[tor-relays] Ongoing denial of service attack against Tor relays by leased botnet in America and PRC (Nobistech, Datashack, Limestone, HE, Pegtech, WholeSale Interent, and Psychz VPS nodes, etc)

Matt Joyce toradmin at mttjocy.co.uk
Fri Mar 29 12:36:39 UTC 2013


On 28/03/13 17:21, grarpamp wrote:
>> New to the list, I run a Tor exit node from my small cable modem connection
>> in Honolulu, as well as for a short time on a few VPS's to prove to
>> Over the last several weeks, I have collected substantial evidence
>> indicating that a botnet is degrading the Tor anonymity network in its
>> entirety via a sustained denial of service attack. I believe it is made to
>> blend in with all the other crazy packets that an exit node generates, but
>> it is pretty easy to spot if you just look at the RST's or drops coming off
>> your node, all from a static unused destination port.  If you change the IP
>> address of your node, it will take about 90 minutes before they identify
>> your IP and you start getting attacked again.
>> Do a whois lookup on a few of
>> those VPS IP addresses and you will see the country involved.
>> Wondering what other folks are seeing with their relays.
>> UTC DATE    UTC TIME  IP              SRC-ISP                      SPT   DST           DST-ISP      DPT   Flags
>> 2013-03-28  7:33:38   173.208.95.126  Nobis Technology Group, LLC  2571  66.8.214.196  Road Runner  8118  [S]
> I believe 8118 is the polipo/privoxy gateway and that you are simply seeing
> the usual internet 'bot' scans for that proxy, and the box is returning the
> normal closed reset to SYNs.
>
> You may collate this flow data by IP and report the unwanted traffic to the
> ARIN netblock and PTR domain contacts. Or ignore it as a waste of time if the
> packet rate is an acceptable loss to internet noise.
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
There is definitely a large number of hits on the privoxy port that does
seem to correlate with being in a published directory.  That said, lots
of Tor users also use privoxy, so it makes sense that those looking for
open proxies may well be prioritizing Tor relay IP addresses for
scanning, attempting to find poorly configured privoxy instances that can
be used for arbitrary connections.  Scanning of Tor nodes also seems to
be higher than background in general, especially at higher bandwidth
levels, but this is frequently the case for any kind of server or other
node that stands out as clearly controlling larger amounts of bandwidth,
because such nodes are naturally more valuable targets for a variety of
criminal activities (DDoS, spamming etc.).

That said, while the ports vary, I believe that a large amount of the
high-port activity is in fact probably related to things such as
BitTorrent, namely users attempting to use BT over Tor: the client
detects the exit's IP as its public IP and reports that to the tracker,
resulting in large numbers of machines attempting to make TCP connections
to the system, usually with significant UDP traffic also.

In general I'd say that getting a large number of hits on your firewall
is pretty much expected as a result of this.  For a DDoS, by far the more
effective tactic would be to hit an open port, and all relays are
advertising at least one of these, so I do not believe this is a DDoS.
There are much more effective methods to perform a DDoS attack on the
network, including several that are not merely more effective due to
amplification but would also be a lot more subtle, because they would
blend into the normal traffic better using standard protocols and
features available on the network; need I mention DNS, for example.

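The following is an added example, not code from this thread or from the Tor project, showing the collation grarpamp suggests (SYN hits grouped by source IP and destination port, ready for an abuse report to the netblock contact) and a rough separation of the three patterns discussed above: probes of a known proxy port such as 8118, a single source sweeping many ports, and many distinct sources converging on one advertised high port as a BitTorrent swarm would. It assumes the tab-separated column layout of the table quoted earlier; the log lines, the proxy port table and the thresholds are constructed for the example and are not values from the thread.

```python
from collections import Counter, defaultdict

# Assumed mapping of well-known HTTP proxy ports; 8118 is privoxy's default.
PROXY_PORTS = {8118: "privoxy", 8123: "polipo", 3128: "squid", 8080: "http-proxy"}

# Constructed sample flow log (NOT from the original post), in the same
# tab-separated columns as the table quoted in the thread. Addresses are
# taken from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
UTC DATE\tUTC TIME\tIP\tSRC-ISP\tSPT\tDST\tDST-ISP\tDPT\tFlags
2013-03-28\t07:33:38\t192.0.2.10\tExample Hosting A\t2571\t203.0.113.1\tRelay ISP\t8118\t[S]
2013-03-28\t07:33:41\t192.0.2.10\tExample Hosting A\t2572\t203.0.113.1\tRelay ISP\t8118\t[S]
2013-03-28\t07:34:02\t192.0.2.55\tExample Hosting B\t40211\t203.0.113.1\tRelay ISP\t8118\t[S]
2013-03-28\t07:35:10\t198.51.100.7\tExample Cable\t51413\t203.0.113.1\tRelay ISP\t51413\t[S]
2013-03-28\t07:35:12\t198.51.100.8\tExample DSL\t6881\t203.0.113.1\tRelay ISP\t51413\t[S]
2013-03-28\t07:35:15\t198.51.100.9\tExample Fibre\t47002\t203.0.113.1\tRelay ISP\t51413\t[S]
2013-03-28\t07:36:00\t192.0.2.200\tExample VPS\t55000\t203.0.113.1\tRelay ISP\t22\t[S]
2013-03-28\t07:36:01\t192.0.2.200\tExample VPS\t55001\t203.0.113.1\tRelay ISP\t23\t[S]
2013-03-28\t07:36:02\t192.0.2.200\tExample VPS\t55002\t203.0.113.1\tRelay ISP\t3389\t[S]
2013-03-28\t07:36:03\t192.0.2.200\tExample VPS\t55003\t203.0.113.1\tRelay ISP\t445\t[S]
2013-03-28\t07:40:00\t198.51.100.7\tExample Cable\t51414\t203.0.113.1\tRelay ISP\t443\t[A]
"""


def parse_flow_log(text):
    """Parse tab-separated rows into dicts, skipping the header and malformed rows."""
    records = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) != 9 or cols[0] == "UTC DATE":
            continue
        date, time, src, src_isp, spt, dst, dst_isp, dpt, flags = cols
        try:
            records.append({"src": src, "src_isp": src_isp, "spt": int(spt),
                            "dst": dst, "dpt": int(dpt), "flags": flags})
        except ValueError:
            continue  # non-numeric port field: skip the row rather than crash
    return records


def syn_only(records):
    """Keep unsolicited connection attempts: a bare SYN with no ACK set."""
    return [r for r in records if "S" in r["flags"] and "A" not in r["flags"]]


def collate_by_source(records):
    """Per source IP, a Counter of destination ports hit: the data you would
    attach to a report to the netblock or PTR domain contact."""
    by_src = defaultdict(Counter)
    for r in syn_only(records):
        by_src[r["src"]][r["dpt"]] += 1
    return dict(by_src)


def classify(records, scan_ports=4, swarm_sources=3):
    """Split the SYN noise into the three patterns discussed in the thread.

    proxy_scan   : sources probing a known HTTP proxy port (8118 privoxy etc.)
    port_scan    : one source touching at least scan_ports distinct ports
    torrent_like : a high destination port that at least swarm_sources
                   distinct sources converge on, i.e. a swarm chasing an
                   advertised peer port rather than a scanner sweeping ports
    Both thresholds are assumptions chosen for this example.
    """
    by_src = collate_by_source(records)
    proxy_scan = {s for s, ports in by_src.items() if set(ports) & set(PROXY_PORTS)}
    port_scan = {s for s, ports in by_src.items() if len(ports) >= scan_ports}
    sources_per_dport = defaultdict(set)
    for r in syn_only(records):
        sources_per_dport[r["dpt"]].add(r["src"])
    torrent_like = {dpt for dpt, srcs in sources_per_dport.items()
                    if dpt > 1024 and dpt not in PROXY_PORTS
                    and len(srcs) >= swarm_sources}
    return {"proxy_scan": proxy_scan, "port_scan": port_scan,
            "torrent_like": torrent_like}


def report_lines(records):
    """One line per source IP, busiest first, suitable for pasting into an abuse report."""
    by_src = collate_by_source(records)
    rows = sorted(by_src.items(), key=lambda kv: -sum(kv[1].values()))
    return [f"{src}\t{sum(ports.values())} SYN\tports={sorted(ports)}"
            for src, ports in rows]


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(classify(recs))
    print("\n".join(report_lines(recs)))
```

On the constructed input the two 8118 probers come out as proxy scans, 192.0.2.200 as a port sweep, and port 51413 as the swarm-style pattern; the single [A] row is dropped by syn_only because an ACK is a reply to something the host itself sent, not an unsolicited probe.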