[tor-relays] Tor relays source IPs spoofed to mass-scan port 22?

Chris Enkidu-6 tor at wcbsecurity.com
Tue Oct 29 07:17:37 UTC 2024


Yes, I have 11 IP addresses on Hetzner, 3 of which are running Tor
relays. Only those 3 received the abuse notice, which tells me Tor IP
addresses are specifically targeted.

I'm assuming it could be intended to get Tor IP addresses added to
various popular block lists. Once they're added to several block lists,
all kinds of traffic with those source addresses are affected, not just
traffic to port 22.

Regards,

Enkidu

On 10/28/2024 11:33 PM, Pierre Bourdon wrote:
> Hi relay ops,
>
> A few hours ago I received a forwarded abuse report from Hetzner for
> one of my machines running a Tor relay (not exit). Some random ISP was
> claiming I was sending SSH connections to them, and at first I
> couldn't find any corroborating evidence in my own network logs and I
> was ready to dismiss it.
>
> But then I noticed that there is in fact something weird: all 4 of my
> machines running Tor relays are seeing *return* TCP traffic (RSTs or
> SYN-ACKs) from port 22 from various machines all over the world, at a
> very low rate. Kind of like someone spoofing source IPs to send SYNs
> everywhere. I can't figure out at all whether that's actually what's
> happening and what the intent would be though.
>
> Some tcpdumps showing random RSTs coming back to my machines running
> relays (with no traffic being initiated by said machines beforehand):
>
> 04:19:14.705034 IP 198.30.233.69.22 > 172.105.199.155.39998: Flags
> [R.], seq 0, ack 171173954, win 0, length 0
> 04:20:15.135733 IP 124.198.33.196.22 > 172.105.199.155.23506: Flags
> [R.], seq 0, ack 1985822135, win 0, length 0
> 04:21:30.222739 IP 223.29.149.158.22 > 172.105.199.155.27507: Flags
> [R.], seq 0, ack 3614869158, win 0, length 0
>
> 04:14:25.286063 IP 45.187.212.68.22 > 195.201.9.37.59639: Flags [R.],
> seq 0, ack 41396686, win 0, length 0
> 04:14:25.291455 IP 107.152.7.33.22 > 195.201.9.37.39793: Flags [R.],
> seq 0, ack 1391844539, win 0, length 0
> 04:14:25.322255 IP 107.91.78.158.22 > 195.201.9.37.48900: Flags [R.],
> seq 0, ack 1434896088, win 65535, length 0
>
> 04:12:39.470366 IP 121.150.242.252.22 > 77.109.152.87.57627: Flags
> [R.], seq 0, ack 2452733863, win 0, length 0
> 04:13:05.549920 IP 46.188.201.102.22 > 77.109.152.87.9999: Flags [R.],
> seq 0, ack 3253922544, win 0, length 0
> 04:14:33.027326 IP 1.1.195.62.22 > 77.109.152.87.52448: Flags [R.],
> seq 0, ack 351972505, win 0, length 0
>
> By any chance, any other relay ops seeing the same thing, or am I just
> going crazy? (it does kind of sound insane...)
>
> Any speculation as to the reason for this?
>
> Best,
>