[tor-relays] Tor relays source IPs spoofed to mass-scan port 22?
tor-relays+tor-relays at queer.cat
Tue Oct 29 10:42:45 UTC 2024
I believe it would be helpful to develop a standard template letter to
address these abuse reports. This letter could clarify the ongoing
attack, explain the potential for packet spoofing, and outline why
responding to a single SYN packet with an abuse letter may not be the
most effective use of time.
On 29/10/24 00:33, Pierre Bourdon wrote:
> Hi relay ops,
>
> A few hours ago I received a forwarded abuse report from Hetzner for
> one of my machines running a Tor relay (not exit). Some random ISP was
> claiming I was sending SSH connections to them, and at first I
> couldn't find any corroborating evidence in my own network logs and I
> was ready to dismiss it.
>
> But then I noticed that there is in fact something weird: all 4 of my
> machines running Tor relays are seeing *return* TCP traffic (RSTs or
> SYN-ACKs) from port 22 from various machines all over the world, at a
> very low rate. Kind of like someone spoofing source IPs to send SYNs
> everywhere. I can't figure out at all whether that's actually what's
> happening and what the intent would be though.
>
> Some tcpdumps showing random RSTs coming back to my machines running
> relays (with no traffic being initiated by said machines beforehand):
>
> 04:19:14.705034 IP 198.30.233.69.22 > 172.105.199.155.39998: Flags [R.], seq 0, ack 171173954, win 0, length 0
> 04:20:15.135733 IP 124.198.33.196.22 > 172.105.199.155.23506: Flags [R.], seq 0, ack 1985822135, win 0, length 0
> 04:21:30.222739 IP 223.29.149.158.22 > 172.105.199.155.27507: Flags [R.], seq 0, ack 3614869158, win 0, length 0
>
> 04:14:25.286063 IP 45.187.212.68.22 > 195.201.9.37.59639: Flags [R.], seq 0, ack 41396686, win 0, length 0
> 04:14:25.291455 IP 107.152.7.33.22 > 195.201.9.37.39793: Flags [R.], seq 0, ack 1391844539, win 0, length 0
> 04:14:25.322255 IP 107.91.78.158.22 > 195.201.9.37.48900: Flags [R.], seq 0, ack 1434896088, win 65535, length 0
>
> 04:12:39.470366 IP 121.150.242.252.22 > 77.109.152.87.57627: Flags [R.], seq 0, ack 2452733863, win 0, length 0
> 04:13:05.549920 IP 46.188.201.102.22 > 77.109.152.87.9999: Flags [R.], seq 0, ack 3253922544, win 0, length 0
> 04:14:33.027326 IP 1.1.195.62.22 > 77.109.152.87.52448: Flags [R.], seq 0, ack 351972505, win 0, length 0
>
> By any chance, any other relay ops seeing the same thing, or am I just
> going crazy? (it does kind of sound insane...)
>
> Any speculation as to the reason for this?
>
> Best,
>
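The pattern Pierre describes (RST-ACKs and SYN-ACKs arriving from port 22 with no outbound SYN from the relay first) is TCP backscatter: a host that receives a SYN with a spoofed source replies to that spoofed address, and the reply's ack number is the spoofed SYN's sequence number plus one, which is why the ack values above look random. The script below is an added example, not code from the thread or from the Tor project, that checks a tcpdump one-line capture for exactly this signature so a relay operator can document to an ISP that the relay never initiated the connections. It assumes tcpdump's default TCP summary format as quoted in the thread, a set of the operator's own relay addresses, and a constructed sample capture using documentation address ranges rather than the real addresses from the mail.

```python
import re

# tcpdump default TCP summary line, e.g.
#   04:19:14.705034 IP 203.0.113.5.22 > 192.0.2.10.39998: Flags [R.], seq 0, ack 171173954, win 0, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture (documentation addresses, not the thread's real IPs):
# one legitimate outbound SSH handshake, three unsolicited replies from port 22,
# and one unsolicited RST from port 443 that is outside the watched port.
SAMPLE_CAPTURE = """\
04:10:00.000001 IP 192.0.2.10.44321 > 203.0.113.5.22: Flags [S], seq 100, win 64240, length 0
04:10:00.020002 IP 203.0.113.5.22 > 192.0.2.10.44321: Flags [S.], seq 500, ack 101, win 65160, length 0
04:19:14.705034 IP 198.51.100.7.22 > 192.0.2.10.39998: Flags [R.], seq 0, ack 171173954, win 0, length 0
04:20:15.135733 IP 198.51.100.8.22 > 192.0.2.10.23506: Flags [R.], seq 0, ack 1985822135, win 0, length 0
04:21:30.222739 IP 198.51.100.9.22 > 192.0.2.10.27507: Flags [S.], seq 0, ack 3614869158, win 65535, length 0
04:22:00.000000 IP 198.51.100.9.443 > 192.0.2.10.51000: Flags [R.], seq 0, ack 1, win 0, length 0
"""


def parse_line(line):
    """Parse one tcpdump TCP summary line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def find_unsolicited_backscatter(lines, our_ips, watched_port=22):
    """Return (ts, remote_ip, our_ip, our_port, flags) for every inbound RST or
    SYN-ACK from watched_port that no earlier outbound SYN from us explains.

    tcpdump flag notation: [S] = SYN, [S.] = SYN-ACK, [R.] = RST-ACK, [R] = RST.
    """
    seen_syn = set()  # (our_ip, our_port, remote_ip, remote_port) for SYNs we sent
    hits = []
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        flags = p["flags"]
        if p["src"] in our_ips and p["dport"] == watched_port and "S" in flags and "." not in flags:
            # Outbound SYN from one of our relays: any later reply to this 4-tuple is legitimate.
            seen_syn.add((p["src"], p["sport"], p["dst"], p["dport"]))
        elif p["dst"] in our_ips and p["sport"] == watched_port:
            is_rst = "R" in flags
            is_synack = "S" in flags and "." in flags
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            if (is_rst or is_synack) and key not in seen_syn:
                # Reply to a connection attempt we never made: the SYN carried our
                # address as a spoofed source, and the remote host answered us instead.
                hits.append((p["ts"], p["src"], p["dst"], p["dport"], flags))
    return hits


def distinct_sources(hits):
    """Map each of our addresses to the number of distinct remote hosts replying to it;
    many distinct low-rate sources is the shape of backscatter from a spoofed scan."""
    sources = {}
    for _ts, remote, ours, _port, _flags in hits:
        sources.setdefault(ours, set()).add(remote)
    return {ours: len(remotes) for ours, remotes in sources.items()}


if __name__ == "__main__":
    found = find_unsolicited_backscatter(SAMPLE_CAPTURE.splitlines(), {"192.0.2.10"})
    for ts, remote, ours, port, flags in found:
        print(f"{ts} unsolicited [{flags}] from {remote}:22 to {ours}:{port}")
    print("distinct replying hosts per relay address:", distinct_sources(found))
```

On a real capture, feed it the output of `tcpdump -n -i <iface> 'tcp and (tcp[tcpflags] & (tcp-syn|tcp-rst) != 0)'` recorded over a few hours and pass the relay's own addresses as `our_ips`; the count of distinct replying hosts, together with the absence of any matching outbound SYN, is the evidence worth attaching to a reply to the abuse desk.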