[tor-relays] So long and thanks for all the abuse complaints

Ralph Seichter m16+tor at monksofcool.net
Tue Dec 5 19:57:39 UTC 2017


On 05.12.17 20:21, r1610091651 wrote:

> how can the hoster determine whether a packet is part of a port scan
> or valid connection request?

One common example of automatically detectable port scans for /24 IPv4
subnets is consecutive connections, in a small amount of time, to

  aaa.bbb.ccc.1:80
  aaa.bbb.ccc.2:80
  aaa.bbb.ccc.3:80
  [etc.]

Looking at the logs I received, this traversal of subnets to find open
ports is the most common type of scan for which my exit is being abused.

The logs sometimes show variations like scanning odd-numbered addresses
in one pass and even-numbered in the next, or scans for several subnets
mixed together, but the hoster's monitoring software is quite good at
automatically identifying patterns.

-Ralph
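
The pattern described in the message above, sketched as an added example (not part of the original post, and not the hoster's monitoring software). It flags a source that contacts many distinct addresses of one /24 on the same port within a short window; the function names, the 5-second window, the 16-host threshold and the flow records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

def detect_sweeps(events, window=5.0, min_hosts=16):
    """Return {(src, /24, port): peak distinct hosts} for groups where one
    source reaches at least min_hosts addresses of a subnet within window s.

    events: iterable of (timestamp_seconds, src_ip, dst_ip, dst_port).
    Counting distinct hosts instead of strictly sequential addresses also
    catches odd/even passes and scans of several subnets mixed together.
    """
    groups = defaultdict(list)
    for ts, src, dst, port in events:
        subnet = ipaddress.ip_network(f"{dst}/24", strict=False)
        groups[(src, str(subnet), port)].append((ts, dst))

    flagged = {}
    for key, hits in groups.items():
        hits.sort()
        start, best = 0, 0
        in_window = defaultdict(int)  # dst -> hits inside the current window
        for ts, dst in hits:
            in_window[dst] += 1
            while ts - hits[start][0] > window:  # drop hits that aged out
                old = hits[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= min_hosts:
            flagged[key] = best
    return flagged

def sample_events():
    """Constructed flow records using documentation address ranges only."""
    events, t = [], 0.0
    # Source .10: odd-numbered hosts of two subnets, interleaved, port 80.
    for host in range(1, 61, 2):
        for net in ("198.51.100", "203.0.113"):
            events.append((t, "192.0.2.10", f"{net}.{host}", 80))
            t += 0.05
    # Source .20: ordinary client reusing three servers on port 443.
    for i in range(60):
        events.append((i * 0.1, "192.0.2.20", f"198.51.100.{10 + i % 3}", 443))
    return events

if __name__ == "__main__":
    for key, hosts in detect_sweeps(sample_events()).items():
        print(key, hosts)
```

Seen from the hoster's side, the source address in such records is the exit relay itself, so the thresholds have to sit well above what ordinary exit traffic to a single subnet produces.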

