[tor-relays] Receiving abuse reports for Non-Exit Relay

Tortue tortue at z3ven.nl
Tue Aug 1 14:39:32 UTC 2023


Hi John,

Would it be possible that another device on your network is responsible for the network scanning? If you have an infected PC for instance, your provider would not see the difference.

Regards, Paul


------- Original Message -------
On Thursday 27 July 2023 at 21:54, John Crow via tor-relays <tor-relays at lists.torproject.org> wrote:


> Hello,
> 

> It is honestly still puzzling to me considering that the relay wasn’t compromised or misconfigured.
> 

> If you or anyone wants to check out the reports
> https://www.abuseipdb.com/check/23.132.184.31
> 
> On Wed, Jul 26, 2023 at 2:16 PM, mpan - tor-1qnuaylp at mpan.pl <tor-1qnuaylp_at_mpan_pl_zcbqwoytkh at simplelogin.co> wrote:
> 

> > > In the past 24 hrs, I have been receiving complaints from my hosting provider that they're receiving hundreds of abuse reports related to port scanning. I have no clue why I'm all of the sudden receiving abuse reports when this non-exit relay has been online for months without issues. In addition, I have other non-exit relays hosted by the same provider with no issues and more across other providers.
> > >
> > > I proceeded to reinstall the OS and reconfigure Tor. I was then quickly notified by my hosting provider again of more abuse reports all showing port 22 as target port.
> > >
> > > I have not changed my torrc at all and it's still setup as a non-exit relay. No other applications/services were installed alongside Tor. Tor Metrics does not show the relay as Exit either.
> > >
> > > It feels like Tor Exit Traffic is leaking through my non-exit relay?
> > Hello,
> > 

> > To me it seems like bogus or invalid reports. With certainty over 19
> > in 20. The picture simply does not fit port scanning.
> > 

> > 1. Not only middle relays, but exit nodes can only perform complete
> > TCP connections. Port scanning usually involves a SYN or UDP scan, which
> > is technically not possible to be done using any Tor node.
> > 

> > 2. Even if we assume somebody is hurting oneself by performing a
> > full-connection TCP scan, you mention only one port is being reported. A
> > port scan involves many ports. And this is not merely pedanticism
> > regarding naming. The detection of a port scan relies on this. In other
> > words: there is no way to classify traffic as a port scan, if only one
> > port is affected.
> > 

> > Since only port 22 is affected and 22 is not a common port for Tor
> > relays, you may simply block egress traffic to this port altogether. The
> > same as IP address ranges for which reports come. If the reports
> > continue coming, you can be almost sure they are false. The little
> > uncertainty remains for some attacker having root (or above-root)
> > access to your machine, but this is not coming from your Tor relay.
> > 

> > Before blocking IP address ranges, check if they are not relays. I do
> > not want to make positive statements about one trying to affect Tor
> > network, but such a possibility should also not be excluded without
> > checking.
> > 

> > Cheers
> > _______________________________________________
> > tor-relays mailing list
> > tor-relays at lists.torproject.org
> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
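Added example (my own code, not from any of the posters): the two checks from the quoted reply, the "single port is not a port scan" heuristic and the "check whether a reported range contains relays before blocking it", run over a constructed log and a constructed relay list. The log format, the three-port threshold and the relay set are assumptions for the example; in practice the relay list would come from the consensus or Onionoo.

```python
import ipaddress
from collections import defaultdict

# Constructed firewall-style connection log (sample data, not real traffic):
# each line is "<src_ip> -> <dst_ip>:<dst_port>".
SAMPLE_LOG = """\
198.51.100.7 -> 203.0.113.10:22
198.51.100.7 -> 203.0.113.11:22
198.51.100.7 -> 203.0.113.12:22
192.0.2.55 -> 203.0.113.10:22
192.0.2.55 -> 203.0.113.10:80
192.0.2.55 -> 203.0.113.10:443
192.0.2.55 -> 203.0.113.10:8080
"""

# Constructed stand-in for the relay address list you would normally take
# from the consensus or Onionoo; it exists only to show the check.
KNOWN_RELAYS = {"198.51.100.7"}

# Assumed threshold: distinct destination ports from one source before the
# traffic is called a port scan.
PORT_SCAN_MIN_PORTS = 3


def parse_log(text):
    """Turn the sample log into (src_ip, dst_ip, dst_port) tuples."""
    events = []
    for line in text.splitlines():
        src, dst = line.split(" -> ")
        dst_ip, dst_port = dst.rsplit(":", 1)
        events.append((src, dst_ip, int(dst_port)))
    return events


def classify_sources(events):
    """Map src_ip -> (distinct_dst_ports, is_port_scan).
    One port hit on many hosts is not a port scan; a scan needs many
    distinct ports from the same source (point 2 in the thread)."""
    ports = defaultdict(set)
    for src, _dst_ip, port in events:
        ports[src].add(port)
    return {s: (len(p), len(p) >= PORT_SCAN_MIN_PORTS) for s, p in ports.items()}


def relay_hits(reported_ranges, relays=KNOWN_RELAYS):
    """Before blocking a reported address or range, list the relays it covers."""
    relay_addrs = [ipaddress.ip_address(a) for a in relays]
    return {rng: sorted(str(a) for a in relay_addrs
                        if a in ipaddress.ip_network(rng, strict=False))
            for rng in reported_ranges}
```

With the sample data the relay source hits only port 22 and is not flagged, the other source touches four ports and is, and the /24 a report might name turns out to contain a relay.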