[tor-relays] So long and thanks for all the abuse complaints
Ralph Seichter
m16+tor at monksofcool.net
Tue Dec 5 19:57:39 UTC 2017
On 05.12.17 20:21, r1610091651 wrote:
> how can the hoster determine whether a packet is part of a port scan
> or valid connection request?
One common example of automatically detectable port scans for /24 IPv4
subnets is consecutive connections, in a small amount of time, to
aaa.bbb.ccc.1:80
aaa.bbb.ccc.2:80
aaa.bbb.ccc.3:80
[etc.]
Looking at the logs I received, this traversal of subnets to find open
ports is the most common type of scan for which my exit is being abused.
The logs sometimes show variations like scanning odd-numbered addresses
in one pass and even-numbered in the next, or scans for several subnets
mixed together, but the hoster's monitoring software is quite good at
automatically identifying patterns.
-Ralph
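
The pattern described in the message above can be sketched as detection logic. This is an added example, not code from the poster or from the hoster's monitoring software. The thresholds, function names and flow records are assumptions constructed for illustration. It counts distinct destination hosts per (source, /24, port) in a sliding time window, so the order of addresses (sequential, odd/even passes, several subnets mixed together) does not matter.

```python
from collections import defaultdict, deque
from ipaddress import ip_network

WINDOW_SECONDS = 10       # assumed threshold, not from the post
MIN_DISTINCT_HOSTS = 20   # assumed threshold, not from the post


def detect_subnet_sweeps(flows, window=WINDOW_SECONDS, min_hosts=MIN_DISTINCT_HOSTS):
    """flows: (timestamp, src_ip, dst_ip, dst_port) tuples sorted by time.
    Returns the set of (src_ip, dst_subnet, dst_port) keys flagged as sweeps."""
    recent = defaultdict(deque)  # key -> (timestamp, dst_ip) pairs still in the window
    flagged = set()
    for ts, src, dst, port in flows:
        subnet = str(ip_network(f"{dst}/24", strict=False))
        key = (src, subnet, port)
        seen = recent[key]
        seen.append((ts, dst))
        # Drop connections that have aged out of the sliding window.
        while seen and ts - seen[0][0] > window:
            seen.popleft()
        # Many distinct hosts in one /24 on one port, in little time, is a sweep.
        if len({d for _, d in seen}) >= min_hosts:
            flagged.add(key)
    return flagged


def constructed_sample():
    """Constructed flow records using documentation address ranges."""
    flows, t = [], 0.0
    scanner, client = "198.51.100.7", "198.51.100.50"
    # Odd-numbered hosts in one pass, even-numbered in the next,
    # with two target subnets interleaved.
    for start in (1, 2):
        for host in range(start, 61, 2):
            for prefix in ("192.0.2", "203.0.113"):
                flows.append((t, scanner, f"{prefix}.{host}", 80))
                t += 0.1
    # Ordinary client: many connections, but only three distinct hosts.
    for i in range(100):
        flows.append((i * 0.12, client, f"192.0.2.{10 + i % 3}", 80))
    return sorted(flows)


if __name__ == "__main__":
    for src, subnet, port in sorted(detect_subnet_sweeps(constructed_sample())):
        print(f"sweep: {src} -> {subnet} port {port}")
```
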