[tor-relays] Ongoing scan from FDCServers block

justaguy justaguy at riseup.net
Wed Aug 27 18:48:08 UTC 2014


Hmm, FDC Servers is known for doing bad things on Tor:
https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack
IIRC this was on FDC Servers too.
On 2014-08-27 10:43, linenoiz at Safe-mail.net wrote:
> For the past week or so I've been seeing unsolicited echo replies coming from the FDC Servers block and another that looks like it is owned by China(?). Most of the entries are from 67.159.54.101, and I am seeing around one per minute. I verified by running tcpdump for a couple of minutes (no longer, I'm not an illegal wiretapper!) that I'm not sending echo requests. iptables is configured to drop and log this invalid traffic.
>
> Any idea what they are trying to accomplish? Some convoluted way of pinging me because they don't get an ICMP unreachable back? And why every minute?
>
> DENY IN=eth0 OUT= MAC=xxx SRC=67.159.54.101 DST=yyy LEN=40 TOS=0x08 PREC=0x20 TTL=55 ID=61817 PROTO=ICMP TYPE=0 CODE=0 ID=10249 SEQ=0
> DENY IN=eth0 OUT= MAC=xxx SRC=67.159.54.101 DST=yyy LEN=40 TOS=0x08 PREC=0x20 TTL=55 ID=61817 PROTO=ICMP TYPE=0 CODE=0 ID=58375 SEQ=0
> DENY IN=eth0 OUT= MAC=xxx SRC=67.159.54.102 DST=yyy LEN=40 TOS=0x08 PREC=0x20 TTL=55 ID=39417 PROTO=ICMP TYPE=0 CODE=0 ID=62498 SEQ=0
>
> DENY IN=eth0 OUT= MAC=xxx SRC=50.117.112.42 DST=yyy LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=28340 PROTO=ICMP TYPE=0 CODE=0 ID=30728 SEQ=0
> DENY IN=eth0 OUT= MAC=xxx SRC=50.117.112.42 DST=yyy LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=28334 PROTO=ICMP TYPE=0 CODE=0 ID=30728 SEQ=0
> DENY IN=eth0 OUT= MAC=xxx SRC=50.117.112.42 DST=yyy LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=28335 PROTO=ICMP TYPE=0 CODE=0 ID=54277 SEQ=0
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
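The log lines quoted above are the standard iptables LOG format, and the poster's own tcpdump check (no outbound echo requests) is exactly the correlation a stateless ICMP rule cannot do for you. The script below is an added example, not code from either poster or from the Tor project: it parses those six lines (embedded as a constructed sample, with the poster's MAC=xxx / DST=yyy placeholders kept), counts inbound TYPE=0 replies per source that match no echo request the host sent, and profiles each source's ICMP identifiers, TTLs and sequence numbers. The `sent_requests` set, the `ICMP_ID` field name and the `looks_like_probe` heuristic are this example's own assumptions; the page does not say what the senders are trying to accomplish, and the heuristic only records what is visible in the lines (several distinct identifiers, SEQ never advancing past 0).

```python
"""Parse iptables LOG output and flag unsolicited ICMP echo replies.

Added example (not from the tor-relays thread): a stateless firewall that
logs TYPE=0 (echo reply) packets cannot tell a genuine reply from a probe,
so this correlates each inbound reply against the echo requests the host
itself sent, then profiles what each source's replies look like.
"""
import re
from collections import Counter, defaultdict

# Constructed sample input: the six log lines quoted in the post, with the
# poster's MAC=xxx / DST=yyy placeholders left in place.
SAMPLE_LOG = """\
DENY IN=eth0 OUT= MAC=xxx SRC=67.159.54.101 DST=yyy LEN=40 TOS=0x08 PREC=0x20 TTL=55 ID=61817 PROTO=ICMP TYPE=0 CODE=0 ID=10249 SEQ=0
DENY IN=eth0 OUT= MAC=xxx SRC=67.159.54.101 DST=yyy LEN=40 TOS=0x08 PREC=0x20 TTL=55 ID=61817 PROTO=ICMP TYPE=0 CODE=0 ID=58375 SEQ=0
DENY IN=eth0 OUT= MAC=xxx SRC=67.159.54.102 DST=yyy LEN=40 TOS=0x08 PREC=0x20 TTL=55 ID=39417 PROTO=ICMP TYPE=0 CODE=0 ID=62498 SEQ=0
DENY IN=eth0 OUT= MAC=xxx SRC=50.117.112.42 DST=yyy LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=28340 PROTO=ICMP TYPE=0 CODE=0 ID=30728 SEQ=0
DENY IN=eth0 OUT= MAC=xxx SRC=50.117.112.42 DST=yyy LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=28334 PROTO=ICMP TYPE=0 CODE=0 ID=30728 SEQ=0
DENY IN=eth0 OUT= MAC=xxx SRC=50.117.112.42 DST=yyy LEN=40 TOS=0x00 PREC=0x00 TTL=56 ID=28335 PROTO=ICMP TYPE=0 CODE=0 ID=54277 SEQ=0
"""

KV_RE = re.compile(r"([A-Z]+)=(\S*)")
ICMP_ECHO_REPLY = "0"   # ICMP type 0; type 8 would be an echo request


def parse_line(line):
    """Split one iptables LOG line into a dict of its KEY=VALUE fields.

    The kernel emits two fields named ID: the IP header ID, then the ICMP
    identifier. The second one is stored as ICMP_ID (this example's own
    name) so both survive.
    """
    fields = {}
    for key, val in KV_RE.findall(line):
        if key == "ID" and "ID" in fields:
            key = "ICMP_ID"
        fields[key] = val
    return fields


def unsolicited_echo_replies(lines, sent_requests=frozenset()):
    """Count inbound echo replies per source that answer no request we sent.

    sent_requests is an assumed set of (peer_ip, icmp_id) pairs recorded for
    outbound echo requests; it is empty here because the poster confirmed
    with tcpdump that the host sent none. A reply whose (SRC, ICMP_ID) is in
    the set is the normal answer to our own ping; anything else is unsolicited.
    """
    counts = Counter()
    for line in lines:
        f = parse_line(line)
        if f.get("PROTO") != "ICMP" or f.get("TYPE") != ICMP_ECHO_REPLY:
            continue
        if not f.get("IN"):                 # only packets that arrived on an interface
            continue
        if (f["SRC"], f["ICMP_ID"]) in sent_requests:
            continue
        counts[f["SRC"]] += 1
    return counts


def per_source_profile(lines):
    """Per source: how many replies, the distinct ICMP identifiers, TTLs and
    sequence numbers seen. A single ping session keeps one identifier and
    increments SEQ; the sample shows the opposite shape."""
    prof = defaultdict(lambda: {"count": 0, "icmp_ids": set(),
                                "ttls": set(), "seqs": set()})
    for line in lines:
        f = parse_line(line)
        if f.get("PROTO") != "ICMP" or f.get("TYPE") != ICMP_ECHO_REPLY:
            continue
        p = prof[f["SRC"]]
        p["count"] += 1
        p["icmp_ids"].add(f["ICMP_ID"])
        p["ttls"].add(int(f["TTL"]))
        p["seqs"].add(int(f["SEQ"]))
    return dict(prof)


def looks_like_probe(profile):
    """This example's heuristic: more than one reply, more than one ICMP
    identifier, and SEQ never advancing past 0."""
    return (profile["count"] > 1
            and len(profile["icmp_ids"]) > 1
            and profile["seqs"] == {0})


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, n in unsolicited_echo_replies(lines).items():
        print(f"{src}: {n} unsolicited echo replies")
    for src, p in per_source_profile(lines).items():
        verdict = "probe-like" if looks_like_probe(p) else "inconclusive"
        print(f"{src}: ids={sorted(p['icmp_ids'])} ttl={sorted(p['ttls'])} {verdict}")
```

The same correlation can be done in the firewall itself rather than after the fact: Linux connection tracking matches an echo reply to the echo request that carries the same ICMP identifier, so accepting `-p icmp --icmp-type echo-reply` only with `-m conntrack --ctstate ESTABLISHED` lets your own pings be answered while replies like the ones above fall through to the DENY/log rule. The quoted lines carry no timestamps, so the "one per minute" rate the poster reports is not something this script can check from them.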