[tor-relays] Exit relays abused to attack Google services

UDN Tor tor-operator at urdn.com.ua
Wed Feb 2 00:19:36 UTC 2022 

Google is now sending abuse reports complaining of DDoS attacks against
their services. While they believe the IPs are participating in a
botnet, it is clear that they are Tor exit relays.

I don't know why they are sending us the report after the attacks have
ended. Besides, since Google services are unusable over Tor, this
should not have caused them much damage.

I suspect the attacker is trying to get relays shut down by triggering
Google reports that would scare off the ISPs.

If you are an ISP and you have received the same report, please let me
know. I'd like to know if this was global or if we've been "selected".

> From: ddos-reports at google.com
> To: abuse at urdn.com.ua
> Subject: [#zMto] DDoS from your IPs to Google from 2022-01-28 to
> 2022-01-31
> Date: Tue, 01 Feb 2022 20:22:42 +0000
> 
> We observed IPs under your control participating in DDoS attacks
> targeting Google services, including a prolonged DDoS attack from
> January 28-31 against the Google Search Console.
> 
> The attacks were Layer 7 / HTTP request floods.  Your participating
> IPs are listed below, along with the stop time in UTC and targeted
> Google IPs.  We request that you enforce your Acceptable Use Policy
> against these customers.
> 
> +-----------------+-----------------+----------+---------------------+
> | Source          | Destination     | DestPort | Time_UTC            |
> +-----------------+-----------------+----------+---------------------+
> | 193.218.118.62  | 142.250.180.227 | 443      | 2022-01-31 15:55:01 |
> | 193.218.118.90  | 142.250.180.195 | 443      | 2022-01-31 15:53:28 |
> | 193.218.118.100 | 172.217.19.99   | 443      | 2022-01-31 14:43:09 |
> | 193.218.118.101 | 142.250.180.227 | 443      | 2022-01-31 17:32:54 |
> | 193.218.118.125 | 142.250.180.227 | 443      | 2022-01-31 15:55:28 |
> | 193.218.118.145 | 142.250.180.195 | 443      | 2022-01-31 15:55:30 |
> | 193.218.118.147 | 142.251.39.35   | 443      | 2022-01-31 15:41:36 |
> | 193.218.118.155 | 142.250.180.195 | 443      | 2022-01-31 13:45:43 |
> | 193.218.118.156 | 142.250.180.227 | 443      | 2022-01-31 15:57:52 |
> | 193.218.118.158 | 142.250.180.227 | 443      | 2022-01-31 18:41:34 |
> | 193.218.118.167 | 142.250.201.195 | 443      | 2022-01-31 15:56:53 |
> | 193.218.118.182 | 142.251.39.3    | 443      | 2022-01-31 17:31:57 |
> | 193.218.118.183 | 142.250.180.227 | 443      | 2022-01-31 17:42:40 |
> | 193.218.118.231 | 142.250.180.227 | 443      | 2022-01-31 17:43:08 |
> +-----------------+-----------------+----------+---------------------+
> 
> Note we believe some of these IPs are part of the Meris or Dvinis
> botnets.  If you are a residential Internet service provider, it is
> possible that your customers' routers themselves have been
> compromised.  You should research the Meris botnet and take
> appropriate actions to have them secure their CPE (customer-premises
> equipment).
> 
> -- 
> Security Reliability Engineering :: Google :: AS15169

More information about the tor-relays mailing list