[tor-relays] Again: abuse email for non-exit relay (masergy)
ronqtorrelays at risley.net
Sun May 3 21:36:34 UTC 2020
I got a *bunch* (harassment-level) of telephone calls from my ISP similar to this. They refused to do anything by email, and wouldn't tell me anything more about the supposed port-scanning attacks. They just kept asking me to "make sure Windows and my router firmware were up to date." (No Windows, no router.) They kept saying that I was port-scanning a machine in the 10.x address space. When I finally got someone who knew enough to know that wasn't a routable address, they *still* couldn't tell me anything about the nature of the complaint. I finally had to threaten legal action, at which point they *still* refused to disclose anything about the complaint, but at least stopped calling me. The *hours* on the phone revealed only two things: the complaint was originating from somewhere in the Chicago (US) area, and the "port" I was "scanning" was always 9002.
My relay was also a non-exit. Needless to say, I was monitoring my network traffic and there was no "port scanning" going on. My best guess is that some kindergartener in a sysadmin suit (or incompetent security suite vendor, if that's not redundant) configured a firewall to automatically report accesses via port 9002 as port scanning and they have a relay behind said firewall.
As much as I would have welcomed the opportunity to educate and assist the operator of this misconfigured security system, my ISP would never divulge any contact information.
Just a data point.
--Ron
> On May 3, 2020, at 14:15, <gerard at bulger.co.uk> <gerard at bulger.co.uk> wrote:
>
> That is really unhelpful of them to state Type of Attack/Scan: Generic Hosts: 10.10.10.182, which is a non-routable address. Something on their LAN is wrong. You cannot even respond by blocking their actual WAN IP in torrc.
>
> Ask for the real WAN IP of their network so you can block the attack.
>
>
>
>
> -----Original Message-----
> From: tor-relays <tor-relays-bounces at lists.torproject.org> On Behalf Of lists at for-privacy.net
> Sent: 03 May 2020 21:16
> To: tor-relays at lists.torproject.org
> Subject: [tor-relays] Again: abuse email for non-exit relay (masergy)
>
> Hi,
>
> got multiple abuse in the last 2 weeks.
>
> 2 relays with 2 IP run on the server. Someone is always hammering my OR port on one IP. (37.157.255.118:9002)
> https://metrics.torproject.org/rs.html#details/BD2A34ADE4E603A272FAAD23AEF389801BB223BB
> https://metrics.torproject.org/rs.html#details/8EE44717FA55705C12086F3ECD1F8D9C8676FD05
>
>
> What can I do?
>
> Found that in the archive:
> https://lists.torproject.org/pipermail/tor-relays/2017-September/013030.html
>
>
> the 5th complaint:
> ##############################################################################################################
>
> To Whom it May Concern,
>
> You have a system on your network that is actively scanning and/or
> attacking external sites on the Internet. This can come from many
> sources and because it is often difficult to detect this activity, we
> are sending this E-mail in an attempt to help you solve the problem.
>
> We have detected your system with an IP of, 37.157.255.118, scanning a
> client we monitor. This was not a short attack but a prolonged scan
> and/or probe that was designed to find and intrude into the target
> network.
>
> This may be someone on your network who is actively trying to hack
> others. This person may be a legitimate user on your network or it may
> be that this system has been compromised and is being used by someone to
> hack others. It is also likely that the system is running automated
> tools that have been installed to perform these actions without any
> human intervention.
>
> Below is the information about the attack. Keep in mind that the source
> IP of our client has been sanitized for anonymity.
>
> Date: 04/30/2020
> Time: 11:05:37
> Time Zone: America/Chicago
> Source(s): 37.157.255.118
> Type of Attack/Scan: Generic
> Hosts: 10.10.10.182
> Log:
>
> 37.157.255.118:9002 > 10.10.10.182:24562
>
> Possible Cause:
>
>
> Thank you for your attention to this matter,
>
> Masergy
> email: esp at masergy.com
>
> --
> ╰_╯ Ciao Marco!
>
> Debian GNU/Linux
>
> It's free software and it gives you freedom!
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
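Added example, not part of the thread and not code from Tor or Masergy: a triage of the `Log:` line in the quoted complaint, checking the two things the replies point out (a non-routable target, and traffic leaving from the relay's own OR port) against what a scan would look like in flow logs. The finding names, the `SCAN_FANOUT` threshold and the assumption that the operator supplies the relay's listening ports are made up here for illustration.

```python
import ipaddress
import re
from collections import namedtuple

Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port")
# "src_ip:port > dst_ip:port", the layout of the Log: line in the quoted complaint
FLOW_RE = re.compile(r"^\s*([\d.]+):(\d{1,5})\s*>\s*([\d.]+):(\d{1,5})\s*$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SCAN_FANOUT = 10  # assumption: distinct targets needed before calling it a scan

# The single flow line from the complaint quoted in this thread
COMPLAINT_LOG = ["37.157.255.118:9002 > 10.10.10.182:24562"]


def parse_flow(line):
    m = FLOW_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised flow line: {line!r}")
    src_port, dst_port = int(m.group(2)), int(m.group(4))
    if not (0 < src_port <= 65535 and 0 < dst_port <= 65535):
        raise ValueError(f"port out of range: {line!r}")
    # ip_address() raises ValueError on a malformed address
    return Flow(ipaddress.ip_address(m.group(1)), src_port,
                ipaddress.ip_address(m.group(3)), dst_port)


def triage(lines, listening_ports):
    """Return sorted findings for the flow lines of one abuse report.

    listening_ports: ports the reported host accepts connections on
    (supplied by the operator, e.g. the relay's ORPort).
    """
    flows = [parse_flow(line) for line in lines if line.strip()]
    findings = set()
    if any(f.dst_ip in net for f in flows for net in RFC1918):
        # Reporter logged an internal address, so the real target is unknown
        findings.add("target-not-routable")
    if flows and all(f.src_port in listening_ports for f in flows):
        # Every packet leaves from the service port: consistent with replies
        # to clients that connected in, not with outbound probing
        findings.add("source-is-listening-port")
    if len({(f.dst_ip, f.dst_port) for f in flows}) >= SCAN_FANOUT:
        # Many distinct host/port targets is what a scan looks like in flow logs
        findings.add("many-targets")
    return sorted(findings)


if __name__ == "__main__":
    print(triage(COMPLAINT_LOG, listening_ports={9002}))
```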