Port scan abuse from Hetzner

Followup from topic [tor-relays] abuse report from relays in family 7EAAC49A7840D33B62FA276429F3B03C92AA9327

I got two abuses today from Hetzner regarding port scanning. Well, it was a false positive, as usual, but my response was this:

[details]

Hello,

Thank you for the notification (AbuseID XXXXXX).

The reported connections from 65.108.157.98 were made by a non-exit Tor relay (ExitRelay 0).

The destination addresses, such as 96.9.98.3:443, belong to other Tor relays and bridges operated by actors, i.e. 1st Amendment Encrypted Openness LLC (SAEOL-1).

These brief 74-byte TCP SYN packets are normal Tor OR-port connections over 443/TCP, not scanning activity.

To avoid confusion I have verified that my node is configured only as an entry/middle relay and added an explicit ExitPolicy reject *:* line in torrc configuration. (note: actually not, because that can’t be used there, but the effect is the same)

Please note that IDS systems often misclassify Tor relay handshake traffic as “port scans” because the connections occur on 443/TCP and may retry multiple times.

Regards,
[/details]

I don’t know anything about nothing, so I don’t know if that explanation was actually true. But I reckon it’s valid.

But out of curiosity. Why does that happen and is there something I should take care of, technically?
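
One way to check the claim made in the reply above before sending it, as an added example that is not part of the original post: compare each reported destination with the OR addresses in a relay list. The relay list is assumed to have the shape of an Onionoo "details" document (`relays[].or_addresses`); the log layout, relay nicknames and all sample values are constructed.

```python
import ipaddress
import json
import re

# Constructed sample: a cut-down relay list in the shape of an Onionoo
# "details" document (relays[].or_addresses holds "ip:port" strings).
SAMPLE_DETAILS = json.loads("""
{"relays": [
  {"nickname": "exampleA", "or_addresses": ["96.9.98.3:443"]},
  {"nickname": "exampleB", "or_addresses": ["198.51.100.7:9001", "[2001:db8::7]:9001"]}
]}
""")

# Constructed sample log lines; the layout is an assumption, not the provider's format.
SAMPLE_LOG = """\
2025-01-01T10:00:01Z TCP 65.108.157.98 41022 => 96.9.98.3 443
2025-01-01T10:00:02Z TCP 65.108.157.98 41023 => 96.9.98.3 443
2025-01-01T10:00:03Z TCP 65.108.157.98 41500 => 198.51.100.7 9001
2025-01-01T10:00:04Z TCP 65.108.157.98 41777 => 203.0.113.50 22
"""

LINE_RE = re.compile(r"^\S+\s+TCP\s+(\S+)\s+\d+\s+=>\s+(\S+)\s+(\d+)$")

def or_endpoints(details):
    """Return the set of (ip, port) OR endpoints listed for all relays."""
    endpoints = set()
    for relay in details.get("relays", []):
        for addr in relay.get("or_addresses", []):
            host, port = addr.rsplit(":", 1)  # IPv6 entries look like "[addr]:port"
            endpoints.add((ipaddress.ip_address(host.strip("[]")), int(port)))
    return endpoints

def triage(log_text, details):
    """Split reported flows into known OR-port connections and unexplained ones."""
    known = or_endpoints(details)
    explained, unexplained = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip headers and blank lines
        dst = (ipaddress.ip_address(m.group(2)), int(m.group(3)))
        (explained if dst in known else unexplained).append(dst)
    return explained, unexplained

if __name__ == "__main__":
    ok, odd = triage(SAMPLE_LOG, SAMPLE_DETAILS)
    print(f"{len(ok)} flows to known OR ports, {len(odd)} unexplained: {odd}")
```

Any flow left in the unexplained list (the port 22 line in the sample) is the part to investigate on the host before replying to the provider.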