[tor-relays] abuse reports from shadowserver.org

Mike Perry mikeperry at fscked.org
Sun Mar 20 01:16:45 UTC 2011


Thus spake Alexander Bernauer (alex-tor at copton.net):

> my ISP keeps on receiving abuse reports from shadowserver.org. They
> claim that an IRC bot operates from the IP that belongs to my tor exit.
> 
> The strange thing is that my exit policy only allows web and mail ports.
> Furthermore, the IPs of the shadowserver honeypots have a ptr entry for
> *.sinkhole.shadowserver.org.

Hrmm. Based on your snippets of mails you pasted on or-talk, it
appears that a subset of the shadowserver folks are ideological
zealots and crazed vigilantes. We've dealt with their flavor of lunacy
before, in the form of the various "bribe me to get off my list or I
will blackhole your entire netblock" DNSRBLs.

It is quite possible that lunatics like these will just make up abuse
reports and send them to ISPs that look like they might cave. It is
very interesting that our higher bandwidth exits that *do* exit to IRC
are not hearing from them right now.

History has shown that the Internet as a whole usually learns to
ignore nutballs. AFAIK, all of the "collateral damage" DNSRBLs are
completely unused these days. Of course, that doesn't stop the
nutballs from being really annoying in the short term :/.

> So, I could block their servers either by means of the exit policy or
> with iptables. Which one would you prefer?

What is their network topology like? Do they cycle through their
honeypots? iptables is especially bad if you have the situation where
what was once a honeypot one week turns into a legitimate server the
next.

OTOH, exit policy is bad if you end up with a ton of entries in it...

> I additionally wanted to ask here if there is any experience with
> shadowserver in this regard?
> 
> Explaining the issue to my ISP failed. They keep on getting nervous.

This may be an issue. If the zealots believe that they can intimidate
your ISP to knock you offline, they may keep sending nonsense reports
to do so, declaring victory that one more tor node bites the dust...

Not sure what to tell you about this. If they succeed, perhaps it's
just new ISP time? There are a lot of crazies out there, not just
these guys...



-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
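One concrete way for an exit operator to answer reports like the ones discussed above is to check each claimed destination against the relay's exit policy: a report that names a port the policy never accepts could not have come through that exit. The following is an added example, not code from the thread or from Tor itself; the policy lines, the 192.0.2.0/24 netblock standing in for the honeypots, and the report entries are all constructed for illustration.

```python
import ipaddress

# Constructed policy in torrc ExitPolicy syntax: web and mail ports only,
# plus an explicit reject for a placeholder honeypot netblock (assumption).
# Tor evaluates rules top to bottom; the first match decides.
EXIT_POLICY = [
    "reject 192.0.2.0/24:*",
    "accept *:80",
    "accept *:443",
    "accept *:25",
    "accept *:465",
    "accept *:587",
    "accept *:993",
    "accept *:995",
    "reject *:*",
]

def parse_rule(rule):
    """Split 'accept|reject ADDR:PORT' into (action, network, low_port, high_port)."""
    action, target = rule.split()
    addr, port = target.rsplit(":", 1)
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if port == "*":
        lo, hi = 1, 65535
    elif "-" in port:
        lo, hi = (int(p) for p in port.split("-"))
    else:
        lo = hi = int(port)
    return action, net, lo, hi

def exit_allowed(policy, dest_ip, dest_port):
    """True if the first matching rule is an accept; default is reject."""
    ip = ipaddress.ip_address(dest_ip)
    for rule in policy:
        action, net, lo, hi = parse_rule(rule)
        if net is not None and ip not in net:
            continue
        if not lo <= dest_port <= hi:
            continue
        return action == "accept"
    return False

def impossible_reports(policy, reports):
    """Reports whose claimed (ip, port) destination this exit could never reach."""
    return [(ip, port) for ip, port in reports if not exit_allowed(policy, ip, port)]

# Constructed abuse-report entries: (claimed destination IP, claimed port).
REPORTS = [("198.51.100.7", 6667), ("198.51.100.7", 443), ("192.0.2.5", 80)]

if __name__ == "__main__":
    for ip, port in impossible_reports(EXIT_POLICY, REPORTS):
        print(f"policy could not have allowed {ip}:{port}")
```

The IRC-port entry and the honeypot-netblock entry are flagged as impossible for this policy, which is the evidence to hand the ISP; the 443 entry is the only one the exit could actually have carried.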