[tor-relays] Tor relays source IPs spoofed to mass-scan port 22?

> but the packets are injected into the Internet from another location entirely.

> On that note, most data-centers nowadays have routers do SRC IP checks, and do not allow the traffic through if it doesn't match that interface's assigned address. It would probably be more useful to somehow find the company which allows this traffic, and make them update their routers.

The words "somehow" and "make" are doing an awful lot of work there.

> Also, even if you spoof the IP, shouldn't the MAC address still be the one of the server from which the packets originated (unless it's spoofed too)?

MAC addresses are link-local addresses, and as such are never seen
outside of the broadcast domain (ie the local LAN) they're used on.

- Matt


On Thu, Nov 07, 2024 at 07:53:04AM +0000, George Hartley wrote:

_______________________________________________
tor-relays mailing list -- tor-relays@lists.torproject.org
To unsubscribe send an email to tor-relays-leave@lists.torproject.org

> but the packets are injected into the Internet from another location entirely.

On that note, most data-centers nowadays have routers do SRC IP checks, and do not allow the traffic through if it doesn't match that interface's assigned address. It would probably be more useful to somehow find the company which allows this traffic, and make them update their routers.

My guess is some Russian data-center; there used to be 2x4 notorious for hosting illegal, even yucky child porn sites, on the open internet. In the end, their datacenter burned down, or so the story goes. Since it was a cheap Russian building, they had no Argon/CO2 fire suppression system or even basic sprinklers.

Nonetheless, right now they seem to be back in business, but with much better ToS.

Also, even if you spoof the IP, shouldn't the MAC address still be the one of the server from which the packets originated (unless it's spoofed too)?

-GH


On Wednesday, November 6th, 2024 at 11:40 PM, Matt Palmer mpalmer@hezmatt.org wrote:

> On Wed, Nov 06, 2024 at 11:04:51AM +0100, CK wrote:
>
> > Replied to Hetzner with my own text and reinstalled my node and installed egress packet filter rules to block traffic to that network. Weird though.
>
> Egress rules won't help, because the traffic never hits your server --
> the source IP address is spoofed as yours, but the packets are injected
> into the Internet from another location entirely.
>
> - Matt


But they will allow you to prove to yourself, and your ISP, that the
spoofed packets CANNOT have come from your address.

I now have such egress iptables rules on my node blocking all access to:

202.91.160.0/24
202.91.161.0/24
202.91.162.0/24
202.91.163.0/24

And as further proof (if any were needed) that watchdogcyberdefense.com
is run by bozos, one of their "abuse" reports to Hetzner reportedly shows
a "log entry" which reported attacks from my IP address to the RFC 1918
address 192.168.200.216. That address, like all such 192.168/16 prefix
addresses, is not even routable across the internet.

Mick


On Wed, 06 Nov 2024 22:40:08 +0000 Matt Palmer <mpalmer@hezmatt.org> allegedly wrote:

> Egress rules won't help, because the traffic never hits your server --
> the source IP address is spoofed as yours, but the packets are
> injected into the Internet from another location entirely.

---------------------------------------------------------------------
Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B
5BAD D312 blog: baldric.net
---------------------------------------------------------------------


Hi,

> And as further proof (if any were needed) that watchdogcyberdefense.com
> is run by bozos, one of their "abuse" reports to Hetzner reportedly shows
> a "log entry" which reported attacks from my IP address to the RFC 1918
> address 192.168.200.216. That address, like all such 192.168/16 prefix
> addresses, is not even routable across the internet.

good catch. The abuse reports I received also have such 192.168/16 addresses listed.

Does that mean they attack themselves and then blame others?

Best,
  Kai.

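Mick's and Kai's observation above suggests a mechanical first pass over the "log entries" a report carries before answering the hoster. The following is an added example, not code from this thread or from the Tor project: it parses constructed report lines in a made-up `src=...:port dst=...:port` layout, flags every destination that is not globally routable (RFC 1918 and other reserved ranges can never have been reached from a relay across the internet), and checks the remaining destinations against the egress filter prefixes Mick listed, collapsed into the single /22 they form. The line layout, timestamps, and every address other than Mick's four prefixes and the 192.168.200.216 from his post are assumptions.

```python
"""First-pass triage of the "log entries" in an abuse report.

Added example, not code from the thread or from Tor. The report layout,
timestamps and the sample addresses other than Mick's four prefixes and
192.168.200.216 are constructed for illustration; real reports differ.
"""
import ipaddress
import re

# Constructed sample in a made-up "src=...:port dst=...:port" layout.
SAMPLE_REPORT = """\
2024-11-05 03:12:44 src=203.0.113.7:51234 dst=192.168.200.216:22 proto=tcp flags=S
2024-11-05 03:12:45 src=203.0.113.7:51235 dst=202.91.161.9:22 proto=tcp flags=S
2024-11-05 03:12:46 src=203.0.113.7:51236 dst=1.1.1.1:22 proto=tcp flags=S
2024-11-05 03:12:47 src=203.0.113.7:51237 dst=10.0.0.5:22 proto=tcp flags=S
"""

# The prefixes Mick blocks on egress.
EGRESS_BLOCKED = ["202.91.160.0/24", "202.91.161.0/24",
                  "202.91.162.0/24", "202.91.163.0/24"]

NON_ROUTABLE = "destination not globally routable (RFC 1918 or other reserved range)"
BLOCKED = "destination inside our egress filter"
PLAUSIBLE = "plausible on its face; check local logs"

LINE_RE = re.compile(r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)")


def collapse(prefixes):
    """Merge adjacent prefixes; the four /24s become 202.91.160.0/22."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def classify(dst, blocked_nets):
    """Say why a reported destination cannot be genuine traffic from this host."""
    addr = ipaddress.ip_address(dst)
    if not addr.is_global:
        # 192.168/16, 10/8, 172.16/12, loopback, link-local, documentation
        # ranges: a remote host cannot have received a packet with this
        # destination from us across the internet.
        return NON_ROUTABLE
    if any(addr in net for net in blocked_nets):
        return BLOCKED
    return PLAUSIBLE


def triage(report_text, blocked_prefixes=EGRESS_BLOCKED):
    """Return [(dst, dport, verdict)] for every parseable line of the report."""
    blocked = collapse(blocked_prefixes)
    results = []
    for line in report_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            results.append((m["dst"], int(m["dport"]), classify(m["dst"], blocked)))
    return results


def summary(results):
    """Count verdicts, the figures to quote back to the hoster."""
    counts = {}
    for _, _, verdict in results:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    res = triage(SAMPLE_REPORT)
    for dst, port, verdict in res:
        print(f"{dst}:{port:<5} {verdict}")
    print(summary(res))
```

Feed it the lines from the real report (adjusting `LINE_RE` to that report's layout) and the counts in `summary()` give the hoster a concrete figure: how many of the claimed "attacks" name a destination that could not have been reached from the relay at all, and how many name one the relay's own egress filter refuses.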

True, but as Mick wrote in this thread they are more meant as proof to Hetzner that my node doesn't allow contact with the addresses listed.

When I received the abuse emails I was slightly panicking and reinstalled the node from scratch because I couldn't prove that I had *not* been hacked. I found this thread only later and learned that IP spoofing might be in play. Somehow I assumed IP spoofing to be a thing of the past - interesting that this is still possible.

Or "Cyberdogdefense" is just making stuff up; all they did is send a bunch of "log entries" to Hetzner and *claim* these nodes made login attempts to their network.

The worst case would be that there's an actual problem in the Tor code, leaking stuff not to exit nodes but to targets outside of the Tor network.

CK.


On 6 November 2024 23:40:08 CET, Matt Palmer <mpalmer@hezmatt.org> wrote:

> On Wed, Nov 06, 2024 at 11:04:51AM +0100, CK wrote:
>
> > Replied to Hetzner with my own text and reinstalled my node and installed egress packet filter rules to block traffic to that network. Weird though.
>
> Egress rules won't help, because the traffic never hits your server --
> the source IP address is spoofed as yours, but the packets are injected
> into the Internet from another location entirely.
>
> - Matt


Adding a "me too":
I have a tor middle relay in Vultr, and I've had 4 abuse tickets so far.
I replied to them with information about my server, this thread, and
delroth's blog post.
Vultr closed all tickets without further actions.



and how many reports are complete fabrications?

no need to spoof ip's at all when you can simply make a false report.



Adding another me too.
2 of 5 different ISPs for middle and entry nodes shared the same abuse complaints others received.
First time in 10 years to receive abuse complaints from middle/entry nodes.
Not fun.

It'd be great for Tor to publish a blog on what is happening / what happened so we can include that as more official appearing response in these abuse complaint replies to our ISPs rather than only linking a long mailing list thread and a wonderful but unknown individual's blog.

Another opportunity for Tor to further educate more people, especially ISPs forwarding abuse complaints that we're all replying to so we don't lose our Tor nodes.


On Thursday, November 7th, 2024 at 12:55 PM, Nicolás Dato <nicolas.dato@gmail.com> wrote:


usetor.wtf via tor-relays:

> Adding another me too.
> 2 of 5 different ISPs for middle and entry nodes shared the same abuse complaints others received.
> First time in 10 years to receive abuse complaints from middle/entry nodes.
> Not fun.
>
> It'd be great for Tor to publish a blog on what is happening / what happened so we can include that as more official appearing response in these abuse complaint replies to our ISPs rather than only linking a long mailing list thread and a wonderful but unknown individual's blog.
>
> Another opportunity for Tor to further educate more people, especially ISPs forwarding abuse complaints that we're all replying to so we don't lose our Tor nodes.

Check this one out, which we published yesterday:

Georg


Hello, add me to the list too.

Started receiving packets 3 days ago and Tor Weather sent me an e-mail regarding it.

Sad that I could not respond further… I try to maintain an extremely high uptime. So far, the node has only been offline for 6 hours in 6 months… now it's been 72 hours :frowning:

I also got a Tor Weather notification, which finally got my attention… sadly 3 days too late. It also took my friend some time to travel to the data center, I don’t live in the United States, he does, but it’s like 45 minutes using the nearest bus for him.

The DC staff refused to re-connect our power-cable, since we allegedly “abused” their network “to a great extent” (in quotes text is from DC staff).

I mailed them about this mailing list, and they finally understood, or it seems that way.

My hoster sadly did not notify me, they just took the entire colocated server offline, even if they know that the IP 104.219.232.126 is a bridge IP allocated through QEMU macvtap bridge using the server's physical 10GbE Synology E10G22-T1-Mini network card, and that we own the server including its main IP address I use for SSH.

They could have just nullrouted 104.219.232.126, but no, they nullrouted both my main IP and the KVM IP, and even "illegally" removed our power cord, and according to our lawyer, should not have touched our network card either, since it's specified in the contract that the owner of the server will do all maintenance, but it's unclear if we can do much of anything about it. They still own the room, and since it was not clear to them that the packets came from the card… it's a shitty situation.

Will update once everything is restored.

Sorry for the downtime.

I unfortunately could not do iptraf-ng or use mtr to find out the culprit network.

-GH

> It appears that the Tor node ExitTheMatrix (fingerprint: 0F8538398C61ECBE83F595E3716F7CE7E4C77B21) has been uncontactable through the Tor network for at least 48 hours. You may wish to look at it to see why.
>
> You can find more information about the Tor node at:
>
> https://metrics.torproject.org/rs.html#details/0F8538398C61ECBE83F595E3716F7CE7E4C77B21
>
> You can unsubscribe from these reports at any time by visiting the following url:
>
> https://www.torweather.org/unsubscribe?hmac=nope&fingerprint=0F8538398C61ECBE83F595E3716F7CE7E4C77B21
>
> The original Tor Weather was decommissioned by the Tor project and this replacement is now maintained independently. You can learn more here:
>
> https://github.com/thingless/torweather/blob/master/README.md

-GH


Hi,

the node is back online.

Everything works normally, and I don’t get any bogus SSH packets when using iptraf-ng.

Also, we noticed reverse path filtering was off on the VM. We enabled it, but don't know why it was off… I configured the ArchLinux VM's /etc/sysctl.d entries on my own, and it is still enabled on boot, or at least should be, but it wasn't.

I checked since I believe arma mentioned it.

All the best,
-GH


On Sunday, November 10th, 2024 at 6:50 PM, George Hartley hartley_george@proton.me wrote:

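Two points in this thread turn on the same check: the "SRC IP checks" on data-center routers that GH describes earlier (source address validation at the network edge, BCP 38 / unicast reverse path forwarding), and the reverse path filtering (`rp_filter`) GH found disabled on the VM. The following is an added example, not code from the thread or from the Tor project. It simulates that check with a constructed forwarding table: the arriving packet's source address is looked up as if it were a destination, and in strict mode the packet is accepted only if the route points back out the interface it arrived on; in loose mode any usable route is enough. As Matt notes, the spoofed packets never pass through the relay itself, so the simulation places the check on the border router of the network that admits them. Interface names, prefixes and the scenario are assumptions; the Linux `rp_filter` values 1 (strict) and 2 (loose) are real, and 104.219.232.126 is the bridge address GH reported being spoofed.

```python
"""Reverse-path (source address) validation, simulated.

Added example, not code from the thread or from Tor. Models the check a
border router (BCP 38 / unicast RPF) or a Linux host with rp_filter
applies to an arriving packet: the SOURCE address is looked up in the
forwarding table, and the interface that lookup yields is compared with
the interface the packet arrived on. Routes and interface names are
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

STRICT, LOOSE = 1, 2   # the values net.ipv4.conf.<if>.rp_filter takes on Linux


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: Optional[str]   # None models a blackhole/unreachable route


class Fib:
    """Longest-prefix-match forwarding table."""

    def __init__(self, routes):
        self.routes = sorted(
            (Route(ipaddress.ip_network(p), i) for p, i in routes),
            key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, addr):
        a = ipaddress.ip_address(addr)
        for r in self.routes:
            if a in r.prefix:
                return r
        return None

    def rpf_accept(self, src, in_iface, mode=STRICT):
        """True if a packet with source `src` arriving on `in_iface` passes the check."""
        r = self.lookup(src)
        if r is None or r.iface is None:
            return False             # no usable route back to the source: drop in both modes
        if mode == LOOSE:
            return True              # loose: any route back is enough
        return r.iface == in_iface   # strict: route must point out the arrival interface


# Constructed border router of a hosting company: one uplink and one
# customer port. The customer is only allocated 198.51.100.0/24.
BORDER = Fib([
    ("0.0.0.0/0", "uplink0"),       # everything else goes out to the internet
    ("198.51.100.0/24", "cust1"),   # the customer's assigned prefix
    ("192.168.0.0/16", None),       # RFC 1918 space is blackholed
])


def demo():
    """(description, accepted) for constructed packets arriving on the customer port."""
    cases = [
        ("customer's own address, strict",   "198.51.100.77",   STRICT),
        ("spoofed relay address, strict",    "104.219.232.126", STRICT),
        ("spoofed relay address, loose",     "104.219.232.126", LOOSE),
        ("spoofed RFC 1918 address, loose",  "192.168.200.216", LOOSE),
    ]
    return [(desc, BORDER.rpf_accept(src, "cust1", mode)) for desc, src, mode in cases]


if __name__ == "__main__":
    for desc, ok in demo():
        print(f"{'accept' if ok else 'DROP  '}  {desc}")
```

The second and third cases are the ones that matter for this thread: with strict checking on the customer port, a packet claiming to come from a relay's address is dropped because the route back to that address points at the uplink, not at the customer; with loose checking it is let through, since some route to the relay exists. A host-side `rp_filter` on the relay only ever sees packets that reach the relay, which the spoofed ones never do.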