[tor-relays] Botnet

teor teor2345 at gmail.com
Tue Aug 25 14:17:35 UTC 2015

> On 25 Aug 2015, at 23:54, Heiko Tropartz <butary at gmx.de> wrote:
> Hello,
> my ISP deactivated the network traffic of my tor-exit relay because the server is part of the following botnets:
> - Wapomi
> - AldiBot
> - Darkness Bot
> In the last 2 hours I analysed the sparse log files and checked the system by checksums I created after the installation.
> The linux server is clean.
> I send an answer to my ISP, that the server is only an exit-relay for Tor traffic. I also attached a list security software including configurations that I installed.
> But the network traffic keeps blocked until I guarantee for a secure network traffic.
> Can someone advise me what to do?
> Any tips and hints?

It's unfortunate your provider doesn't understand the concept of an overlay network, or even the concept of a proxy.

If they are going to continue to judge you by your traffic, here's how you can change the traffic allowed through your exit:

If the botnets connect to particular IP addresses or ports, you can block those in your Tor Exit policy or server firewall.

Alternately, if the complainants / honeypots are on particular IPs, you can block those.

You might have to ask your ISP what IPs or ports are generating the complaints.

Tim (teor)

Tim Wilson-Brown (teor)

teor2345 at gmail dot com
pgp 0xABFED1AC

teor at blah dot im
OTR D5BE4EC2 255D7585 F3874930 DB130265 7C9EBBC7

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20150826/f0487a63/attachment.html>

More information about the tor-relays mailing list