Hi,
got multiple abuse complaints in the last 2 weeks.
2 relays with 2 IPs run on the server. Someone is always hammering my OR port on one IP (37.157.255.118:9002). https://metrics.torproject.org/rs.html#details/BD2A34ADE4E603A272FAAD23AEF38... https://metrics.torproject.org/rs.html#details/8EE44717FA55705C12086F3ECD1F8...
What can I do?
Found that in the archive: https://lists.torproject.org/pipermail/tor-relays/2017-September/013030.html
the 5th complaint:
##########
To Whom it May Concern,
You have a system on your network that is actively scanning and/or attacking external sites on the Internet. This can come from many sources and because it is often difficult to detect this activity, we are sending this E-mail in an attempt to help you solve the problem.
We have detected your system with an IP of 37.157.255.118 scanning a client we monitor. This was not a short attack but a prolonged scan and/or probe that was designed to find and intrude into the target network.
This may be someone on your network who is actively trying to hack others. This person may be a legitimate user on your network or it may be that this system has been compromised and is being used by someone to hack others. It is also likely that the system is running automated tools that have been installed to perform these actions without any human intervention.
Below is the information about the attack. Keep in mind that the source IP of our client has been sanitized for anonymity.
Date: 04/30/2020
Time: 11:05:37
Time Zone: America/Chicago
Source(s): 37.157.255.118
Type of Attack/Scan: Generic
Hosts: 10.10.10.182
Log:
37.157.255.118:9002 > 10.10.10.182:24562
Possible Cause:
Thank you for your attention to this matter,
Masergy email: esp@masergy.com
That is really unhelpful of them to state "Type of Attack/Scan: Generic, Hosts: 10.10.10.182", which is a non-routable address. Something on their LAN is wrong. You cannot even respond by blocking their actual WAN IP in torrc.
Ask for the real WAN IP of their network so you can block the attack.
-----Original Message----- From: tor-relays tor-relays-bounces@lists.torproject.org On Behalf Of lists@for-privacy.net Sent: 03 May 2020 21:16 To: tor-relays@lists.torproject.org Subject: [tor-relays] Again: abuse email for non-exit relay (masergy)
I got a *bunch* (harassment-level) of telephone calls from my ISP similar to this. They refused to do anything by email, and wouldn't tell me anything more about the supposed port-scanning attacks. They just kept asking me to "make sure Windows and my router firmware were up to date." (No Windows, no router.) They kept saying that I was port-scanning a machine in the 10.x address space. When I finally got someone who knew enough to know that wasn't a routable address, they *still* couldn't tell me anything about the nature of the complaint. I finally had to threaten legal action, at which point they *still* refused to disclose anything about the complaint, but at least stopped calling me. The *hours* on the phone revealed only two things: the complaint was originating from somewhere in the Chicago (US) area, and the "port" I was "scanning" was always 9002.
My relay was also a non-exit. Needless to say, I was monitoring my network traffic and there was no "port scanning" going on. My best guess is that some kindergartener in a sysadmin suit (or incompetent security suite vendor, if that's not redundant) configured a firewall to automatically report accesses via port 9002 as port scanning and they have a relay behind said firewall.
As much as I would have welcomed the opportunity to educate and assist the operator of this misconfigured security system, my ISP would never divulge any contact information.
Just a data point.
--Ron
On May 3, 2020, at 14:15, gerard@bulger.co.uk wrote:
-- ╰_╯ Ciao Marco!
Debian GNU/Linux
It's free software and it gives you freedom!
_______________________________________________
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On 03.05.2020 23:36, ronqtorrelays@risley.net wrote:
I got a *bunch* (harassment-level) of telephone calls from my ISP similar to this. They refused to do anything by email, and wouldn't tell me anything more about the supposed port-scanning attacks. They just kept asking me to "make sure Windows and my router firmware were up to date." (No Windows, no router.) They kept saying that I was
Fortunately, the admins at my home ISP have a clue. They even mirror torproject.org and the CCC: http://debian.netcologne.de/ If something is missing, you just have to report it and they will set it up.
guess is that some kindergartener in a sysadmin suit
lol, this word comes from Germany: 'Kindergärtner'.
On Sun, May 03, 2020 at 10:15:47PM +0200, lists@for-privacy.net wrote:
Below is the information about the attack. Keep in mind that the source IP of our client has been sanitized for anonymity.
Date: 04/30/2020 Time: 11:05:37 Time Zone: America/Chicago Source(s): 37.157.255.118 Type of Attack/Scan: Generic Hosts: 10.10.10.182 Log:
37.157.255.118:9002 > 10.10.10.182:24562
The person sending you this abuse complaint is deeply confused. My guess is that they are running some automated "attack detector" software, and the software is buggy and telling them things that are wrong.
If your relay were making connections to their user, it would not be using port 9002. It would be using some high-numbered port for the outgoing connection.
So what's likely happening here instead is that *their* user is contacting *your* relay -- that is, the person they call "our client" is a Tor user using your relay -- but their automated attack detector is not seeing the initial connection from their user to your relay, and it's misinterpreting the response from your relay to the user as an outgoing connection.
I get these sort of automated abuse complaints a few times a year to moria1, my directory authority, and in many cases it's people running a Tor client or relay somewhere, and that somewhere's ISP really wants me to stop "attacking" their user, when actually what's happening is that their user contacts my relay a lot.
So in summary: there is nothing to fix, because the complaint is wrong about what's going on.
Whether you should respond depends on whether you need to answer your own hosting provider to keep them happy, and/or whether you want to try to engage with the stranger on the internet who doesn't yet understand that their own reporting software is buggy. :)
Hope that helps, --Roger
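Roger's reasoning above can be turned into a small triage check for complaint log lines like the one quoted. This is an added example, not code from the thread or from Tor: it assumes the relay's own listening ports are known (here the ORPort 9002 from the complaint) and parses the `src:port > dst:port` format shown in the Masergy report.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample: the log line quoted in the Masergy complaint above.
SAMPLE_LOG = "37.157.255.118:9002 > 10.10.10.182:24562"

# Assumption: the ports this relay actually listens on (ORPort/DirPort from torrc).
RELAY_LISTEN_PORTS = {9002}

# RFC 1918 ranges, listed explicitly so test-net and other special ranges are not
# mistaken for "their LAN".
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

LINE_RE = re.compile(r"^(?P<sip>[\d.]+):(?P<sport>\d+)\s*>\s*(?P<dip>[\d.]+):(?P<dport>\d+)$")


@dataclass
class Verdict:
    reply_traffic: bool    # source port is one of our listening ports -> we are answering, not initiating
    target_private: bool   # reported "victim" is RFC 1918 space and cannot be reached from the internet
    findings: list


def triage(line: str, listen_ports=RELAY_LISTEN_PORTS) -> Verdict:
    """Classify one 'src:port > dst:port' line from an abuse report."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log format: {line!r}")
    sport, dport = int(m["sport"]), int(m["dport"])
    dst = ip_address(m["dip"])
    findings = []

    # A TCP flow whose *source* is our listening port is the server side of a
    # connection the remote host opened; an outbound scan would use an ephemeral port.
    reply = sport in listen_ports
    if reply:
        findings.append(f"source port {sport} is our listening port: the remote host "
                        f"connected to us and this is our reply, not an outbound scan")
    if dport > 1023 and dport not in listen_ports:
        findings.append(f"destination port {dport} looks ephemeral, i.e. the client side of that connection")

    private = any(dst in net for net in RFC1918)
    if private:
        findings.append(f"destination {dst} is RFC 1918 space: it is unreachable from the internet and "
                        f"cannot be blocked in torrc or a firewall; ask the reporter for their real WAN address")
    return Verdict(reply_traffic=reply, target_private=private, findings=findings)
```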
On 03.05.2020 23:31, Roger Dingledine wrote:
First of all thank you all.
I have already written to masergy that they should send me logs and that the problem comes from them. If necessary, I have to block all masergy IPs on the firewall. But their AS is huge; that's a lot of work.
Whether you should respond depends on whether you need to answer your own hosting provider to keep them happy,
I have to make my provider happy. myLoc/Servdiscount is not amused by my traffic. More than 100 TB per server, which costs only 23-32 EUR/month.
Hi there,
I got the same complaints for my non-exit-relays running at myloc in the past.
I think I got two of them within the last 6 years, always responded asking for more details, but they never explained what's wrong from their point of view. I think it's some IDS within their network reporting connections from their clients to the tor network as malicious and automatically sending abuse-reports.
I explained that I requested more information but never got any; the case was then closed. I used to work there years ago and established the abuse-handling process. As long as you explain it to them, everything should be fine. The abuse mails are forwarded to you automatically, and only if you don't respond at all and more complaints keep arriving for your IP could your server be suspended automatically. They would not suspend your server for one incomprehensible bogus complaint, but you should nevertheless reply to keep the counters for the automated abuse handling low.
Regards cxx
On 04.05.2020 14:06, cxx wrote:
Thanks for the information. That calms me.
Greetings from Bonn ;-)
So it's a generic attack on an RFC 1918 IP.
That's really helpful. I also love the possible cause and the top-notch log ...
People are getting paid real money to send this shit?
niftybunny