[tor-relays] Intrusion Prevention System Software - Snort or Suricata

Tristan supersluether at gmail.com
Tue Oct 4 16:23:10 UTC 2016


Wouldn't it be interesting if we could set up some kind of central "Tor
Abuse Center" where all the complaints go, and all the relay operators can
help respond to them. I suppose it would be pretty chaotic though...

On Oct 4, 2016 11:18 AM, "pa011" <pa011 at web.de> wrote:

> Yes, it's ISP - plus 10 times more fire-power, both Markus and me,
> which is 10 times more work, sadly :-(
>
>
> On 04.10.2016 at 18:12, Markus Koch wrote:
> > Short answer: ISP
> >
> > I got 2 abuse mails (1 false positive) from Hostwinds in 4 months and
> > I get weekly mass reports from DigitalOcean.
> > And the thing that pisses me off is: It's all bots or tax spam or other
> > stuff I got weeks/months ago. Different day, same shitty abuse mail.
> >
> > Markus
> >
> >
> > 2016-10-04 18:03 GMT+02:00 Tristan <supersluether at gmail.com>:
> >> I don't know what I'm doing differently, because I only got 2 complaints in
> >> the last 2 months, and that was for SSH and SQL stuff.
> >>
> >>
> >> On Oct 4, 2016 11:01 AM, "pa011" <pa011 at web.de> wrote:
> >>>
> >>> Me too, Markus - could fill a folder with that tax issue :-((
> >>> Costing a lot of time to answer and restrict the IPs
> >>>
> >>> Plus my ISP moaning with good reason: "It's not just about you, but you're
> >>> giving a bad reputation to one /21 and one /22 subnet. That's ~ 3000 IPs
> >>> which are potentially endangered to be marked as source of malicious content
> >>> / blacklisted / whatever ... so you see, this is quite critical for us."
> >>>
> >>> On 04.10.2016 at 17:48, Markus Koch wrote:
> >>>> same shit here:
> >>>>
> >>>> Dear User,
> >>>> We are contacting you because of unusual activity coming from your IP
> >>>> address towards the IT infrastructure of the European Commission.
> >>>> In specific, since 03/10/2016, IP addresses 95.85.45.159 &
> >>>> 104.236.225.19 of Digital Ocean, located in the Netherlands (NL) and
> >>>> the USA respectively, have submitted a significantly large number of
> >>>> invalid VAT number requests as compared to the total number of
> >>>> requests (89,59% & 89,96% respectively) towards VAT numbers from a
> >>>> multiple of EU member States (MS) through the VIES on the Web service
> >>>> (http://ec.europa.eu/taxation_customs/vies/). For more information on
> >>>> Invalid VAT number requests please refer to FAQ, questions 7, 11, 12,
> >>>> 13 and 20 of the VIES on the WEB site
> >>>> (http://ec.europa.eu/taxation_customs/vies/faq.html).
> >>>> The scope of our team is to monitor on a daily basis the performance
> >>>> of the VIES-on-the-Web (VoW) service in order to ensure its
> >>>> performance in accordance with the standards agreed upon between EU's
> >>>> Directorate General for Taxation and Customs Union (DG TAXUD) and the
> >>>> EU Member States.
> >>>> Our objective is to secure constant and uninterrupted availability and
> >>>> flow of traffic (requests for VAT validation) at all times.
> >>>> Under this framework, our team intervenes whenever there is out of the
> >>>> ordinary, unusual and potentially suspicious use of the system that
> >>>> violates the rules of use as they are stated in the Specific
> >>>> disclaimer for this service, which is available at the VoW site
> >>>> (http://ec.europa.eu/taxation_customs/vies/disclaimer.html).
> >>>> Consequently, in order to allow flawless use of the service, we were
> >>>> obliged to block the access to VIES on the Web for the IP address
> >>>> 88.198.110.130.
> >>>> Following our action, we would like to know if you are aware of this
> >>>> situation. Furthermore, your cooperation and contribution is necessary
> >>>> in order to determine the reason for this occurrence.
> >>>> Please inform us if this behaviour is normal and if such, how often it
> >>>> should occur; we would then take action to unblock the traffic coming
> >>>> from the corresponding IP address assuming you will agree to follow a
> >>>> set ITSM VIES/Web Team
> >>>> "ITSM2 is a contracted support partner for the IT Service Management
> >>>> of the European Commission.
> >>>> This e-mail is a reply to your message sent to the
> >>>> TAXUD-VIESWEB at ec.europa.eu e-mail.
> >>>> Answers provided by the contactor are on behalf and according to
> >>>> policy guidelines of DG TAXUD, but not binding for the European
> >>>> Commission."
> >>>>
> >>>> I am so done with it, I added
> >>>>
> >>>> ExitPolicy reject 147.67.136.103 # TAX SPAM
> >>>> ExitPolicy reject 147.67.136.21  # TAX SPAM
> >>>> ExitPolicy reject 147.67.119.103 # TAX SPAM
> >>>> ExitPolicy reject 147.67.119.3   # TAX SPAM
> >>>> ExitPolicy reject 147.67.136.3   # TAX SPAM
> >>>> ExitPolicy reject 147.67.119.21  # TAX SPAM
> >>>>
> >>>> That's going on for months now and by all means, this is not free speech
> >>>> ...
> >>>>
> >>>> Markus.
> >>>>
> >>>>
> >>>>
> >>>> 2016-10-04 17:42 GMT+02:00 pa011 <pa011 at web.de>:
> >>>>> On 04.10.2016 at 16:48, krishna e bera wrote:
> >>>>>> On 04/10/16 08:48 AM, pa011 wrote:
> >>>>>>> One of my main ISPs is going mad with the number of abuses he gets
> >>>>>>> from my Exits (currently most on port 80).
> >>>>>>> He asks me to install "Intrusion Prevention System Software" or
> >>>>>>> to shut down the servers.
> >>>>>>
> >>>>>> You can first ask him for a copy of the complaints in order to
> >>>>>> understand what sort of alleged abuses are taking place.  Are the
> >>>>>> complaints about spam or scraping or web server exploits or something
> >>>>>> else?
> >>>>>
> >>>>> I do get a copy of every complaint - they are unfortunately:
> >>>>>
> >>>>> - HTTP browser intrusion -
> >>>>> /var/log/apache2/other_vhosts_access.log:soldierx.com:80 xxx.xxx.xxx.xxx - - [30/Sep/2016:11:14:34 -0400] "HEAD / HTTP/1.0" 302 192 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"
> >>>>>
> >>>>> - invalid VAT number requests
> >>>>>
> >>>>> - recorded connection attempt(s) from your hosts to our honeypots
> >>>>>
> >>>>> - Issue: Source has attempted the following botnet activity: Semalt
> >>>>> Referrer Spam Tor Exit Bot
> >>>>>
> >>>>> - botnet drone|Description: Ramnit botnet victim connection to sinkhole
> >>>>> details,
> >>>>>
> >>>>> - attackers used the method/service: *imap*
> >>>>>
> >>>>>> You can change your exit policy to reduce likelihood of complaints:
> >>>>>> https://blog.torproject.org/blog/tips-running-exit-node
> >>>>>
> >>>>> I know, but I hardly like to block port 80
> >>>>>
> >>>>>>> As far as I understand, implementing such software does not go
> >>>>>>> together with Tor - am I right?
> >>>>>>
> >>>>>> If your exit nodes tamper with traffic in any way they will be labelled
> >>>>>> as Bad Exit. (Tor tries to be net neutral.)
> >>>>>> https://trac.torproject.org/projects/tor/wiki/doc/badRelays
> >>>>>>
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> tor-relays mailing list
> >>>>>> tor-relays at lists.torproject.org
> >>>>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> >>>>>>
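Markus's per-host rejects and pa011's reluctance to drop port 80 outright both hinge on how Tor evaluates ExitPolicy lines: first match wins, an omitted port means every port, and a trailing catch-all decides the rest. The Python below is an added example, not code from the thread or from the Tor project; it parses the quoted rules (IPv4 accept/reject only, a simplifying assumption) and shows that they block only the listed hosts while leaving port 80 open to every other destination (203.0.113.10 is a constructed documentation address).

```python
import ipaddress

# Constructed sample: the ExitPolicy lines quoted in the thread plus a catch-all
# (Tor appends its own default policy; "accept *:*" stands in for it here).
TARGETED_POLICY = """
ExitPolicy reject 147.67.136.103 # TAX SPAM
ExitPolicy reject 147.67.136.21  # TAX SPAM
ExitPolicy reject 147.67.119.103 # TAX SPAM
ExitPolicy reject 147.67.119.3   # TAX SPAM
ExitPolicy reject 147.67.136.3   # TAX SPAM
ExitPolicy reject 147.67.119.21  # TAX SPAM
ExitPolicy accept *:*
"""

def parse_rule(rule):
    """Parse 'accept|reject ADDR[/MASK][:PORT]' (IPv4 only); None if empty."""
    if not (rule := rule.strip()):
        return None
    action, target = rule.split()
    addr, sep, port = target.rpartition(":")
    if not sep:                      # no ':' -> PORT omitted, which means '*'
        addr, port = target, "*"
    net = ipaddress.ip_network("0.0.0.0/0" if addr == "*" else addr, strict=False)
    if port == "*":
        lo, hi = 1, 65535
    elif "-" in port:                # port range FROM-TO
        lo, hi = (int(p) for p in port.split("-", 1))
    else:
        lo = hi = int(port)
    return action, net, lo, hi

def parse_policy(text):
    """Turn torrc-style ExitPolicy lines (comments, comma lists) into rules."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().removeprefix("ExitPolicy")
        rules.extend(r for r in map(parse_rule, line.split(",")) if r)
    return rules

def exit_allowed(rules, ip, port):
    """First matching rule wins, which is how Tor walks an exit policy."""
    dest = ipaddress.ip_address(ip)
    for action, net, lo, hi in rules:
        if dest in net and lo <= port <= hi:
            return action == "accept"
    return True  # only reached without a catch-all; Tor would use its default

TARGETED = parse_policy(TARGETED_POLICY)
# Blanket alternative pa011 wants to avoid: it drops HTTP for every destination.
BLANKET = parse_policy("ExitPolicy reject *:80\nExitPolicy accept *:*")
```

The same matcher handles masks and port ranges, so a rule such as `reject 147.67.136.0/24:80-443` can be checked before it goes into torrc.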