[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Again: abuse email for non-exit relay (masergy)

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] Again: abuse email for non-exit relay (masergy)
From: ronqtorrelays@xxxxxxxxxx
Date: Sun, 3 May 2020 14:36:34 -0700
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 03 May 2020 17:49:58 -0400
In-reply-to: <042601d6218f$f4340c60$dc9c2520$@bulger.co.uk>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays $exit, non-exit, bridge$" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <600e536e6c306336e223399b23ab94fa@for-privacy.net> <042601d6218f$f4340c60$dc9c2520$@bulger.co.uk>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

I got a *bunch* (harassment-level) of telephone calls from my ISP similar to this. They refused to do anything by email, and wouldn't tell me anything more about the supposed port-scanning attacks. They just kept asking me to "make sure Windows and my router firmware were up to date." (No Windows, no router.) They kept saying that I was port-scanning a machine in the 10.x address space. When I finally got someone who knew enough to know that wasn't a routable address, they *still* couldn't tell me anything about the nature of the complaint. I finally had to threaten legal action, at which point they *still* refused to disclose anything about the complaint, but at least stopped calling me. The *hours* on the phone revealed only two things: the complaint was originating from somewhere in the Chicago (US) area, and the "port" I was "scanning" was always 9002.

My relay was also a non-exit. Needless to say, I was monitoring my network traffic and there was no "port scanning" going on. My best guess is that some kindergartener in a sysadmin suit (or incompetent security suite vendor, if that's not redundant) configured a firewall to automatically report accesses via port 9002 as port scanning and they have a relay behind said firewall.

As much as I would have welcomed the opportunity to educate and assist the operator of this misconfigured security system, my ISP would never divulge any contact information.

Just a data point.

--Ron

> On May 3, 2020, at 14:15, <gerard@xxxxxxxxxxxx> <gerard@xxxxxxxxxxxx> wrote:
> 
> That is really unhelpful of them to state Type of Attack/Scan: Generic  Hosts: 10.10.10.182 which is non-routable address.  Something on their LAN is wrong.   You cannot even respond by blocking their actual WAN IP in torrc.  
> 
> Ask for the real WAN IP of their network so you can block the attack
> 
> 
> 
> 
> -----Original Message-----
> From: tor-relays <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx> On Behalf Of lists@xxxxxxxxxxxxxxx
> Sent: 03 May 2020 21:16
> To: tor-relays@xxxxxxxxxxxxxxxxxxxx
> Subject: [tor-relays] Again: abuse email for non-exit relay (masergy)
> 
> Hi,
> 
> got multiple abuse in the last 2 weeks.
> 
> 2 relays with 2 IP run on the server. Someone is always hammering my OR port on one IP. (37.157.255.118:9002) https://metrics.torproject.org/rs.html#details/BD2A34ADE4E603A272FAAD23AEF389801BB223BB
> https://metrics.torproject.org/rs.html#details/8EE44717FA55705C12086F3ECD1F8D9C8676FD05
> 
> 
> What can I do?
> 
> Found that in the archive:
> https://lists.torproject.org/pipermail/tor-relays/2017-September/013030.html
> 
> 
> the 5th complaint:
> ##############################################################################################################
> 
> To Whom it May Concern,
> 
> You have a system on your network that is actively scanning and/or 
> attacking external sites on the Internet.  This can come from many 
> sources and because it is often difficult to detect this activity, we 
> are sending this E-mail in an attempt to help you solve the problem.
> 
> We have detected your system with an IP of, 37.157.255.118, scanning a 
> client we monitor.  This was not a short attack but a prolonged scan 
> and/or probe that was designed to find and intrude into the target 
> network.
> 
> This may be someone on your network who is actively trying to hack 
> others. This person may be a legitimate user on your network or it may 
> be that this system has been compromised and is being used by someone to 
> hack others. It is also likely that the system is running automated 
> tools that have been installed to perform these actions without any 
> human intervention.
> 
> Below is the information about the attack.  Keep in mind that the source 
> IP of our client has been sanitized for anonymity.
> 
> Date: 04/30/2020
> Time: 11:05:37
> Time Zone: America/Chicago
> Source(s): 37.157.255.118
> Type of Attack/Scan: Generic
> Hosts: 10.10.10.182
> Log:
> 
> 37.157.255.118:9002 > 10.10.10.182:24562
> 
> Possible Cause:
> 
> 
> Thank you for your attention to this matter,
> 
> Masergy
> email: esp@xxxxxxxxxxx
> 
> -- 
> ╰_╯ Ciao Marco!
> 
> Debian GNU/Linux
> 
> It's free software and it gives you freedom!
> _______________________________________________
> tor-relays mailing list
> tor-relays@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> 
> _______________________________________________
> tor-relays mailing list
> tor-relays@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] Again: abuse email for non-exit relay (masergy)
  - From: lists

References:
- [tor-relays] Again: abuse email for non-exit relay (masergy)
  - From: lists
- Re: [tor-relays] Again: abuse email for non-exit relay (masergy)
  - From: gerard

Prev by Author: Re: [tor-relays] Bridge log indicates missing geoipdb
Next by Author: Re: [tor-relays] Tor Relay Web Ports
Previous by thread: Re: [tor-relays] Again: abuse email for non-exit relay (masergy)
Next by thread: Re: [tor-relays] Again: abuse email for non-exit relay (masergy)
Index(es):
- Author
- Thread