Happy today
Since November my ISP and I received a hand full of abuses for a
non-exit. It is about scanning ports and addresses of a certain let's
say victim ISP. I received one other abuse with another server.
For now I kindly want to ask if some operator received similar abuses
for non-exits ? [1]
Under my perspective it could be:
- ip-spoofing. A third entity uses my ip and sends sync requests to the
victim. There will never be a statefull connection, but the victim feels
offended. As result the only one who gets trouble is me.
- I got hacked (Uhh, don't like these words) which I suspect is not the
case. Then statefull connections are possible and by scanning etc the
attacker interfers the victim. We should not discuss this here.
- There is some way out of the code which enables an attacker to perform
solicited or unsolicited interference. Like [2] or not known or
whatever. It is difficult to discuss with my ISP because the world
expects the non-exits connect only inside the Tor network and onion
services.
Yes, people can use non-exit relays to port scan.
I'll quote my original email, which you have as [2]: Receiving unsolicited TCP connections is a
normal part of running a server on the Internet. And anyone who sends
unsolicited spammy emails in response lacks a sense of irony.
less useful for scanning?
We should check that we are returning the same reason for every non-relay port and IP, regardless of whether the IP exists, the port is open, or the port does TLS.
We could delay failure responses for a random interval. Some facts:
- The victim ISP hosts no relay
- The relays are guards and potentially fallbacks (fallback and
non-fallback share an ip)
- I firewall blocked (outbound) all victim ISPs subnets. I logged some
outbound trials but this could not stop the abuses. Why? May-be the
victim ISP has changing ip ranges which usually happens from time to
time or I do not know their subnets completely. Interesting was that one
destination ip was x.x.x.0 which is subnet zero.
Now the subnet routing is classless, zero is a valid address. It's typically used for the gateway or network address, but that's not required:
- Currently I firewall block (inbound) all victim ISPs subnets and found
log entries scanning (syn) my server on a non Tor port. Before blocking
inbound, was there a way that someone from the vicitm ISP ip range can
drive my relay (not server) to act like an offender back to the victims ISP?
They can run a tor client, connect to your relay, and tell it to connect to another IP address as if it is a relay. That's a standard part of the tor protocol via your relay's ORPort.
So there's no need to block inbound, and it won't solve this issue. T |