[tor-relays] Traffic in port 9050 in a relay (denial of service attack?)

jj tor jjproyects at gmail.com
Tue Nov 5 19:10:09 UTC 2013


Hello again,


Indeed, port 9050 is closed, but not filtered. I've set up a drop rule
in the VPS firewall (Parallels Plesk Panel) on this port, but it's not
working fine.

I am amazed by the amount of this kind of traffic, more than 700
packets/second. According to Kent Backman, this is the clickfraud net
called "Rotpoi$on" (a lot of info at
https://b.kentbackman.com/2013/04/15/rotpoion-botnet-powered-by-thousands-of-servers/)

Maybe I'll be able to block all these incoming connections, but I'm afraid
that overall relay performance will decrease drastically because of all the
filtering work...


The relay --> Atlas: newTorThird:
https://atlas.torproject.org/#details/ACED456D102F634F8DB3CBE8BC9A96F2569EC33C


2013/11/5 Paritesh Boyeyoko <parity.boy at gmail.com>

>  @jj tor
>
>
>
> The fact that your relay is refusing connections says that the port isn't
> open, which is a good thing.
>
>
>
> I suspect that persons unknown have port scanned your VPS, realised that
> you have Tor running (on standard ports) and are speculatively using a bot
> to (hopefully) connect to the SOCKS interface.
>
>
>
> I would
>
>
>
> a) move the Tor relay to non-standard ports
>
> b) use iptables to drop all incoming connections apart from the (new) Tor
> ports and shell access.
>
>
>
> Best,
>
> --
>
> Parity
>
> parity.boy at gmail.com
>
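Advice (b) from the quoted reply, written out as an added example that is not part of either message: a shell function that prints a default-drop inbound ruleset in iptables-restore format without applying it. The ports 8443, 8080 and 22 are placeholder assumptions, since the thread names no replacement ports; IPv4 only.

```shell
#!/bin/sh
# Added example, not from the thread. Prints an iptables-restore ruleset;
# it does not touch the running firewall.

valid_port() {
    # Accept only decimal integers in 1..65535.
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

relay_ruleset() {
    # Args: ORPort, DirPort, SSH port (all hypothetical values chosen by the operator).
    [ "$#" -eq 3 ] || { echo "usage: relay_ruleset OR DIR SSH" >&2; return 1; }
    for p in "$@"; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done
    # INPUT policy DROP: anything not matched below (for example 9050/tcp)
    # gets no reply at all, so the port shows as filtered rather than closed.
    # The ESTABLISHED,RELATED rule sits near the top so packets of existing
    # relay connections match early and never reach the per-port rules.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport $1 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport $2 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport $3 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Placeholder ports (assumptions); override through the environment.
# Check the output with: ... | iptables-restore --test
relay_ruleset "${OR_PORT:-8443}" "${DIR_PORT:-8080}" "${SSH_PORT:-22}"
```

The ORPort and DirPort passed in must match the values set in torrc, and the SSH port must be the one actually in use, or loading the ruleset cuts off shell access.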