Re: [tor-relays] Tor relays source IPs spoofed to mass-scan port 22?

2024-10-29 Thread Jonathan Proulx
We've definitely seen an uptick in this type of complaint. One of the abuse reports for "port scanning" had a log of exactly 3 SYN packets to port 22, IDK why people bother with something like that given the amount of actual SSH scans I see against our infrastructure constantly. New one today t

Re: [tor-relays] Tor relays source IPs spoofed to mass-scan port 22?

2024-10-29 Thread tor-relays+tor-relays
I believe it would be helpful to develop a standard template letter to address these abuse reports. This letter could clarify the ongoing attack, explain the potential for packet spoofing, and outline why responding to a single SYN packet with an abuse letter may not be the most effective use o

Re: [tor-relays] Next Tor Relay Operator meetup - October 26th, 2024 at 1900 UTC

2024-10-29 Thread George Hartley via tor-relays
If you are a contributor, maybe mention to staff / security where you want to go? Were you on a / the guests list (it sounds like it)? I really doubt that they would deny you entry if the event just started, maybe be a bit more persistent, and if you know someone inside, call them to get them

Re: [tor-relays] Tor relays source IPs spoofed to mass-scan port 22?

2024-10-29 Thread mick
On Tue, 29 Oct 2024 06:52:13 +0100 Ralph Seichter via tor-relays allegedly wrote:
> * Pierre Bourdon:
>
> > A few hours ago I received a forwarded abuse report from Hetzner for
> > one of my machines running a Tor relay (not exit). Some random ISP
> > was claiming I was sending SSH connections t

Re: [tor-relays] Tor relays source IPs spoofed to mass-scan port 22?

2024-10-29 Thread mick
On Tue, 29 Oct 2024 07:47:53 + mick allegedly wrote:
> > Same here. Middle relay, automated abuse report forwarded by
> > Hetzner, for alleged scans of TCP port 22 across several related
> > IPv4 class-C networks. I wondered if that was a mistake on the
> > reporting third party's end, but gi

Re: [tor-relays] Tor relays source IPs spoofed to mass-scan port 22?

2024-10-29 Thread Chris Enkidu-6
Yes, I have 11 IP addresses on Hetzner, 3 of which are running Tor relays. Only those 3 received the abuse notice, which tells me Tor IP addresses are specifically targeted. I'm assuming it could be intended to get Tor IP addresses added to various popular block lists. Once they're added to severa

Re: [tor-relays] Tor relays source IPs spoofed to mass-scan port 22?

2024-10-29 Thread Toralf Förster via tor-relays
On 10/29/24 04:33, Pierre Bourdon wrote:
> A few hours ago I received a forwarded abuse report from Hetzner for one of my machines running a Tor relay (not exit).
Fun fact - the abuse email is in HTML format. No comment.
-- Toralf

Re: [tor-relays] Tor relays source IPs spoofed to mass-scan port 22?

2024-10-29 Thread Toralf Förster via tor-relays
On 10/29/24 04:33, Pierre Bourdon wrote:
> Some tcpdumps showing random RSTs coming back to my machines running relays (with no traffic being initiated by said machines beforehand):
You used something like this?:
tcpdump -i enp8s0 'tcp[13] & 4 != 0 && port 22'
-- Toralf

Re: [tor-relays] Tor relays source IPs spoofed to mass-scan port 22?

2024-10-29 Thread Richie
Could this be the real issue? https://delroth.net/posts/spoofed-mass-scan-abuse/
Greetz, Richie
> On 29.10.2024 at 15:12, mick wrote:
>
> On Tue, 29 Oct 2024 07:47:53 +
> mick allegedly wrote:
>
>>> Same here. Middle relay, automated abuse report forwarded by
>>> Hetzner, for alleged s