[tor-relays] Exit relays abused to attack Google services

kantorkel at hamburg.freifunk.net
Wed Feb 2 11:10:20 UTC 2022


On 2/2/22 at 01:19, UDN Tor via tor-relays wrote:
> Google is now sending abuse reports complaining of DDoS attacks against
> their services. While they believe the IPs are participating in a
> botnet, it is clear that they are Tor exit relays.
> 
> I don't know why they are sending us the report after the attacks have
> ended. Besides, since Google services are unusable over Tor, this
> should not have caused them much damage.
> 
> I suspect the attacker is trying to get relays shut down by triggering
> Google reports that would scare off the ISPs.
> 
> If you are an ISP and you have received the same report, please let me
> know. I'd like to know if this was global or if we've been "selected".

We received 2 DDoS reports in Oct 2021 and 3 automated scraping notices in Nov and Dec 2021.

> We are seeing automated scraping of Google Web Search from a large
> number of your IPs/VMs.  Automated scraping violates our /robots.txt
> file and also our Terms of Service.  We request that you enforce your
> Acceptable Use Policy against these customers.

Best
kantorkel, Artikel10

> 
>> From: ddos-reports at google.com
>> To: abuse at urdn.com.ua
>> Subject: [#zMto] DDoS from your IPs to Google from 2022-01-28 to
>> 2022-01-31
>> Date: Tue, 01 Feb 2022 20:22:42 +0000
>>
>> We observed IPs under your control participating in DDoS attacks
>> targeting Google services, including a prolonged DDoS attack from
>> January 28-31 against the Google Search Console.
>>
>> The attacks were Layer 7 / HTTP request floods.  Your participating
>> IPs are listed below, along with the stop time in UTC and targeted
>> Google IPs.  We request that you enforce your Acceptable Use Policy
>> against these customers.
>>
>> Note we believe some of these IPs are part of the Meris or Dvinis
>> botnets.  If you are a residential Internet service provider, it is
>> possible that your customers' routers themselves have been
>> compromised.  You should research the Meris botnet and take
>> appropriate actions to have them secure their CPE (customer-premises
>> equipment).
>>
>> -- 
>> Security Reliability Engineering :: Google :: AS15169