[tor-relays] Re: Update: Tor relays source IPs spoofed to mass-scan port 22
Roger Dingledine <arma@xxxxxxxxxxxxxx>:
> Hi! Can you send me (off-list) the details of what you are seeing?
Done.
The last observation was made Nov. 9 at 11:49 UTC, that is, after it was
announced the attacker was shut down.
We no longer see the packets, but we continue to receive reports from
the same mentioned amateurs; the last one is dated 12 Nov 2024 07:57:06
+0800. All mentioned addresses are those of Tor relays, and the
destination port is still ssh.
Excerpt from the report:
5 11-Nov-2024 12:32:52 DENIED 193.218.118.89 54796 TCP 202.91.160.87 22
These could be simple brute-force attacks, but since the reporter blocks
the connections, that seems unlikely. Perhaps the attacker tuned the
attack to a list of networks that are known for triggering reports.
> (3) You are misreading your packets and actually it is more benign
> than you think or otherwise we can find an expected explanation for
> what you are seeing.
No misreading; the attack is benign anyway, the problem is really
with the fools that take these reports seriously.