[tor-relays] Tor Exit Node - DDOS

Steve Snyder swsnyder at snydernet.net
Wed Aug 7 22:29:47 UTC 2013


This Benjamin Hodgetts is really on a tear.  I got the same complaint 
from 2 different ISPs today.


On 08/07/2013 04:00 PM, Kris wrote:
> I've been an end user of tor for a few years and finally as of last week
> purchased a virtualhost to run an exit relay.
>
> After a few days running smoothly, I received a forwarded abuse
> complaint from the hosting company from someone saying they are being
> DDOS'd by my IP.
>
> I'm prepared per the tor website regarding DMCA notifications, but
> haven't found much on how to deal with this situation.  I have:
>
> * made it quite obvious that this is an exit node
>    * reverse dns is tor-exit-node.nenticom.net
>    * web server running on 8080/80 with the tor notification page
>    * provide full real name and abuse at nenticom.net contact
>    * notified the hosting company
> * applied the recommended exit policy per the "minimum harassment" post
>
> You can see most of this off Atlas (node: nenticom).
> https://atlas.torproject.org/#details/50D04704A5017C02CC63AFE4A66F05DF79ED81F3
>
>
> Can anyone provide a recommendation of how to respond to this notice
> (provided below)?  Given the headers the original complainer filed it
> looks like someone is running benchmark software over tor.
>
> Maybe after explaining that I'm a tor exit node to the provider I can
> offer to block exiting to the IP block belonging to the original
> complainer?
>
>
>
> Notice from Hosting Provider
> ----------------------------
>
> Please review the following abuse complaint and provide us with a
> resolution:
>
> ******************************
> Hello,
>
> Over the last three days we have experienced massive amounts of
> incoming HTTP connections from an IP address under your control as part
> of a DDOS attack.
>
> Can you please investigate the server/computer associated with this IP
> address as it is more than likely compromised and is now part of a BotNet.
>
> For your reference, all requests to our server from the IP in question
> are listed in the Apache logs as:
> "GET / HTTP/1.0" 500 11680 "-" "ApacheBench/2.3"
>
> The attacker's IP address that appears to belong to you or your network
> is '192.241.230.170'. Please resolve this as soon as possible.
>

