[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Ongoing denial of service attack against Tor relays by leased botnet in America and PRC (Nobistech, Datashack, Limestone, HE, Pegtech, WholeSale Interent, and Psychz VPS nodes, etc)



> New to the list, I run a Tor exit node from my small cable modem connection
> in Honolulu, as well as for a short time on a few on VPS's to prove to

> Over the last several weeks, I have collected substantial evidence
> indicating that a botnet is degrading the Tor anonymity network in its
> entirety via a sustained denial of service attack. I believe it is made to
> blend in with all the other crazy packets that an exit node generates, but
> it is pretty easy to spot if you just look at the RST's or drops coming off
> your node, all from a static unused destination port.  If you change the IP
> address of your node, it will take about 90 minutes before they identify
> your IP and you start getting attacked again.
> Do a whois lookup on a few of
> those VPS IP addresses and you will see the country involved.

> Wondering what other folks are seeing with their relays.

> UTC DATE        UTC TIME        IP      SRC-ISP SPT     DST     DST-ISP DPT
> Flags
> 2013-03-28      7:33:38 173.208.95.126  Nobis Technology Group, LLC     2571
> 66.8.214.196    Road Runner     8118    [S]

I believe 8118 is polipo/privoxy gateway and that you are simple seeing
usual internet 'bot' scans for that proxy and box is returning normal closed
reset to syns.

You may collate this flow data by ip and report the unwanted traffic to the
arin netblock and ptr domain contacts. Or ignore it as waste of time if
packet rate is acceptable loss to internet noise.
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays