[tor-relays] Tor relays source IPs spoofed to mass-scan port 22?
mick
mbm at rlogin.net
Tue Oct 29 13:23:17 UTC 2024
On Tue, 29 Oct 2024 07:47:53 +0000
mick <mbm at rlogin.net> allegedly wrote:
> > Same here. Middle relay, automated abuse report forwarded by
> > Hetzner, for alleged scans of TCP port 22 across several related
> > IPv4 class-C networks. I wondered if that was a mistake on the
> > reporting third party's end, but given that I am not the only on,
> > it seems there is more to it.
>
> Me too. Middle relay on Hetzner. Alleged SSH scans from my relay. I
> have not yet had time to investigate, but will do so later today.
>
> Mick
I have taken a look at my relay and noted activity like this a short
while ago.
105.812429380 202.91.162.47 → 95.216.198.252 TCP 54 22 → 18588 [RST,
ACK] Seq=1 Ack=1 Win=5840 Len=0
113.387329574 202.91.163.206 → 95.216.198.252 TCP 54 22 → 41567
[RST, ACK] Seq=1 Ack=1 Win=4128 Len=0
So - resets coming from a host I have not attempted to connect to.
I have informed hetzner and pointed them to the tor-project note at
https://gitlab.torproject.org/tpo/network-health/analysis/-/issues/85
given by Roger Dingledine.
Mick
---------------------------------------------------------------------
Mick Morgan
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
blog: baldric.net
---------------------------------------------------------------------
More information about the tor-relays
mailing list