
Re: [tor-relays] So long and thanks for all the abuse complaints



On 05.12.17 20:21, r1610091651 wrote:

> how can the hoster determine whether a packet is part of a port scan
> or valid connection request?

One common example of automatically detectable port scans for /24 IPv4
subnets is consecutive connections, in a small amount of time, to

  aaa.bbb.ccc.1:80
  aaa.bbb.ccc.2:80
  aaa.bbb.ccc.3:80
  [etc.]

Looking at the logs I received, this traversal of subnets to find open
ports is the most common type of scan for which my exit is being abused.

The logs sometimes show variations like scanning odd-numbered addresses
in one pass and even-numbered in the next, or scans for several subnets
mixed together, but the hoster's monitoring software is quite good at
automatically identifying patterns.

-Ralph
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
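
The scan pattern described in the message above, as an added detection sketch; it is not part of the original post and not the hoster's monitoring software. The log format, function names, thresholds and documentation-range addresses are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict, deque

WINDOW_SECONDS = 10     # assumed meaning of "a small amount of time"
MIN_DISTINCT_HOSTS = 8  # assumed number of distinct targets per /24 before flagging


def parse(line):
    """Parse 'epoch_seconds src_ip dst_ip:port' (constructed IPv4 log format)."""
    ts, src, dst = line.split()
    host, port = dst.rsplit(":", 1)
    return float(ts), src, ipaddress.ip_address(host), int(port)


def find_sweeps(lines, window=WINDOW_SECONDS, min_hosts=MIN_DISTINCT_HOSTS):
    """Return {(src, dst /24, port)} where src hit many hosts of one /24 quickly.
    Target order is ignored and each /24 is tracked separately, so odd/even
    passes and mixed subnets count the same as a plain .1, .2, .3 traversal."""
    recent = defaultdict(deque)  # (src, net, port) -> deque of (ts, dst)
    flagged = set()
    for ts, src, dst, port in sorted(map(parse, lines), key=lambda r: r[0]):
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        key = (src, str(net), port)
        q = recent[key]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # drop connections older than the window
            q.popleft()
        if len({ip for _, ip in q}) >= min_hosts:
            flagged.add(key)
    return flagged


def sample_log():
    """Constructed data: one sweeping source and one ordinary client."""
    lines, t = [], 1000.0
    for hosts in (range(1, 12, 2), range(2, 12, 2)):  # odd pass, then even pass
        for h in hosts:
            for prefix in ("192.0.2", "198.51.100"):  # two /24s interleaved
                lines.append(f"{t:.1f} 203.0.113.5 {prefix}.{h}:80")
                t += 0.2
    for i in range(20):  # ordinary client: many connections, two destinations
        lines.append(f"{1000 + i * 0.5:.1f} 203.0.113.9 192.0.2.{20 + i % 2}:443")
    return lines


if __name__ == "__main__":
    for src, net, port in sorted(find_sweeps(sample_log())):
        print(f"possible sweep: {src} -> {net} port {port}")
```

Counting distinct destinations per source, /24 and port inside a time window is what lets the odd/even and interleaved-subnet variations fall into the same bucket as a straight traversal, while a client that reconnects often to a couple of hosts stays below the threshold.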