wilsonchua

We like to contribute to this effort. We have compiled a list of 12,407 potentially spoofed IPs during the attack campaign. Who do we send it to?

1 reply

gus Community Team lead

Please contact security@torproject.org.

wilsonchua

Email sent containing link to the Google sheet.

ckcr4lyf

Interesting stuff.

> the origin of these spoofed packets was identified and shut down on November 7th, 2024.

Could you guys share some more info about the attacker? Nation-state, malware group, something else?

1 reply

Vort

Additional questions:

1. Were there any consequences for attacker? Can he easily relaunch attack from different “origin”?
2. What steps were necessary for “identification” and “shutting down”? Such “guide” can be useful in case of other attacks. Previous attacks on Tor stopped because attackers got bored as far as I know. This is not how such large project as Tor should protect itself.

Honestly, I was disappointed by this blog post. So many words, but so little usable information.

1 reply

Redwave

Agreed. At the very least, we should be informed who the perpetrator was. This is required information if for nothing else than to allow a judgement to be made by operators on whether to block the IP range in case of further issues.

The perpetrator was not shy about their activities. I would like to know who it was, or a reason why it’s being withheld.

SirNeo

The spoofig is still a real thing.
One of my relays was just blocked. This time is from another ISP (not the one from last time) that directly closed the relay (the other one was more professional and asked me stuff first)

1 reply

Redwave

Yes. From two different relays:

tcp sport 22 tcp flags == 0x12 counter packets 431 bytes 25156

and

tcp sport 22 tcp flags == 0x12 counter packets 66 bytes 3936

Second relay shown above started as tor relay AFTER the annoucement that the source of the spoofing had been found and shut down.

From all the other machines I own, manage, or control that have never run relays:

tcp sport 22 tcp flags == 0x12 counter packets 0 bytes 0

Analysis: Spoofing is still occuring, still actively targetting new relays which are coming online, and seems to only be targeting relays. Which is why we need to know who the known perpetrator was.

In better news, I am monitoring about a hundred other ports for evidence of spoofing and see so far see none. That said, port 22 is sort of special, though, as one of the only ports that is both very commonly used across the wider internet and yet not a port that welcomes anonymous/public connections.

UPDATE: From nature and timing of port 22 SYN-ACKS received on my machines, I now suspect they are as a result of connections to a current relay operator. I believe adversary is using incoming tor relay connections to trigger outgoing port 22 spoofs, with the mechanism perhaps as simple as a TEE + DNAT.

wilsonchua

Here is a paper that proposes a novel way to detect the actual spoofed IP owner: