On Tue, Nov 15, 2016 at 12:41:09PM -0800, Arisbe wrote:
> One of my tor guard relays is a medium size VPS operating in the Czech
> Republic. It's been up and stable for several years. Several weeks ago I
> was notified that my VPS was a source of UDP DoS traffic. It was shut down.
> Logs showed no intrusions.
>
> I installed a different instance of linux, changed my SSH port, added
> fail2ban and even installed clamav. I did not make changes to the tor exit
> policy. Then, this week I received the following:
>
> "Hello,
> surveillance system detected a disproportionate outgoing DoS traffic on your
> VPS torexitcz and then our network under a DDoS attack. Your server
> torexitcz has been stopped. This is another problem with your VPS. Your
> service will be terminated.
> Thanks for understanding."
>
> Can anyone offer an opinion as to how my relay was used for DoS? How can I
> avoid this in the future? My goal, as always is to provide stable nodes to
> the tor network while protecting myself and my VPS supplier.

Are you running ntpd on the VPS? Your VPS may be being used for an NTP reflection attack.

>
> 4061C553CA88021B8302F0814365070AAE617270
> 185.100.85.101
>
>
> _______________________________________________
> tor-relays mailing list
> tor-relays@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

--
1AE0 322E B8F7 4717 BDEA BF1D 44BB 1BA7 9F6C 6333
keybase: https://keybase.io/gfa
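
One way to follow up on the ntpd question above, as an added example that is not part of the original thread: this Python script audits ntpd configuration text for default `restrict` entries that still answer status queries from any address, the behaviour that NTP reflection relies on. It assumes classic ntpd `ntp.conf` syntax, and both sample configurations are constructed for illustration.

```python
# Added example: audit ntpd configuration text for open status queries.
# Both sample configurations are constructed; they are not from the thread.

WEAK_CONF = """\
# constructed sample: default entry does not refuse queries
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

HARDENED_CONF = """\
# constructed sample: default entries refuse status queries
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

def audit_ntp_conf(text):
    """Return findings for settings that let any host send ntpd status queries."""
    findings = []
    default_entries = []      # (line number, flags) of each "restrict default"
    monitor_disabled = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not words:
            continue
        if words[0] == "disable" and "monitor" in words[1:]:
            monitor_disabled = True
        elif words[0] == "restrict":
            args = [w for w in words[1:] if w not in ("-4", "-6")]
            if args and args[0] == "default":
                default_entries.append((lineno, set(args[1:])))
    if not default_entries:
        findings.append("no 'restrict default' line: the default entry has no flags")
    for lineno, flags in default_entries:
        if not flags & {"noquery", "ignore"}:
            findings.append(f"line {lineno}: 'restrict default' lacks noquery")
    if findings and not monitor_disabled:
        findings.append("monitoring facility not disabled ('disable monitor' absent)")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf) or "no findings")
```

An empty result only covers ntpd; other UDP services listening on the VPS need their own review.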