[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Tor relays source IPs spoofed to mass-scan port 22?



I believe it would be helpful to develop a standard template letter to address these abuse reports. This letter could clarify the ongoing attack, explain the potential for packet spoofing, and outline why responding to a single SYN packet with an abuse letter may not be the most effective use of time.

On 29/10/24 00:33, Pierre Bourdon wrote:
Hi relay ops,

A few hours ago I received a forwarded abuse report from Hetzner for
one of my machines running a Tor relay (not exit). Some random ISP was
claiming I was sending SSH connections to them, and at first I
couldn't find any corroborating evidence in my own network logs and I
was ready to dismiss it.

But then I noticed that there is in fact something weird: all 4 of my
machines running Tor relays are seeing *return* TCP traffic (RSTs or
SYN-ACKs) from port 22 from various machines all over the world, at a
very low rate. Kind of like someone spoofing source IPs to send SYNs
everywhere. I can't figure out at all whether that's actually what's
happening and what the intent would be though.

Some tcpdumps showing random RSTs coming back to my machines running
relays (with no traffic being initiated by said machines beforehand):

04:19:14.705034 IP 198.30.233.69.22 > 172.105.199.155.39998: Flags
[R.], seq 0, ack 171173954, win 0, length 0
04:20:15.135733 IP 124.198.33.196.22 > 172.105.199.155.23506: Flags
[R.], seq 0, ack 1985822135, win 0, length 0
04:21:30.222739 IP 223.29.149.158.22 > 172.105.199.155.27507: Flags
[R.], seq 0, ack 3614869158, win 0, length 0

04:14:25.286063 IP 45.187.212.68.22 > 195.201.9.37.59639: Flags [R.],
seq 0, ack 41396686, win 0, length 0
04:14:25.291455 IP 107.152.7.33.22 > 195.201.9.37.39793: Flags [R.],
seq 0, ack 1391844539, win 0, length 0
04:14:25.322255 IP 107.91.78.158.22 > 195.201.9.37.48900: Flags [R.],
seq 0, ack 1434896088, win 65535, length 0

04:12:39.470366 IP 121.150.242.252.22 > 77.109.152.87.57627: Flags
[R.], seq 0, ack 2452733863, win 0, length 0
04:13:05.549920 IP 46.188.201.102.22 > 77.109.152.87.9999: Flags [R.],
seq 0, ack 3253922544, win 0, length 0
04:14:33.027326 IP 1.1.195.62.22 > 77.109.152.87.52448: Flags [R.],
seq 0, ack 351972505, win 0, length 0

By any chance, any other relay ops seeing the same thing, or am I just
going crazy? (it does kind of sound insane...)

Any speculation as to the reason for this?

Best,


_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays