Hi,
On the VPS where I run a couple of bridges, I often see the following:

tcp6 0 0 aaa.bbb.cc.dd:443 194.14.247.1:18913 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 54.93.50.35:18457 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 194.68.0.1:29917 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 194.68.0.1:23629 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 194.14.247.1:8846 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 194.14.165.1:11833 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 54.93.50.35:20856 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 194.14.247.1:38085 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 194.14.246.1:60957 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 194.14.165.1:10471 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 194.68.0.1:60852 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 194.14.246.1:45321 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 194.14.246.1:43384 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 194.14.165.1:31634 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 194.68.0.1:29895 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 54.93.50.35:51774 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 54.93.50.35:27223 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 194.14.246.1:11116 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 194.14.0.1:31465 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 54.93.50.35:30646 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 194.14.246.1:11117 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 194.14.165.1:46609 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 194.14.247.1:57978 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 194.68.0.1:59133 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 54.93.50.35:27371 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 194.68.0.1:13364 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 194.14.165.1:50336 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 194.14.165.1:34511 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:80 aa.bb.ccc.dd:59349 ESTABLISHED
tcp6 0 0 aaa.bbb.cc.dd:443 194.14.0.1:20251 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 194.68.0.1:11573 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 194.14.0.1:37358 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 54.93.50.35:44226 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 54.93.50.35:59194 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 194.14.165.1:38300 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 194.68.0.1:18209 SYN_RECV

Is this normal probing by the script kiddies or is it specific because I'm running the bridges?
Cheers.
On Mon, 2020-04-06 at 14:04 -0700, Eddie wrote:
> On the VPS where I run a couple of bridges, I often see the following:
>
> tcp6 0 0 aaa.bbb.cc.dd:443 194.14.247.1:18913 SYN_RECV
> tcp6 0 0 aaa.bbb.cc.dd:443 54.93.50.35:18457 SYN_RECV
> tcp6 0 0 aaa.bbb.cc.dd:443 194.68.0.1:29917 SYN_RECV
>
> Is this normal probing by the script kiddies or is it specific because I'm running the bridges?

I'd say the former; it is most probably regular Internet background noise. Regular relays and especially exit relays are a much bigger target than bridges (whose IP addresses are not conveniently listed). This kind of port scanning should be quite harmless as long as you're not exposing vulnerable software.

Imre
tor-relays@lists.torproject.org
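
Added example, not part of either message: one way to triage output like the listing in this thread is to tally half-open (SYN_RECV) connections per local port and remote address. The function name `syn_recv_summary` and the `SAMPLE` variable are assumptions made for this example; the sample lines are copied from the first post.

```shell
#!/bin/sh
# Summarise half-open connections from `netstat -tn`-style lines on stdin.
# Output: "<count> <local_port> <remote_ip>", busiest source first.
# Optional argument: minimum count a source needs to be listed (default 1).
syn_recv_summary() {
    awk -v min="${1:-1}" '
    $6 == "SYN_RECV" {
        n = split($4, l, ":")            # local port is the last ":" field
        rip = $5
        sub(/:[0-9]+$/, "", rip)         # strip the remote port, keep the address
        count[l[n] " " rip]++
    }
    END {
        for (k in count)
            if (count[k] >= min) print count[k], k
    }' | LC_ALL=C sort -k1,1nr -k3,3
}

# Sample input: five lines taken from the listing in the first message.
SAMPLE='tcp6 0 0 aaa.bbb.cc.dd:443 194.14.247.1:18913 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 54.93.50.35:18457 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 194.68.0.1:29917 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:443 194.68.0.1:23629 SYN_RECV
tcp6 0 0 aaa.bbb.cc.dd:80 aa.bb.ccc.dd:59349 ESTABLISHED'

# Stand-alone run: summarise the sample. On a live host, pipe `netstat -tn`
# into the function instead.
printf '%s\n' "$SAMPLE" | syn_recv_summary
```

A handful of entries spread over many unrelated addresses is what the reply above calls background noise; a count that keeps growing for one local port is the thing to watch.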