[tor-relays] Re: Tor relays source IPs spoofed to mass-scan port 22?
On Wed, 06 Nov 2024 22:40:08 +0000
Matt Palmer <mpalmer@xxxxxxxxxxx> allegedly wrote:
>
> Egress rules won't help, because the traffic never hits your server --
> the source IP address is spoofed as yours, but the packets are
> injected into the Internet from another location entirely.
>
But they will allow you to prove to yourself, and your ISP, that the
spoofed packets CANNOT have come from your address.

I now have such egress iptables rules on my node blocking all access to:

202.91.160.0/24
202.91.161.0/24
202.91.162.0/24
202.91.163.0/24

And as further proof (if any were needed) that watchdogcyberdefense.com
is run by bozos, one of their "abuse" reports to Hetzner reportedly shows
a “log entry” which reported attacks from my IP address to the RFC 1918
address 192.168.200.216. That address, like all such 192.168/16 prefix
addresses, is not even routable across the internet.

Mick
---------------------------------------------------------------------
Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B
5BAD D312 blog: baldric.net
---------------------------------------------------------------------
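
An added example, not part of the original post: one way to turn the two arguments above into evidence for an ISP, by reading the per-rule packet counters from `iptables-save -c` and checking whether a destination quoted in an abuse report is globally routable at all. The `OUTPUT` chain, the `DROP` target, the sample ruleset text and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Prefixes the post says are blocked on egress.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "202.91.160.0/24", "202.91.161.0/24", "202.91.162.0/24", "202.91.163.0/24")]

# Constructed sample of `iptables-save -c` output; each rule is prefixed with
# its [packets:bytes] counters. OUTPUT chain and DROP target are assumptions.
SAMPLE_SAVE = """\
*filter
:OUTPUT ACCEPT [3400:410000]
[0:0] -A OUTPUT -d 202.91.160.0/24 -j DROP
[0:0] -A OUTPUT -d 202.91.161.0/24 -j DROP
[0:0] -A OUTPUT -d 202.91.162.0/24 -j DROP
[0:0] -A OUTPUT -d 202.91.163.0/24 -j DROP
COMMIT
"""

RULE = re.compile(
    r"^\[(\d+):(\d+)\] -A OUTPUT (?:.* )?-d (\S+) (?:.* )?-j DROP$", re.M)


def egress_evidence(save_text):
    """Map each blocked prefix to packets dropped; None means no rule covers it."""
    hits = {str(n): None for n in BLOCKED}
    for m in RULE.finditer(save_text):
        dest = ipaddress.ip_network(m.group(3), strict=False)
        for net in BLOCKED:
            if net.subnet_of(dest):  # a wider rule (e.g. a /22) also covers it
                hits[str(net)] = (hits[str(net)] or 0) + int(m.group(1))
    return hits


def triage_report(dst, save_text=SAMPLE_SAVE):
    """Classify the destination address quoted in an abuse report."""
    addr = ipaddress.ip_address(dst)
    if not addr.is_global:  # RFC 1918 and other non-routable space
        return "not globally routable"
    for net, pkts in egress_evidence(save_text).items():
        if addr in ipaddress.ip_network(net):
            if pkts is None:
                return "no egress rule"
            return "egress-blocked, %d packets attempted" % pkts
    return "not covered by egress rules"
```

The counters only cover the period since the rules were loaded or last zeroed, so record that time alongside the output.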