[tor-relays] Tor 0.3.5.x is unsupported, please upgrade

2022-02-02 Thread Georg Koppen

Hello!

It's time again to get relays running an EOL Tor series (0.3.5.x) 
upgraded. We'll start reaching out to operators with valid contact 
information this week and plan to start rejecting relays which are still on 
0.3.5.x about 4 weeks from now, at the beginning of March. You can follow 
along with that process in our bug tracker[1] if you want.


For the general processes around dealing with EOL relays in the Tor 
network see my mail from last October[2].


Feedback and improvements are welcome, as always.

Georg

[1] https://gitlab.torproject.org/tpo/network-health/team/-/issues/171
[2] https://lists.torproject.org/pipermail/tor-relays/2021-October/019862.html


___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] Introduction message from me :)

2022-02-02 Thread lists
On Tuesday, February 1, 2022 4:19:20 PM CET Miryam Webb via tor-relays wrote:

> I am a new relay operator and I am glad to make your acquaintance. Currently
> my nodes are not processing traffic because they are being rejected by the
> directory nodes
The first thought that comes to me why the Dirauths are already rejecting you 
in the ramp up phase: an outdated, unsupported tor version.

https://community.torproject.org/relay/setup/

> but I hope that gus will reply soon and that we can get
> this working. I have been administrating linux servers for more than 8
> years but I have no experience with running tor nodes. So if you have tips
> and tricks a noob should know feel free to write me. :)
> 
> Miryam


-- 
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!



[tor-relays] Exit relays abused to attack Google services

2022-02-02 Thread UDN Tor via tor-relays
Google is now sending abuse reports complaining of DDoS attacks against
their services. While they believe the IPs are participating in a
botnet, it is clear that they are Tor exit relays.

I don't know why they are sending us the report after the attacks have
ended. Besides, since Google services are unusable over Tor, this
should not have caused them much damage.

I suspect the attacker is trying to get relays shut down by triggering
Google reports that would scare off the ISPs.

If you are an ISP and you have received the same report, please let me
know. I'd like to know if this was global or if we've been "selected".

> From: ddos-repo...@google.com
> To: ab...@urdn.com.ua
> Subject: [#zMto] DDoS from your IPs to Google from 2022-01-28 to
> 2022-01-31
> Date: Tue, 01 Feb 2022 20:22:42 +
> 
> We observed IPs under your control participating in DDoS attacks
> targeting Google services, including a prolonged DDoS attack from
> January 28-31 against the Google Search Console.
> 
> The attacks were Layer 7 / HTTP request floods.  Your participating
> IPs are listed below, along with the stop time in UTC and targeted
> Google IPs.  We request that you enforce your Acceptable Use Policy
> against these customers.
> 
> +-----------------+-----------------+----------+---------------------+
> | Source          | Destination     | DestPort | Time_UTC            |
> +-----------------+-----------------+----------+---------------------+
> | 193.218.118.62  | 142.250.180.227 | 443      | 2022-01-31 15:55:01 |
> | 193.218.118.90  | 142.250.180.195 | 443      | 2022-01-31 15:53:28 |
> | 193.218.118.100 | 172.217.19.99   | 443      | 2022-01-31 14:43:09 |
> | 193.218.118.101 | 142.250.180.227 | 443      | 2022-01-31 17:32:54 |
> | 193.218.118.125 | 142.250.180.227 | 443      | 2022-01-31 15:55:28 |
> | 193.218.118.145 | 142.250.180.195 | 443      | 2022-01-31 15:55:30 |
> | 193.218.118.147 | 142.251.39.35   | 443      | 2022-01-31 15:41:36 |
> | 193.218.118.155 | 142.250.180.195 | 443      | 2022-01-31 13:45:43 |
> | 193.218.118.156 | 142.250.180.227 | 443      | 2022-01-31 15:57:52 |
> | 193.218.118.158 | 142.250.180.227 | 443      | 2022-01-31 18:41:34 |
> | 193.218.118.167 | 142.250.201.195 | 443      | 2022-01-31 15:56:53 |
> | 193.218.118.182 | 142.251.39.3    | 443      | 2022-01-31 17:31:57 |
> | 193.218.118.183 | 142.250.180.227 | 443      | 2022-01-31 17:42:40 |
> | 193.218.118.231 | 142.250.180.227 | 443      | 2022-01-31 17:43:08 |
> +-----------------+-----------------+----------+---------------------+
> 
> Note we believe some of these IPs are part of the Meris or Dvinis
> botnets.  If you are a residential Internet service provider, it is
> possible that your customers' routers themselves have been
> compromised.  You should research the Meris botnet and take
> appropriate actions to have them secure their CPE (customer-premises
> equipment).
> 
> -- 
> Security Reliability Engineering :: Google :: AS15169


Re: [tor-relays] Exit relays abused to attack Google services

2022-02-02 Thread kantorkel

On 2/2/22 at 01:19, UDN Tor via tor-relays wrote:

> Google is now sending abuse reports complaining of DDoS attacks against
> their services. While they believe the IPs are participating in a
> botnet, it is clear that they are Tor exit relays.
> 
> I don't know why they are sending us the report after the attacks have
> ended. Besides, since Google services are unusable over Tor, this
> should not have caused them much damage.
> 
> I suspect the attacker is trying to get relays shut down by triggering
> Google reports that would scare off the ISPs.
> 
> If you are an ISP and you have received the same report, please let me
> know. I'd like to know if this was global or if we've been "selected".


We received 2 DDoS reports in Oct 2021 and 3 automated scraping notices in Nov 
and Dec 2021.


> We are seeing automated scraping of Google Web Search from a large
> number of your IPs/VMs.  Automated scraping violates our /robots.txt
> file and also our Terms of Service.  We request that you enforce your
> Acceptable Use Policy against these customers.

Best
kantorkel, Artikel10






Re: [tor-relays] Exit relays abused to attack Google services

2022-02-02 Thread lists
On Wednesday, February 2, 2022 1:19:36 AM CET UDN Tor via tor-relays wrote:
> Google is now sending abuse reports complaining of DDoS attacks against
> their services. While they believe the IPs are participating in a
> botnet, it is clear that they are Tor exit relays.
> 
> I don't know why they are sending us the report after the attacks have
> ended. Besides, since Google services are unusable over Tor, this
> should not have caused them much damage.
> 
> I suspect the attacker is trying to get relays shut down by triggering
> Google reports that would scare off the ISPs.
> 
> If you are an ISP and you have received the same report, please let me
> know. I'd like to know if this was global or if we've been "selected".
> 
Yo, I have some from google.com too.
Sometimes the IPs of artikel10, relayon and me are together in the abuse log.
All normal automated abuse stuff. On replies, no one answered.

-- 
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!



Re: [tor-relays] Exit relays abused to attack Google services

2022-02-02 Thread Pascal Terjan
On Wed, 2 Feb 2022 at 11:05, UDN Tor via tor-relays <tor-relays@lists.torproject.org> wrote:

>
> > Note we believe some of these IPs are part of the Meris or Dvinis
> > botnets.  If you are a residential Internet service provider, it is
> > possible that your customers' routers themselves have been
> > compromised.  You should research the Meris botnet and take
> > appropriate actions to have them secure their CPE (customer-premises
> > equipment).
>

This is probably the main reason those reports are being sent.
Meris is a huge botnet using (at least) tens of thousands of compromised
routers.
https://www.bleepingcomputer.com/news/security/new-m-ris-botnet-breaks-ddos-record-with-218-million-rps-attack/

Those notices were probably sent automatically to many ISPs hoping some of
them would get their customers to fix their routers, and tor exits were
probably just not filtered.
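
The filtering discussed in this thread, seen from the receiving abuse desk, as an added example that is not part of any message here: it parses a report table in the layout quoted above and separates sources that are known Tor exits from sources that need follow-up. The sample report, the exit list and its one-address-per-line format, and all function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample in the layout of the report quoted in this thread;
# addresses are documentation ranges, not the ones from the report.
SAMPLE_REPORT = """\
+-----------------+-----------------+----------+---------------------+
| Source          | Destination     | DestPort | Time_UTC            |
+-----------------+-----------------+----------+---------------------+
| 192.0.2.10      | 198.51.100.7    | 443      | 2022-01-31 15:55:01 |
| 192.0.2.11      | 198.51.100.7| 443  | 2022-01-31 15:53:28 |
| 192.0.2.77      | 198.51.100.9    | 443      | 2022-01-31 14:43:09 |
| not-an-ip       | 198.51.100.9    | 443      | 2022-01-31 14:43:10 |
+-----------------+-----------------+----------+---------------------+
"""

# Constructed exit list (assumed format: one address per line, '#' comments).
SAMPLE_EXITS = """\
# exits operated on this network
192.0.2.10
192.0.2.11
"""

def load_exit_set(text):
    """Parse an exit list: one address per line, '#' starts a comment."""
    lines = (l.split("#", 1)[0].strip() for l in text.splitlines())
    return {ipaddress.ip_address(l) for l in lines if l}

def parse_report(text):
    """Yield (source_ip, destination, port, time_utc) for each data row."""
    for line in text.splitlines():
        line = line.lstrip("> ").strip()  # tolerate mail quoting
        cells = [c.strip() for c in line.strip("|").split("|")]
        if not line.startswith("|") or len(cells) != 4:
            continue  # border line or prose
        try:
            row = (ipaddress.ip_address(cells[0]), cells[1], int(cells[2]), cells[3])
        except ValueError:
            continue  # header row or malformed source/port
        yield row

def triage(report_text, exit_text):
    """Split report rows into known-exit sources and sources to follow up."""
    exits = load_exit_set(exit_text)
    tor, other = [], []
    for row in parse_report(report_text):
        (tor if row[0] in exits else other).append(row)
    return tor, other
```

Rows whose source is not a known exit are the ones an ISP would check for compromised customer equipment, which is the case the report's note about CPE is aimed at.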