[tor-relays] Tor relays source IPs spoofed to mass-scan port 22?

Hi relay ops,

A few hours ago I received a forwarded abuse report from Hetzner for
one of my machines running a Tor relay (not exit). Some random ISP was
claiming I was sending SSH connections to them, and at first I
couldn't find any corroborating evidence in my own network logs and I
was ready to dismiss it.

But then I noticed that there is in fact something weird: all 4 of my
machines running Tor relays are seeing *return* TCP traffic (RSTs or
SYN-ACKs) from port 22 from various machines all over the world, at a
very low rate. Kind of like someone spoofing source IPs to send SYNs
everywhere. I can't figure out at all whether that's actually what's
happening and what the intent would be though.

Some tcpdumps showing random RSTs coming back to my machines running
relays (with no traffic being initiated by said machines beforehand):

04:19:14.705034 IP 198.30.233.69.22 > 172.105.199.155.39998: Flags
[R.], seq 0, ack 171173954, win 0, length 0
04:20:15.135733 IP 124.198.33.196.22 > 172.105.199.155.23506: Flags
[R.], seq 0, ack 1985822135, win 0, length 0
04:21:30.222739 IP 223.29.149.158.22 > 172.105.199.155.27507: Flags
[R.], seq 0, ack 3614869158, win 0, length 0

04:14:25.286063 IP 45.187.212.68.22 > 195.201.9.37.59639: Flags [R.],
seq 0, ack 41396686, win 0, length 0
04:14:25.291455 IP 107.152.7.33.22 > 195.201.9.37.39793: Flags [R.],
seq 0, ack 1391844539, win 0, length 0
04:14:25.322255 IP 107.91.78.158.22 > 195.201.9.37.48900: Flags [R.],
seq 0, ack 1434896088, win 65535, length 0

04:12:39.470366 IP 121.150.242.252.22 > 77.109.152.87.57627: Flags
[R.], seq 0, ack 2452733863, win 0, length 0
04:13:05.549920 IP 46.188.201.102.22 > 77.109.152.87.9999: Flags [R.],
seq 0, ack 3253922544, win 0, length 0
04:14:33.027326 IP 1.1.195.62.22 > 77.109.152.87.52448: Flags [R.],
seq 0, ack 351972505, win 0, length 0

By any chance, any other relay ops seeing the same thing, or am I just
going crazy? (it does kind of sound insane...)

Any speculation as to the reason for this?

Best,


--
Pierre Bourdon <delroth@gmail.com>
Software Engineer @ Zürich, Switzerland

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
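One way to check for the backscatter pattern Pierre describes (inbound RSTs or SYN-ACKs from port 22 that answer no SYN the host ever sent), as an added example that is not from the thread: it parses the wrapped tcpdump format shown above, records the host's own outbound SYNs from the same capture, and flags reply packets with no matching local connection attempt. The sample capture reuses three lines from the post plus a constructed, genuinely initiated SSH connection to the documentation address 203.0.113.10 that must not be flagged; the local address 172.105.199.155 is taken from the post.

```python
import re
from collections import Counter, namedtuple

# Matches the tcpdump one-liner format shown in the thread, after wrapped
# lines have been joined back together.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")

Packet = namedtuple("Packet", "ts src sport dst dport flags")

# Three lines copied from the post, plus a constructed, legitimately initiated
# SSH connection (203.0.113.10 is a documentation address) that must NOT be flagged.
SAMPLE_CAPTURE = """\
04:19:14.705034 IP 198.30.233.69.22 > 172.105.199.155.39998: Flags
[R.], seq 0, ack 171173954, win 0, length 0
04:20:15.135733 IP 124.198.33.196.22 > 172.105.199.155.23506: Flags
[R.], seq 0, ack 1985822135, win 0, length 0
04:21:30.222739 IP 223.29.149.158.22 > 172.105.199.155.27507: Flags
[R.], seq 0, ack 3614869158, win 0, length 0
04:22:01.000000 IP 172.105.199.155.41000 > 203.0.113.10.22: Flags [S], seq 1, win 64240, length 0
04:22:01.020000 IP 203.0.113.10.22 > 172.105.199.155.41000: Flags [S.], seq 0, ack 2, win 65160, length 0
"""


def parse_capture(text):
    """Parse tcpdump text output into Packet tuples.

    Assumes (as in the mail) that long lines may be wrapped: a line that does
    not start with a timestamp is a continuation of the previous record.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    packets = []
    for rec in records:
        m = LINE_RE.match(rec)
        if m:  # silently skip non-TCP or otherwise unparsable records
            packets.append(Packet(m["ts"], m["src"], int(m["sport"]),
                                  m["dst"], int(m["dport"]), m["flags"]))
    return packets


def find_backscatter(packets, local_ips, watched_ports=(22,)):
    """Return inbound RST / SYN-ACK packets from a watched port that do not
    answer any outbound SYN the local host sent earlier in the capture.

    Such unsolicited replies are what a host sees when a third party sends
    SYNs elsewhere with this host's address forged as the source.
    """
    outbound_syns = set()
    hits = []
    for p in packets:
        if p.src in local_ips and p.flags == "S":
            # A genuine connection attempt by us: remember its 4-tuple.
            outbound_syns.add((p.src, p.sport, p.dst, p.dport))
        elif (p.dst in local_ips and p.sport in watched_ports
              and p.flags in ("R", "R.", "S.")):
            # Reply-style packet: only suspicious if we never sent the SYN.
            if (p.dst, p.dport, p.src, p.sport) not in outbound_syns:
                hits.append(p)
    return hits


def summarize(hits):
    """Count unsolicited replies per remote host, most frequent first;
    useful as evidence of spoofing when answering an abuse report."""
    counts = Counter(h.src for h in hits)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    hits = find_backscatter(pkts, local_ips={"172.105.199.155"})
    for h in hits:
        print(f"{h.ts} unsolicited [{h.flags}] from {h.src}:{h.sport} -> local port {h.dport}")
    print("per remote host:", summarize(hits))
```

A reply to a connection opened before the capture started would also be flagged, so run the capture long enough or seed the outbound set from the host's connection table first.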

Sounds right. See

where I walked through the analysis, for transparency and to help other
folks learn more about how the internet works.

It is a shame that whoever is sending this traffic clearly wants to
undermine safety on the internet. :(

--Roger


On Tue, Oct 29, 2024 at 04:33:33AM +0100, Pierre Bourdon wrote:

Kind of like someone spoofing source IPs to send SYNs
everywhere.


Yes, I have 11 IP addresses on Hetzner, 3 of which are running Tor relays. Only those 3 received the abuse notice, which tells me Tor IP addresses are specifically targeted.

I'm assuming it could be intended to get Tor IP addresses added to various popular block lists. Once they're added to several block lists, all kinds of traffic with those source addresses are affected, not just traffic to port 22.

Regards,

Enkidu


On 10/28/2024 11:33 PM, Pierre Bourdon wrote:


Me too. Middle relay on Hetzner. Alleged SSH scans from my relay. I
have not yet had time to investigate, but will do so later today.

Mick


On Tue, 29 Oct 2024 06:52:13 +0100 Ralph Seichter via tor-relays <tor-relays@lists.torproject.org> allegedly wrote:

* Pierre Bourdon:

> A few hours ago I received a forwarded abuse report from Hetzner for
> one of my machines running a Tor relay (not exit). Some random ISP
> was claiming I was sending SSH connections to them [...]

Same here. Middle relay, automated abuse report forwarded by Hetzner,
for alleged scans of TCP port 22 across several related IPv4 class-C
networks. I wondered if that was a mistake on the reporting third
party's end, but given that I am not the only one, it seems there is
more to it.

---------------------------------------------------------------------
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
blog: baldric.net
---------------------------------------------------------------------


We've definitely seen an uptick in this type of complaint. One of the
abuse reports for "port scanning" had a log of exactly 3 SYN packets
to port 22, IDK why people bother with something like that given the
amount of actual SSH scans I see against our infrastructure
constantly.

New one today though, apparently spoofed web exploit probing. That's
probably going to trigger a bigger reaction if it becomes more
widespread than a few ssh packets.

-Jon


--
Jonathan Proulx (he/him)
Sr. Technical Architect
The Infrastructure Group
MIT CSAIL

I believe it would be helpful to develop a standard template letter to address these abuse reports. This letter could clarify the ongoing attack, explain the potential for packet spoofing, and outline why responding to a single SYN packet with an abuse letter may not be the most effective use of time.


On 29/10/24 00:33, Pierre Bourdon wrote:


I have taken a look at my relay and noted activity like this a short
while ago.

105.812429380 202.91.162.47 → 95.216.198.252 TCP 54 22 → 18588 [RST,
ACK] Seq=1 Ack=1 Win=5840 Len=0
113.387329574 202.91.163.206 → 95.216.198.252 TCP 54 22 → 41567
[RST, ACK] Seq=1 Ack=1 Win=4128 Len=0

So - resets coming from a host I have not attempted to connect to.

I have informed hetzner and pointed them to the tor-project note at

given by Roger Dingledine.

Mick


On Tue, 29 Oct 2024 07:47:53 +0000 mick <mbm@rlogin.net> allegedly wrote:

> Same here. Middle relay, automated abuse report forwarded by
> Hetzner, for alleged scans of TCP port 22 across several related
> IPv4 class-C networks. I wondered if that was a mistake on the
> reporting third party's end, but given that I am not the only one,
> it seems there is more to it.

Me too. Middle relay on Hetzner. Alleged SSH scans from my relay. I
have not yet had time to investigate, but will do so later today.

Mick

---------------------------------------------------------------------
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
blog: baldric.net
---------------------------------------------------------------------


Jonathan Proulx <jon@csail.mit.edu>:

IDK why people bother with something like that given the amount of
actual SSH scans I see against our infrastructure constantly.

Indeed, but Hetzner is known for noob stuff like that: while they seem
to understand the importance of privacy and let people run Tor relays,
they also send abuse reports for insignificant stuff such as a port
scan.



You likely discovered a way in which criminals (or intel agencies, since there is no difference) are being allowed access to middle relays.

--x9p


On 10/29/24 04:47, mick wrote:


By any chance, any other relay ops seeing the same thing, or am I just
going crazy? (it does kind of sound insane...)

Any speculation as to the reason for this?

My own write-up and explanation (and speculation) is available at https://delroth.net/posts/spoofed-mass-scan-abuse/ as a reference. I've had a few people email me saying they had the same scare moment after getting an abuse report and they ended up finding my article, so I'd like to think it's already helped a bit!

I also received an email today from Hetzner's legal team saying that they have read my article (props to them, I didn't send it to them myself!). They are monitoring the situation on their side and emphasized that they do not usually take action on this kind of report they have recently been forwarding to Tor relay operators. So at least for others hosting relays at Hetzner I don't think it's worth worrying too much. For other hosting providers, your mileage may vary.


On Tue, Oct 29, 2024, 03:33 Pierre Bourdon <delroth@gmail.com> wrote:


Hey, Ionos (AS8560) locked my account because of SSH scans (I only run middle/guard relays) and told me they couldn't unlock my account. Did anyone else have similar experiences with them?

Marie (running all relays with a *.ketamin.trade hostname)

29.10.24 04:33, Pierre Bourdon wrote:



Agree.

I have just received another "abuse" report. Hetzner have yet to
respond to my last reply to them.

Mick


On Thu, 31 Oct 2024 11:25:30 +0200 "Dimitris T. via tor-relays" <tor-relays@lists.torproject.org> allegedly wrote:

similar situation here with hetzner.. got a first report 2 days ago,
and just a while ago got another abuse report, by the same
watchdogcyberdefence.... with more alleged activity from our ip...

like everybody else, there's nothing coming out from our relay ip, so
we strongly believe "Theory three"[1] .

---------------------------------------------------------------------
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
blog: baldric.net
---------------------------------------------------------------------


Hi,

I got an abuse report on my Guard, Middle, relay hosted at OVH.
I replied with the blog post and explanation that it's an attack outside of my server spoofing packets. No reply back from OVH, no account suspension either.

Regards,


It would be hard to explain to Verizon I run Tor relays since they technically don't allow servers. I hope I'm not forced onto AT&T Internet Air as my particular co-op rental unit won't let me get Spectrum even when other units can, not that I wanted Spectrum, I don't.

It shouldn't be necessary to go into great detail. Simply tell them there have been attacks going around the internet where people's ip addresses have been spoofed for ssh connections with an eye toward getting them in trouble with their providers. Explain to them that further actions from them on this matter would be like taking action against a person if someone else forged your reply address on outgoing harassing postal mail letters. In other words, totally inappropriate. You are not responsible for other people forging your IP address, and if required you can tell them you welcome them to put such monitoring in place as will prove you aren't responsible for the outgoing ssh connections.

If pressed, you can even offer that you are involved with online privacy advocacy and that is how your IP address got out.

All of the above is 100% true.

Hopefully just your willingness to accept scrutiny to prove your IP hasn't originated the connection attempts will be enough. If it does attract too much scrutiny and they discover your Tor contribution, at least you are no worse off.

If you're dealing with ISPs that aren't too friendly towards Tor and you're worried they won't get the technical stuff about SYN packet spoofing, here's a simple tip: just tell them your machine might have some malware scanning on port 22 and that you're looking into it. It's an explanation they hear all the time, so it should help take the heat off you.


On 1/11/24 22:42, Red Oaive via tor-relays wrote:

On 2024-10-31 23:15, Neel Chauhan wrote:

To The Tor Project officials:

So far the Tor Project has left its operators twisting in the wind over this. Marie has had a ten server account locked over this. A well worded blog entry explaining the attack would be a very welcome assistance to refer our providers to. It wouldn't have to mention this discredit attack is targeting relay operators. It can simply say the attack is targeting privacy volunteers for the project and leave the precise details vague.

another abuse report from hetzner (by the same watchdogcyberdefence) a few hours ago. no reply from hetzner yet to previous ticket.

this time, alleged attacked /20 subnet from watchdogcyberdefence was firewalled since 30/10/2024, just to confirm new false abuse reports..., and they confirmed (=their report, shows traffic from our ip on 3/11/2024)....

replied to hetzner with proposed template and minor changes.

d.

On 31/10/24 17:58, mick wrote:



_______________________________________________
tor-relays mailing list -- tor-relays@lists.torproject.org
To unsubscribe send an email to tor-relays-leave@lists.torproject.org

Update for my experience with OVH.

Received 4 abuse emails in total (2 per each relay), each was replied within 24h. No followup on any or response.
Still have service uninterrupted.

Hopefully the attacker's ISP kicks them off instead. All of the honeypots that send "incorrect" abuse emails get a flood of responses and update their detection scripts. Ideally no one loses any nodes, but it seems to have already happened.

Good luck everyone,

Dimitris T. via tor-relays:


And I have received a new "abuse" report from Hetzner raised by the
same bozos at watchdogcyberdefence, but this time purportedly aimed at
FTP port 21.

I've told Hetzner they are welcome to monitor traffic coming out of my
node to reassure themselves that this is nonsense.

Mick


On Tue, 5 Nov 2024 10:32:40 +0200 "Dimitris T. via tor-relays" <tor-relays@lists.torproject.org> allegedly wrote:


---------------------------------------------------------------------
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
blog: baldric.net
---------------------------------------------------------------------


Hey,

my personal experience with OVH was that they would accept 5-10 abuse reports per day, even if you replied to them, and then replied to the abuse report with the forwarded reply, but they always disable your VM/Server after 21-30 days.

OVH is also on the GoodBadHosters community page.

-GH


On Tuesday, November 5th, 2024 at 5:24 PM, tor@nullvoid.me <tor@nullvoid.me> wrote:


Just adding a "me too" here: Hetzner node, running a relay (*not* an exit node), received two abuse emails from Hetzner that a company called "watchdogcyberdefense" complained about SSH login attempts to their 202.91/16 network.

Replied to Hetzner with my own text and reinstalled my node and installed egress packet filter rules to block traffic to that network. Weird though.

Thanks for reporting this to the list!


On 5 November 2024 17:24:07 CET, tor@nullvoid.me wrote:


Egress rules won't help, because the traffic never hits your server --
the source IP address is spoofed as yours, but the packets are injected
into the Internet from another location entirely.

- Matt


On Wed, Nov 06, 2024 at 11:04:51AM +0100, CK wrote:

Replied to Hetzner with my own text and reinstalled my node and installed egress packet filter rules to block traffic to that network. Weird though.
