[tor-relays] Dealing with OVH Abuse Complaints

Michael Armbruster tor at armbrust.me
Wed Oct 5 09:38:40 UTC 2016


On 2016-10-05 at 09:55, teor wrote:
> Hi,
> 
> Does anyone have experience running a long-lived Exit on OVH / So You Start?
> 
> We've just received a threat to shut down our OVH Exit due to abuse complaints.
> We were responding to these automated reports (mainly SSH brute force) with template responses, offering to block the destination IP and port if the remote site wanted us to. We never received a reply.
> 
> What does OVH expect its Exit operators to do with complaints?
> Should we have blocked each complaining IP address as soon as we received a complaint?
> 
> Tim
> 
> T
> 
> --
> Tim Wilson-Brown (teor)
> 
> teor2345 at gmail dot com
> PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
> ricochet:ekmygaiu4rzgsk6n
> xmpp: teor at torproject dot org

Hi Tim,

I am hosting a Tor exit node on Kimsufi (also a company of OVH; it's
very similar to So You Start) and got two complaints from them.

The first one was a 4K port scan on port 10000 done via my exit node and
they said they'll have to shut down the server if it happens again. I
responded to that incident via mail that I blocked port 10000 and got no
answer so far (that was about 2 months ago).

Currently, only a few days/weeks back, they sent another abuse report to
my mail address, 5K port scans on port 22. This time around, they put my
server into recovery mode (read-only) to prevent further "hacking
attacks" as they call it. I reset the boot mode (Netboot in your
customer interface btw) to normal HDD boot and blocked port 22 via exit
policy, but this time I didn't send an email to them, as they didn't
answer my first one.

Abuse complaints from other companies or individuals were never sent to
me, though, if there were any on OVH's side. Those two incidents were
automatic reports and detections from OVH's anti-abuse/anti-hacking
infrastructure.

Best,
Michael
