Re: [tor-relays] Ongoing denial of service attack against Tor relays by leased botnet in America and PRC (Nobistech, Datashack, Limestone, HE, Pegtech, WholeSale Interent, and Psychz VPS nodes, etc)
- To: tor-relays@xxxxxxxxxxxxxxxxxxxx
- From: grarpamp <grarpamp@xxxxxxxxx>
- Date: Thu, 28 Mar 2013 13:21:16 -0400
> New to the list, I run a Tor exit node from my small cable modem connection
> in Honolulu, as well as for a short time on a few on VPS's to prove to
> Over the last several weeks, I have collected substantial evidence
> indicating that a botnet is degrading the Tor anonymity network in its
> entirety via a sustained denial of service attack. I believe it is made to
> blend in with all the other crazy packets that an exit node generates, but
> it is pretty easy to spot if you just look at the RST's or drops coming off
> your node, all from a static unused destination port. If you change the IP
> address of your node, it will take about 90 minutes before they identify
> your IP and you start getting attacked again.
> Do a whois lookup on a few of
> those VPS IP addresses and you will see the country involved.
> Wondering what other folks are seeing with their relays.
> UTC DATE    UTC TIME  IP              SRC-ISP                      SPT   DST           DST-ISP      DPT   Flags
> 2013-03-28  7:33:38   173.208.95.126  Nobis Technology Group, LLC  2571  66.8.214.196  Road Runner  8118  [S]
I believe 8118 is polipo/privoxy gateway and that you are simply seeing
usual internet 'bot' scans for that proxy and box is returning normal closed
reset to syns.
You may collate this flow data by ip and report the unwanted traffic to the
arin netblock and ptr domain contacts. Or ignore it as waste of time if
packet rate is acceptable loss to internet noise.
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
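
The collation step suggested in the reply, as an added example that is not part of the original message: it parses records in the column layout quoted above and summarises inbound SYNs per source IP, with a rate figure for judging whether the traffic is worth reporting. The sample records, RFC 5737 addresses and ISP names are constructed, and the names `collate` and `report` are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Column order of the quoted log: UTC DATE, UTC TIME, IP, SRC-ISP, SPT, DST, DST-ISP, DPT, Flags
ROW = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{1,2}:\d{2}:\d{2})\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<src_isp>.+?)\s+(?P<spt>\d+)\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dst_isp>.+?)\s+(?P<dpt>\d+)\s+"
    r"\[(?P<flags>[A-Z.]+)\]$"
)

# Constructed sample records (documentation addresses, made-up ISP names).
SAMPLE = """\
UTC DATE UTC TIME IP SRC-ISP SPT DST DST-ISP DPT Flags
2013-03-28 7:33:38 192.0.2.10 Example Hosting, LLC 2571 203.0.113.5 Example Cable 8118 [S]
2013-03-28 7:33:41 192.0.2.10 Example Hosting, LLC 2571 203.0.113.5 Example Cable 8118 [S]
2013-03-28 7:40:02 198.51.100.7 Sample VPS Co 40112 203.0.113.5 Example Cable 8118 [S]
2013-03-28 9:15:20 192.0.2.10 Example Hosting, LLC 3300 203.0.113.5 Example Cable 8118 [S]
"""

def collate(lines):
    """Group SYN records by source IP, busiest first; per_min is the average
    SYN rate over the observed window (0.0 when only one record was seen)."""
    by_src = defaultdict(list)
    for line in lines:
        m = ROW.match(line.strip())
        if not m or m["flags"] != "S":  # skip header, junk and non-SYN rows
            continue
        when = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        by_src[m["src"]].append((when, m["src_isp"], int(m["dpt"])))
    out = []
    for src, hits in by_src.items():
        times = sorted(h[0] for h in hits)
        span = (times[-1] - times[0]).total_seconds()
        out.append({
            "src": src, "isp": hits[0][1], "syns": len(hits),
            "first": times[0], "last": times[-1],
            "ports": sorted({h[2] for h in hits}),
            "per_min": round(len(hits) / (span / 60), 3) if span else 0.0,
        })
    return sorted(out, key=lambda r: (-r["syns"], r["src"]))

def report(rows):
    """One line per source, ready to paste into a report to the netblock contact."""
    return [f"{r['src']} ({r['isp']}): {r['syns']} SYN to port(s) "
            f"{','.join(map(str, r['ports']))} between {r['first']:%Y-%m-%d %H:%M:%S} "
            f"and {r['last']:%H:%M:%S} UTC" for r in rows]

if __name__ == "__main__":
    print("\n".join(report(collate(SAMPLE.splitlines()))))
```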