Re: [tor-relays] Exit relays abused to attack Google services

Subject: Re: [tor-relays] Exit relays abused to attack Google services

From: Pascal Terjan <pterjan@xxxxxxxxx>

Date: Wed, 2 Feb 2022 15:56:26 +0000

Delivery-date: Wed, 02 Feb 2022 11:46:43 -0500

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+tRL9hH3dKkP5Z7skSQidyqL0JhEmdzU6awminvJ4Yg=; b=W8LcJ/rds+sDLg5bdr5J/QttJ3j4Pl0LDpfHPrdHTaFG+Zgb9vsRn6AdIqIbGtTZ9l MmQ47aZZiCy4L91KhmGZEJXCEoHLqIsJZ/f+Uq8Lvo2QzXflYN3Y7/KYqxIs4HbZ5l3t krM0FEoVVndK4xZYie6Jq8a+AINXlXb6d3LZNt0mNhKnuGD65EcZG0LNLPfseCLEa29t MWsolGD0yX5zFBBneKPvb8Se0FldMHYOK+ysxTCLzDqIpcUriiEng9H6W75sd16cTOc2 R2BzkGvrV4W9gDAPOHBqXml2OMFryMjvnnJP/MhWCYbWFPT2HoikVfqprBDYq2Z7dUpc HrYw==

In-reply-to: <20220202001936.2b709a7c@urdn.com.ua>

List-archive: <http://lists.torproject.org/pipermail/tor-relays/>

List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>

List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>

List-post: <mailto:tor-relays@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>

References: <20220202001936.2b709a7c@urdn.com.ua>

Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

On Wed, 2 Feb 2022 at 11:05, UDN Tor via tor-relays <tor-relays@xxxxxxxxxxxxxxxxxxxx> wrote:

> Note we believe some of these IPs are part of the Meris or Dvinis
> botnets. If you are a residential Internet service provider, it is
> possible that your customers' routers themselves have been
> compromised. You should research the Meris botnet and take
> appropriate actions to have them secure their CPE (customer-premises
> equipment).

This is probably the main reason those reports are being sent.

Meris is a huge botnet using (at least) tens of thousands of compromised routers.

https://www.bleepingcomputer.com/news/security/new-m-ris-botnet-breaks-ddos-record-with-218-million-rps-attack/

Those notices were probably sent automatically to many ISPs hoping some of them would get their customers to fix their routers, and tor exits were probably just not filtered.

_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays