[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Botnet

To: "tor-relays@xxxxxxxxxxxxxxxxxxxx" <tor-relays@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: [tor-relays] Botnet
From: teor <teor2345@xxxxxxxxx>
Date: Wed, 26 Aug 2015 00:17:35 +1000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 25 Aug 2015 10:17:54 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:references:from:content-type:in-reply-to:message-id:date:to :content-transfer-encoding:mime-version; bh=Jj78FFmxjppf0k5Bo8wBHJZaGt+KvHpOFtp44Sun0eo=; b=xeucGP/Jpw4er6S4QqY91yLg2RlK5nvuxnGUBMaEaXVUW3eQCKMzEEbnCioUDpWr4/ U9O7VOS8flrkFPE4BOnqlnXVvIxEBAHsyO1A5j29QuBMlYWBmhY/9IH0evKUhzDr52g2 EHrajdSVxkoIyiTu1hD/73ig0XKKbeQV6ju2cHKQhpio4LNIkD3v9yegUj8ouIkbUQmS NKaG5v/HLOa9DiaP1jhSybpvVTjLSpewdcA+mSRCt8v5VoJuo6ypudpG49tLFs352O6S cTsxMisEDElFxtv2+uiY49gyv/Qv07Cxqs93K/55YFKIaFiWNJRX1fD+EQHGF/oDqan5 WEyQ==
In-reply-to: <trinity-fa30a0ea-06fe-4832-91a8-9b6abe09cace-1440510883322@3capp-gmx-bs34>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <trinity-fa30a0ea-06fe-4832-91a8-9b6abe09cace-1440510883322@3capp-gmx-bs34>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

On 25 Aug 2015, at 23:54, Heiko Tropartz <butary@xxxxxx> wrote:

Hello,

my ISP deactivated the network traffic of my tor-exit relay because the server is part of the following botnets:

- Wapomi
- AldiBot
- Darkness Bot

In the last 2 hours I analysed the sparse log files and checked the system by checksums I created after the installation.

The linux server is clean.

I send an answer to my ISP, that the server is only an exit-relay for Tor traffic. I also attached a list security software including configurations that I installed.

But the network traffic keeps blocked until I guarantee for a secure network traffic.

Can someone advise me what to do?

Any tips and hints?

It's unfortunate your provider doesn't understand the concept of an overlay network, or even the concept of a proxy.

If they are going to continue to judge you by your traffic, here's how you can change the traffic allowed through your exit:

If the botnets connect to particular IP addresses or ports, you can block those in your Tor Exit policy or server firewall.

Alternately, if the complainants / honeypots are on particular IPs, you can block those.

You might have to ask your ISP what IPs or ports are generating the complaints.

Tim (teor)

Tim Wilson-Brown (teor)

teor2345 at gmail dot com
pgp 0xABFED1AC
https://gist.github.com/teor2345/d033b8ce0a99adbc89c5

teor at blah dot im
OTR D5BE4EC2 255D7585 F3874930 DB130265 7C9EBBC7

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

References:
- [tor-relays] Botnet
  - From: Heiko Tropartz

Prev by Author: Re: [tor-relays] Calling for more Exit Relays
Next by Author: Re: [tor-relays] onionoo.thecthulhu.com: 500 Server Error
Previous by thread: [tor-relays] Botnet
Next by thread: [tor-relays] bwauth graph for August 2015
Index(es):
- Author
- Thread