[tor-relays] Tor relays source IPs spoofed to mass-scan port 22?
Richie
richie at zuviel.org
Wed Oct 30 05:58:36 UTC 2024
Could this be the real issue? https://delroth.net/posts/spoofed-mass-scan-abuse/
Greetz,
Richie
> Am 29.10.2024 um 15:12 schrieb mick <mbm at rlogin.net>:
>
> On Tue, 29 Oct 2024 07:47:53 +0000
> mick <mbm at rlogin.net> allegedly wrote:
>
>>> Same here. Middle relay, automated abuse report forwarded by
>>> Hetzner, for alleged scans of TCP port 22 across several related
>>> IPv4 class-C networks. I wondered if that was a mistake on the
>>> reporting third party's end, but given that I am not the only on,
>>> it seems there is more to it.
>>
>> Me too. Middle relay on Hetzner. Alleged SSH scans from my relay. I
>> have not yet had time to investigate, but will do so later today.
>>
>> Mick
>
> I have taken a look at my relay and noted activity like this a short
> while ago.
>
> 105.812429380 202.91.162.47 → 95.216.198.252 TCP 54 22 → 18588 [RST,
> ACK] Seq=1 Ack=1 Win=5840 Len=0
> 113.387329574 202.91.163.206 → 95.216.198.252 TCP 54 22 → 41567
> [RST, ACK] Seq=1 Ack=1 Win=4128 Len=0
>
> So - resets coming from a host I have not attempted to connect to.
>
> I have informed hetzner and pointed them to the tor-project note at
> https://gitlab.torproject.org/tpo/network-health/analysis/-/issues/85
> given by Roger Dingledine.
>
> Mick
>
>
> ---------------------------------------------------------------------
> Mick Morgan
> gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312
> blog: baldric.net
> ---------------------------------------------------------------------
>
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20241030/96819fa0/attachment.htm>
More information about the tor-relays
mailing list