Dr Gerard Bulger wrote:
> I ran an exit node, but gave up after too many abuse reports that
> annoyed my ISP. So I turned all exit ports off, and reports stopped as a
> relay. After months and many terabytes of data I get an abuse
> complaint that my tor IP has been used for espionage.
> “NCSC have been made aware of a report and associated malicious
> indicators released by the United States Government relating to
> malicious cyber activity. A copy of the report and indicators can be
> found at the following link:-
> https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity
> Details within this report indicate network assets which may have been
> compromised or associated with malicious activity. We have identified
> the following IP address from this report as x.x.x.x As a minimum, it
> is recommended that you check systems and any available logs concerned
> with the above addresses for indications of malicious activity”
> There are no other details as to HOW my tor relay is being used. The
> espionage seems to rely on the stupidity of recipients on receiving
> emails asking for passwords. I am not sure HOW an ISP or relay service can
> stop that. Or is it that my relay was being used to transfer the data?
Like Rana, I also wondered if perhaps this traces back to when you ran
an exit node. I haven't taken the time (and probably don't have the
skill) to analyze what is in that report, but others have. You might
find Security Week's write-up helpful:
http://www.securityweek.com/us-attributes-election-hacks-russian-threat-groups
In particular:
    While some industry experts applauded the GRIZZLY STEPPE
    indicators provided by the U.S. Government, some experts urged
    caution for those quickly integrating them into their cyber
    defense measures.
    "Be careful using the DHS/FBI GRIZZLY STEPPE indicators. Many
    are VPS, TOR relays, proxies, etc. which will generate lots
    of false positives," Robert M. Lee, founder and CEO of Dragos
    Security and a former member of the intelligence community,
    Tweeted.
I suspect you are among the "lots of false positives".
> I assume my IP was found by way of a DNS leak which I need to look
> into. There is nothing else I can do as a relay to stop this or is there?
If this happened when you ran an exit node then you don't need to look
for a DNS leak (I don't see how that would pertain to a relay, anyway)
and you wouldn't need to worry about stopping it (you already have by
not being an exit).
Of course, it is possible your node was actually compromised but I think
Occam's razor argues against that.
Jim
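The false-positive problem Lee describes is easy to triage mechanically: before acting on an IP indicator, check it against the Tor network-status consensus and record whether the address is a relay and whether it carries the Exit flag. The script below is an added example written for this thread, not code from the list or from the Tor Project. Its inputs are constructed: the consensus excerpt follows the "r ..." / "s ..." line layout of a Tor network-status document but uses placeholder identity strings and TEST-NET addresses, and the indicator list is made up rather than taken from the GRIZZLY STEPPE report.

```python
"""Triage IP indicators against a Tor network-status snapshot.

Added example (not code from the tor-relays thread or the Tor Project):
each indicator is annotated with whether the address is a known Tor
relay and whether that relay carries the Exit flag, so relay hits can be
deprioritised as probable false positives instead of being handled as
compromised hosts. Every line of input below is constructed: the
consensus excerpt follows the "r ..." / "s ..." line layout of a Tor
network-status document but uses placeholder identities and TEST-NET
addresses.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed consensus excerpt. Each "r" line names a relay and its IP
# (7th field); the "s" line that follows lists its flags.
CONSENSUS = """\
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2017-01-02 10:00:00 198.51.100.10 9001 9030
s Exit Fast Guard Running Stable Valid
r relayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2017-01-02 10:00:00 198.51.100.20 443 0
s Fast Guard Running Stable Valid
r relayC EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2017-01-02 10:00:00 203.0.113.5 9001 0
s Fast Running Valid
"""

# Constructed indicator list: one IPv4 address per line, '#' comments allowed.
INDICATORS = """\
# constructed sample indicators, not real IoCs
198.51.100.10
198.51.100.20
192.0.2.77
"""


@dataclass
class Relay:
    nickname: str
    address: str
    flags: set = field(default_factory=set)


def parse_consensus(text: str) -> Dict[str, Relay]:
    """Return a map of IP address -> Relay built from r/s line pairs."""
    relays: Dict[str, Relay] = {}
    current = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 9:
            # r <nick> <identity> <digest> <date> <time> <ip> <orport> <dirport>
            current = Relay(nickname=parts[1], address=parts[6])
            relays[current.address] = current
        elif parts[0] == "s" and current is not None:
            current.flags.update(parts[1:])
            current = None
    return relays


def classify(address: str, relays: Dict[str, Relay]) -> str:
    """Verdict for one indicator address."""
    relay = relays.get(address)
    if relay is None:
        return "not-a-relay"
    return "tor-exit-relay" if "Exit" in relay.flags else "tor-non-exit-relay"


NOTES = {
    "not-a-relay": "not in the consensus: investigate as a normal indicator",
    "tor-exit-relay": "exit relay: activity is from anonymous Tor users, "
                      "probable false positive for the relay operator",
    "tor-non-exit-relay": "non-exit relay: cannot originate Tor client traffic; "
                          "check whether it was an exit when the indicator was observed",
}


def triage(indicators: str, relays: Dict[str, Relay]) -> List[dict]:
    """Annotate every indicator line with a verdict and a triage note."""
    rows = []
    for line in indicators.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        verdict = classify(line, relays)
        relay = relays.get(line)
        rows.append({
            "ip": line,
            "verdict": verdict,
            "relay": relay.nickname if relay else None,
            "note": NOTES[verdict],
        })
    return rows


if __name__ == "__main__":
    for row in triage(INDICATORS, parse_consensus(CONSENSUS)):
        print(f"{row['ip']:<15} {row['verdict']:<20} {row['note']}")
```

One caveat that matters for exactly the situation in this thread: a current consensus only tells you what the address is today. An indicator collected while a node was still an exit will show up as a non-exit relay (or not at all) against a fresh snapshot, so for older reports compare against the consensus archived for the observation date (the Tor Project's CollecTor archives keep historical network-status documents) rather than the live one.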
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays