[tor-relays] Tor relays source IPs spoofed to mass-scan port 22?

Red Oaive clearly at ivegotyour.pw
Tue Oct 29 17:55:06 UTC 2024


On 2024-10-29 06:04, Toralf Förster via tor-relays wrote:
> On 10/29/24 04:33, Pierre Bourdon wrote:
>> Some tcpdumps showing random RSTs coming back to my machines running
>> relays (with no traffic being initiated by said machines beforehand):
> 
> You used something like this? :
> 
> tcpdump -i enp8s0 'tcp[13] & 4 != 0 && port 22'

You want source port of 22.

For RSTs:
tcpdump -i enp8s0 'tcp[13] & 4 != 0 and src port 22'
For SYN-ACKs (both SYN and ACK set; `& 18 != 0` would also match plain ACKs):
tcpdump -i eth0 'tcp[13] & 18 == 18 and src port 22'

I tend to use nft counters for stuff like this:

If you don't have good nft accounting chains set up yet:
nft create table ip accounting
nft create chain ip accounting input { type filter hook input priority filter \; policy accept \; }
nft create chain ip accounting output { type filter hook output priority filter \; policy accept \; }

And then the counter rule:
nft add rule ip accounting input tcp sport 22 tcp flags == syn\|ack counter

You can add them for other source ports too - might be useful to expand 
our scope to some other commonly abused ports like 25.

To check your counts:
nft list table ip accounting

