I received the following email: We’ve received an abuse report about your server for MultiHost/MultiPort Probe, Scan, Hack. What are the steps I need to take to stop this?
If you are sure your server is secure and you are not portscanning yourself, there is not much you can do. But you are not the only one facing this problem. Someone out there is spoofing the IPs of Tor relays to trigger such abuse reports.
See [tor-relays] Tor relays source IPs spoofed to mass-scan port 22?
and delroth's homepage - One weird trick to get the whole planet to send abuse complaints to your best friend(s)
I tried to post to the mailing list that there needs to be an official response from The Tor Project about this. So far they have let the relay operators face this alone with no help. One relay operator had a ten-VPS server account locked with no recourse. A lot of others have lost accounts in ones and twos or been threatened with action.
A well worded blog entry explaining the attack would be a very welcome assistance to refer our providers to. It wouldn’t have to (and shouldn’t) mention this discredit attack is targeting relay operators. It would be nice if it could simply say the attack is targeting privacy volunteers for the project.
nmap only shows 443 and my SSH port as open. I hope it’s just a one-time thing.
Okay, I will just continue monitoring the situation. I changed the default SSH port 22 to something else; maybe it will help. Thanks for your help everyone.
Same here, running a relay from my home connection. Received abuse report from my ISP.
tcpdump shows lots of SYN ACKs and RSTs from servers around the world from port 22.
It will not, because this has absolutely nothing to do with your ssh daemon. This is a reflection attack based on spoofed source IP addresses. There is nothing you can do besides telling your provider that you’re not responsible.
Stupid question, I’m no expert here: is there no firewall rule possible that drops this type of incoming packet or does not send a RST?
Well, there are not only simple firewalls in place at the receiving hosts. These are IDS / IPS solutions which automatically generate abuse reports when hit by these spoofed packets. That’s the whole point of these attacks.
Nothing can be done from your side as you are not involved in that packet exchange at all. The SYN ACK / RST packets arriving at your end are just backscatter. Sure, you can drop / reject them, but that won’t have any effect on the situation.
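The point made in the two replies above, that the SYN-ACK/RST packets are backscatter from connections this host never opened, can be checked against a packet capture. The following script is an added example written for this thread, not code from any participant or from the Tor Project. It assumes a hypothetical relay address (198.51.100.7) and uses a constructed sample in the style of `tcpdump -n -tt tcp` output with documentation addresses as the remote hosts; it records every SYN this host sends and classifies each inbound SYN-ACK or RST as either a solicited reply or backscatter, depending on whether it reverses a SYN that was actually sent.

```python
import re
from collections import Counter, namedtuple

# Hypothetical relay address used in the constructed sample below.
LOCAL_IP = "198.51.100.7"

# Constructed sample in the style of `tcpdump -n -tt tcp` output (not a real
# capture from any relay in the thread). Remote hosts are documentation
# addresses; the remote side is always port 22, as in the abuse reports.
SAMPLE_CAPTURE = """\
1730642317.101 IP 203.0.113.10.22 > 198.51.100.7.2545: Flags [S.], seq 0, ack 1, win 65535, length 0
1730642317.102 IP 203.0.113.10.22 > 198.51.100.7.2545: Flags [R], seq 1, win 0, length 0
1730642318.500 IP 198.51.100.7.51044 > 203.0.113.20.22: Flags [S], seq 100, win 64240, length 0
1730642318.520 IP 203.0.113.20.22 > 198.51.100.7.51044: Flags [S.], seq 200, ack 101, win 65160, length 0
1730642319.000 IP 203.0.113.30.22 > 198.51.100.7.36119: Flags [R.], seq 0, ack 1, win 0, length 0
"""

Packet = namedtuple("Packet", "ts src sport dst dport flags")

# Matches the timestamp, endpoints and TCP flag string of one tcpdump line.
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Parse one tcpdump line; return a Packet, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Packet(float(m["ts"]), m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), m["flags"])


def classify(lines, local_ip=LOCAL_IP):
    """Split inbound SYN-ACK/RST packets into solicited replies and backscatter.

    A SYN sent from (local_ip, sport) to (dst, dport) is remembered. Any inbound
    SYN-ACK or RST whose 4-tuple does not reverse a remembered SYN was not
    solicited by this host and is classified as backscatter.
    """
    outbound_syns = set()
    expected, backscatter = [], []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        # Outbound pure SYN ("S" without the "." ACK flag): remember it.
        if pkt.src == local_ip and "S" in pkt.flags and "." not in pkt.flags:
            outbound_syns.add((pkt.dst, pkt.dport, pkt.sport))
            continue
        if pkt.dst != local_ip:
            continue
        is_synack = "S" in pkt.flags and "." in pkt.flags
        is_rst = "R" in pkt.flags
        if not (is_synack or is_rst):
            continue
        if (pkt.src, pkt.sport, pkt.dport) in outbound_syns:
            expected.append(pkt)
        else:
            backscatter.append(pkt)
    return {"expected": expected, "backscatter": backscatter}


def summarize(backscatter):
    """Count backscatter per (remote host, remote port). Many distinct hosts,
    all answering from port 22, is the pattern described in the thread."""
    return Counter((p.src, p.sport) for p in backscatter)


if __name__ == "__main__":
    result = classify(SAMPLE_CAPTURE.splitlines())
    print(f"solicited replies: {len(result['expected'])}")
    for (host, port), n in summarize(result["backscatter"]).most_common():
        print(f"backscatter from {host}:{port}: {n} packet(s)")
```

Run against a real capture, the script reports which inbound SYN-ACK/RST packets had no matching outbound SYN, which is the evidence to hand a provider. One caveat: replies to connections opened before the capture started also look unsolicited, so start the capture well before the window an abuse report covers, or confine it to the remote port the report names.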
Got abuse mails from nearly all of my providers now. Sometimes multiple times from the same one. An official statement would be really nice, so the providers are more willing to just ignore everything related to noc@watchdogcyberdefense.com and 202.91.162.0/24, where all the reports for me originate.
Hello,
I also encountered this problem on my Tor relay. On several servers at once. Complaints are coming in that the server is brute-forcing the network 202.91.161.0/24.
% Abuse contact for '202.91.160.0 - 202.91.175.255' is 'team@bnshosting.net'
inetnum: 202.91.160.0 - 202.91.175.255
netname: BITSTOP
descr: Bitstop Inc.
descr: 2f New Sim Too Bldg.,
descr: AB Fernandez Ave.,
descr: Dagupan City
country: PH
So maybe ask them to stop sending these false abuse reports.
Actually I wrote to them and the reason I was given back for writing the abuse complaints to the providers is: most of the IPs of tor nodes are listed by virustotal, so they have to be infected by malware.
Tried to explain, that this is not the case but did not get a response back…
¯\_(ツ)_/¯
Since there is a list with currently more than 2 million Snowflake IP addresses (last updated 3 days ago), does this actually also affect the router at home if you run a standalone Snowflake proxy there?
It may have been a coincidence, but it was unusual when my router automatically rebooted three or four days ago. I assume my ISP (Deutsche Telekom) can remotely initiate a router restart.
Okay good to know.
@gus (thank you) provided a template for responding to providers:
My fellow colleague operators, I have received this email from my ISP.
I run a relay on this VPS, not an exit node. How is it possible that someone has attacked watchdogcyberdefense from my machine using Tor?
I suspect:
- Someone hacked my VPS
- VPS traversal in my ISP side
- Misleading information; someone is trying to close Tor relays
From: abuse@watchdogcyberdefense.com
To: abuse@atw.co.hu, abuse@atw.co.hu
Subject: Potential Security issue: AS41075: ATW Internet Kft.: XX.XX.XX.XX-Request Assistance
Date: 2024-11-06 09:58:19 (Europe/Budapest)
Greetings Fellow Sys Ad/s
I hope this message finds you well. I’m reaching out to you today regarding a matter of potential concern involving one or more IP addresses associated with your system.
Our network security logs have recently detected unusual activity originating from these IP addresses. While we understand that such incidents can sometimes occur innocently, it’s crucial to investigate and address them promptly to ensure the security of all networks involved.
To assist you in understanding the situation, we have provided the relevant log data below, with timestamps adjusted to our GMT +8 timezone:
DateTime Action AttackClass SourceIP Srcport Protocol DestinationIP DestPort
0 03-Nov-2024 14:18:37 DENIED XX.XX.XX.XX 2545 TCP 202.91.161.54 22
1 03-Nov-2024 20:32:54 DENIED XX.XX.XX.XX 36119 TCP 202.91.163.234 22
2 03-Nov-2024 20:37:23 DENIED XX.XX.XX.XX 61469 TCP 202.91.161.79 22
3 03-Nov-2024 22:17:56 DENIED XX.XX.XX.XX 4956 TCP 202.91.160.68 22
4 04-Nov-2024 00:04:09 DENIED XX.XX.XX.XX 58608 TCP 202.91.160.129 22
5 04-Nov-2024 04:54:29 DENIED XX.XX.XX.XX 19206 TCP 202.91.161.97 22
6 04-Nov-2024 22:57:59 DENIED XX.XX.XX.XX 27458 TCP 202.91.163.166 22
7 05-Nov-2024 00:02:41 DENIED XX.XX.XX.XX 48962 TCP 202.91.163.192 22
We believe that by working together to resolve this matter swiftly, we can help safeguard the integrity of our networks and prevent any further issues. If you require any additional information or support from our end to facilitate your investigation, please don’t hesitate to reach out.
Your prompt attention to this matter would be greatly appreciated. We value your expertise and cooperation in resolving this situation effectively. Thank you for your time and consideration.
For any corrections/updates, kindly email noc@watchdogcyberdefense.com
I’ve been affected as well. I’m even on the attacker page as a trophy lol. I have contact with the CEO of the hoster regarding the problem. There is significant external pressure to ban my nodes, which they are fighting. This is due to this spoofed garbage, not even because my exit nodes themselves produced the traffic. I’m talking with them to be able to convert my nodes to non-exit, but have no access yet to my vps.
Will see how it goes. And otherwise I’ll simply pivot to other hosters or jump IPs. I have an as-code setup, so I can move all nodes with ease.
Also see x.com
Update, vms are online again - added a nice fuck:r00t.monster in my contact info as a shoutout- that’s for you reading r00t. Was down for about 3 days.
Dear Tor,
the same situation here, the mail came from the server ISP. We got an abuse report, the same IP, the same port etc.
Our company provides tunnel-bridges.
Have a great day/night.