[tor-relays] Network Scan through Tor Exit Node (Port 80)

Bianco Veigel binco at zivillian.de
Fri Feb 25 16:32:11 UTC 2011


Today I got the second abuse mail within two weeks from my hosting
provider. They forced me to take down the exit node, otherwise they will
shut down my server.

How could I detect such a scan and take countermeasures to prevent a
network scan through Tor? I've thought about Snort, but I've never used
it before. The exit node is running in a Xen VM, behind a pfSense firewall.

I've attached the report from the abuse mail. Does anyone have an idea
what steps should/could be taken?

Thanks in advance,

Bianco Veigel

----- attachment -----

##########################################################################
#               Netscan detected from host    188.40.98.54               #
##########################################################################

time                protocol src_ip src_port          dest_ip dest_port
---------------------------------------------------------------------------
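
One way to detect the pattern in the attached report, as an added example that is not part of the original post: parse connection records in the report's column layout and flag any source that reaches many distinct hosts on the same destination port within a few seconds. The sample rows are constructed with documentation-range addresses, and the function names, window and threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed rows in the report's column layout (documentation-range IPs).
SAMPLE = """\
Fri Feb 25 06:53:15 2011 TCP    192.0.2.10 45237 =>   203.0.113.7 20019
Fri Feb 25 07:14:56 2011 TCP    192.0.2.10 26247 =>  198.51.100.1 80
Fri Feb 25 07:14:59 2011 TCP    192.0.2.10 26247 =>  198.51.100.1 80
Fri Feb 25 07:14:56 2011 TCP    192.0.2.10 27847 =>  198.51.100.2 80
Fri Feb 25 07:14:57 2011 TCP    192.0.2.10 38929 =>  198.51.100.3 80
Fri Feb 25 07:14:58 2011 TCP    192.0.2.10 48305 =>  198.51.100.4 80
Fri Feb 25 07:15:00 2011 TCP    192.0.2.10 25717 =>  198.51.100.5 80
Fri Feb 25 07:15:00 2011 TCP    192.0.2.20 51000 =>  198.51.100.9 80
"""

ROW = re.compile(r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})\s+\w+\s+"
                 r"(?P<src>\S+)\s+\d+\s+=>\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s*$")

def parse(text):
    """Yield (time, src_ip, dest_ip, dest_port) per row; banner lines are skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["src"], m["dst"], int(m["dport"])

def detect_sweeps(events, window=timedelta(seconds=10), threshold=5):
    """Return {(src_ip, dest_port): peak distinct hosts per window} at or over threshold."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in events:
        by_key[(src, dport)].append((ts, dst))
    alerts = {}
    for key, hits in by_key.items():
        hits.sort()
        counts, start, peak = defaultdict(int), 0, 0
        for ts, dst in hits:
            counts[dst] += 1                      # a retransmit adds no new host
            while ts - hits[start][0] > window:   # slide the window forward
                old = hits[start][1]
                counts[old] -= 1
                if not counts[old]:
                    del counts[old]
                start += 1
            peak = max(peak, len(counts))
        if peak >= threshold:
            alerts[key] = peak
    return alerts
```

Because an exit relay legitimately opens connections to many different web servers, the window and threshold need tuning against normal traffic before alerting on them.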

