steps should/could be taken?
Thanks in advance,
Bianco Veigel
----- attachment -----
##########################################################################
# Netscan detected from host 188.40.98.54                                #
##########################################################################
Thus spake Bianco Veigel (devel@zivillian.de):
> Today I got the second abuse mail within two weeks from my hosting provider. They forced me to take down the exit node, otherwise they will shut down my server.
> How could I detect such a scan and take countermeasures to prevent a network scan through Tor? I've thought about Snort, but I've never used it before. The exit node is running in a Xen VM, behind a pfSense firewall.
Unfortunately, you've hit a rather pedantic ISP (most VPS providers are), and you're probably best off just not running an exit from there. https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/GoodBadISPs
Snort might be able to detect this attack and even block access to this IP range on the fly, but putting any kind of filtering systems on exit nodes is not something we really want to get into, for a few reasons. The main one being that it never really works exactly as expected.
The Tor Exit Scanner already detects plenty of antivirus filters that end up censoring URLs on the web because they happen to contain content that matches the AV javascript malware signatures in legitimate computer security documents. We've marked several of these AV filtering nodes as BadExit already.
I'm guessing most/all IDS+IPSs will have similar issues with random censorship, too.
I think the best recommendation is to run as non-exit, or find a new ISP.
On Friday 25 February 2011 11:45:04 Bianco Veigel wrote:
> Today I got the second abuse mail within two weeks from my hosting provider. They forced me to take down the exit node, otherwise they will shut down my server.
> How could I detect such a scan and take countermeasures to prevent a network scan through Tor? I've thought about Snort, but I've never used it before. The exit node is running in a Xen VM, behind a pfSense firewall.
> I've attached the report from the abuse mail. Does anyone have an idea what steps should/could be taken?
It may be possible to detect a scan by looking for RST packets coming back from computers that have the port closed. I saw something about that on snort.org. I wouldn't trust Snort to do the right thing in the case of someone portscanning through Tor. I suggest closing the circuit, and only Tor knows what the circuit is, so if an exit node notices several connection attempts in a row on the same circuit fail, it could close the circuit because it looks like a portscan.
cmeclax
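An added example (not from this thread and not Tor's own code) that simulates the per-circuit heuristic cmeclax describes: count failed exit connections in a row on one circuit and flag the circuit for closing once the run reaches a threshold, while ignoring retries against the same unreachable host so that an ordinary client hammering a dead server is not mistaken for a sweep. The Attempt records, circuit ids, outcome labels, threshold and the sample events are all constructed for illustration; this is a stand-alone simulation, not a Tor feature.

```python
from collections import defaultdict, namedtuple

# One exit-side connect attempt (constructed shape, not Tor's data model).
# outcome: "ok" (SYN-ACK), "rst" (closed port, the signal cmeclax mentions)
# or "timeout" (filtered / no answer).
Attempt = namedtuple("Attempt", "ts circuit dest_ip dest_port outcome")

# Failed attempts in a row, each to a different host, on one circuit before
# we would treat the circuit as a port sweep. Example value; tune before use.
MAX_CONSECUTIVE_FAILURES = 5


def circuits_to_close(attempts, threshold=MAX_CONSECUTIVE_FAILURES):
    """Return {circuit_id: ts_when_flagged} for circuits whose run of failures
    to distinct hosts reached the threshold. Attempts must be in time order."""
    streak = defaultdict(list)   # circuit -> dest_ips in the current failure run
    flagged = {}
    for a in attempts:
        if a.circuit in flagged:
            continue             # already decided; a real node would have closed it
        if a.outcome == "ok":
            streak[a.circuit] = []   # a successful connection resets the run
            continue
        # Retries against the same dead host are not a sweep: only count a
        # failure when it hits a host not yet seen in this run.
        if a.dest_ip not in streak[a.circuit]:
            streak[a.circuit].append(a.dest_ip)
        if len(streak[a.circuit]) >= threshold:
            flagged[a.circuit] = a.ts
    return flagged


# Constructed sample modelled on the abuse report: circuit 7 walks port 80
# across 94.207.141.x and gets RSTs; circuit 3 is ordinary browsing with a
# few retries to one dead host (documentation-range addresses).
SAMPLE = [
    Attempt(0, 3, "192.0.2.10", 443, "ok"),
    Attempt(1, 7, "94.207.141.12", 80, "rst"),
    Attempt(1, 7, "94.207.141.13", 80, "rst"),
    Attempt(2, 3, "198.51.100.7", 80, "timeout"),
    Attempt(2, 7, "94.207.141.14", 80, "rst"),
    Attempt(3, 3, "198.51.100.7", 80, "timeout"),
    Attempt(3, 7, "94.207.141.15", 80, "timeout"),
    Attempt(4, 3, "198.51.100.7", 80, "timeout"),
    Attempt(4, 7, "94.207.141.12", 80, "rst"),   # retry of an earlier host
    Attempt(5, 7, "94.207.141.16", 80, "rst"),
    Attempt(6, 3, "192.0.2.10", 443, "ok"),
    Attempt(7, 7, "94.207.141.17", 80, "rst"),
]

if __name__ == "__main__":
    for circ, ts in circuits_to_close(SAMPLE).items():
        print(f"circuit {circ}: looks like a port sweep, would close at t={ts}")
```

Circuit 7 is flagged at t=5 (fifth distinct host failing), while circuit 3's three timeouts to one host never count past one, which is the false-positive case Mike Perry's reply warns any exit-side filter must handle.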
tor-relays@lists.torproject.org