Re: possible DoS attack?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Scott Bennett wrote:
(snip)
> What I
> found that seemed out of the ordinary was many dozens of connections to my
> directory mirror port from 83.103.38.65 (fastweb65.ietnet.net)
(snip)
>      83.103.38.65 does not appear in my cached-consensus or cached-descriptors*
> files, so these are not simply tunneled directory connections from random
> sites getting funneled through one tor server in Italy.
>      Can anyone tell me whether this is legitimate activity or whether I should
> begin blocking it at my router to encourage it to go away?
(snip)

It sounds mighty suspicious, in my opinion.

If I recall correctly, directory mirroring is based on HTTP (hence, why
it's encouraged to host it on port 80 for "fascist firewalled" folks, if
at all possible). Therefore, it would be vulnerable to any "fundamental"
attack (i.e., based on the nature of TCP or HTTP) that any Web server
would be.

Given that the system you mention doesn't seem to be a Tor node, I say
that if it's not an attack, then something's pretty weird.

I'm no expert, but I say block the offending system. Does anyone else
concur?

- --
F. Fox
Owner of Tor node "kitsune"
CompTIA A+, Net+, Security+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHXzJobgkxCAzYBCMRArCRAJ0Xv7oRjoXcnHuETZ7vn6k4IpsaGwCfcJ9t
sfTLWKVAzbOMtURdnEswPW0=
=F8zz
-----END PGP SIGNATURE-----
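
The check described in the quoted message (count connections to the directory port per source, then see whether the source is a relay listed in cached-consensus) can be scripted; this is an added example, not part of the original post. The addresses, DirPort 80, the threshold, the Linux-style `netstat -tn` layout, and the sample data are all assumptions constructed for illustration.

```python
from collections import Counter

DIR_PORT = 80    # assumption: the mirror's DirPort
THRESHOLD = 20   # assumption: per-source connection count worth a closer look

def relay_ips(consensus_text):
    """Collect relay addresses from the 'r' lines of a cached-consensus file."""
    ips = set()
    for line in consensus_text.splitlines():
        f = line.split()
        # r <nickname> <identity> <digest> <date> <time> <IP> <ORPort> <DirPort>
        if len(f) >= 9 and f[0] == "r":
            ips.add(f[6])
    return ips

def dirport_sources(netstat_text, dir_port=DIR_PORT):
    """Count ESTABLISHED connections to the local DirPort per remote address."""
    counts = Counter()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or f[-1] != "ESTABLISHED":
            continue
        local, remote = f[3], f[4]
        if local.rsplit(":", 1)[-1] != str(dir_port):
            continue  # not a directory-port connection
        counts[remote.rsplit(":", 1)[0]] += 1
    return counts

def triage(netstat_text, consensus_text, threshold=THRESHOLD):
    """Return (ip, connections, listed_in_consensus) for heavy sources, busiest first."""
    known = relay_ips(consensus_text)
    heavy = dirport_sources(netstat_text).most_common()
    return [(ip, n, ip in known) for ip, n in heavy if n >= threshold]

# Constructed sample input (documentation address ranges, not real hosts).
SAMPLE_CONSENSUS = (
    "r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB "
    "2007-12-11 12:00:00 198.51.100.20 9001 9030\n"
)
_row = "tcp 0 0 192.0.2.10:{lp} {ip}:{rp} ESTABLISHED\n"
SAMPLE_NETSTAT = (
    "".join(_row.format(lp=80, ip="203.0.113.7", rp=40000 + i) for i in range(30))
    + "".join(_row.format(lp=80, ip="198.51.100.20", rp=50000 + i) for i in range(25))
    + "".join(_row.format(lp=80, ip="198.51.100.99", rp=60000 + i) for i in range(2))
    + _row.format(lp=9001, ip="203.0.113.7", rp=41000)  # ORPort, ignored
)

if __name__ == "__main__":
    for ip, n, listed in triage(SAMPLE_NETSTAT, SAMPLE_CONSENSUS):
        print(f"{ip}: {n} connections, in consensus: {listed}")
```

A heavy source that is absent from the consensus matches the situation described in the thread; one that is listed is more likely a relay carrying directory traffic.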