[tor-relays] Re: Update: Tor relays source IPs spoofed to mass-scan port 22

2024-11-08 Thread tor-relays+tor-relays
On 8/11/24 08:47, tor-relays+tor-rel...@queer.cat wrote: On 8/11/24 03:14, Red Oaive via tor-relays wrote: I just reset my SYN-ACK detection nft counter and it's still showing activity:    tcp sport 22 tcp flags == 0x12 counter packets 9 bytes 504 This rule will also count SYN-ACKs sent

[tor-relays] Re: Update: Tor relays source IPs spoofed to mass-scan port 22

2024-11-08 Thread tor-operator
gus : > I'm writing to share that the origin of the spoofed packets has been > identified and successfully shut down today, thanks to the assistance > from Andrew Morris at GreyNoise and anonymous contributors. Are you sure that it has been effectively shut down? We're still receiving spoofed pac

[tor-relays] Re: Update: Tor relays source IPs spoofed to mass-scan port 22

2024-11-08 Thread Roger Dingledine
On Fri, Nov 08, 2024 at 11:14:54AM -0400, tor-relays+tor-rel...@queer.cat wrote: > But > definitely make sure to exclude the IPs of other Tor relays listening on > port 22. That could be why you’re seeing those counters go up. You can get that list of (currently 10) relays via $ curl -s http://1

[tor-relays] Re: Update: Tor relays source IPs spoofed to mass-scan port 22

2024-11-08 Thread Red Oaive via tor-relays
On 2024-11-08 08:47, tor-relays+tor-rel...@queer.cat wrote: This rule will also count SYN-ACKs sent from your own server to bots trying to connect to your SSH on port 22. The rule is on the source port = 22, not the destination port = 22. Incoming bot connections will not have a sport = 22.

[tor-relays] Re: Update: Tor relays source IPs spoofed to mass-scan port 22

2024-11-08 Thread Carlo P. via tor-relays
Hello all, those watchdogcyberdefense "specialists" have meanwhile publicly admitted their mistake (of course, hidden in a political wording to create a different impression): https://watchdogcyberdefense.com/2024/11/is-this-attackers-ip-spoofed/ Quote: "This experience got us thinking about t

[tor-relays] Re: Update: Tor relays source IPs spoofed to mass-scan port 22

2024-11-08 Thread Red Oaive via tor-relays
I just reset my SYN-ACK detection nft counter and it's still showing activity: tcp sport 22 tcp flags == 0x12 counter packets 9 bytes 504 That was in five minutes. On 2024-11-08 03:03, Red Oaive wrote: Thank you for your efforts, and for the efforts of the anonymous contributors! And let me

[tor-relays] Re: Update: Tor relays source IPs spoofed to mass-scan port 22

2024-11-08 Thread marie
My efforts to get them back are/were pretty low; it's not much effort for me to set up new relays. The support also didn't give me much information, so I just created new relays at Strato, but they are in the same datacenter as the Ionos ones. I'm now checking out other providers for more relays.

[tor-relays] Re: Update: Tor relays source IPs spoofed to mass-scan port 22

2024-11-08 Thread tor-relays+tor-relays
On 8/11/24 03:14, Red Oaive via tor-relays wrote: I just reset my SYN-ACK detection nft counter and it's still showing activity:   tcp sport 22 tcp flags == 0x12 counter packets 9 bytes 504 This rule will also count SYN-ACKs sent from your own server to bots trying to connect to your SSH