Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://freesoftwareextremist.com/objects/987d640b-eb7d-438f-8904-8c47631b2c3a">翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Thursday, 07-Nov-2024 15:19:09 JST</a><a href="https://freesoftwareextremist.com/users/Suiseiseki" title="suiseiseki@freesoftwareextremist.com"><img src="https://gnusocial.jp/avatar/789-48-20220724040913.webp" width="48" height="48" alt="翠星石" style="position: absolute; left: 0; top: 0;">翠星石</a><div><a href="https://mastodon.electroncash.de/@georgengelmann/113440072056098023" rel="in-reply-to">in reply to</a><ul><li></ul></div></section><article><a href="https://mastodon.electroncash.de/@georgengelmann">@georgengelmann</a> There is an attacker spoofing TCP packets with the source IP to pretend to mass-connect to ssh honeypots - meaning that Tor relays are getting TCP RST packets and abuse reports.<br><br>Such attack shouldn't be possible, but BCP38 has seen little implementation.<br><br>It's best to reply to such abuse reports noting that such was an IP spoofing attack and none of such connections came from your server.<br><br><a href="https://forum.torproject.org/t/tor-relays-tor-relays-source-ips-spoofed-to-mass-scan-port-22/15498">https://forum.torproject.org/t/tor-relays-tor-relays-source-ips-spoofed-to-mass-scan-port-22/15498</a> (too bad you cannot view the issue comments without running proprietary gitlab JavaScript).</article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/3954489#notice-7724811">In conversation</a><time datetime="2024-11-07T15:19:09+09:00" title="Thursday, 07-Nov-2024 15:19:09 JST">about 7 months ago</time> <span>from <span><a href="https://freesoftwareextremist.com/objects/987d640b-eb7d-438f-8904-8c47631b2c3a" rel="external" title="Sent from freesoftwareextremist.com via ActivityPub">freesoftwareextremist.com</a></span></span><a href="https://freesoftwareextremist.com/objects/987d640b-eb7d-438f-8904-8c47631b2c3a">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: forum.torproject.org</div><h5><a href="https://forum.torproject.org/t/tor-relays-tor-relays-source-ips-spoofed-to-mass-scan-port-22/15498">[tor-relays] Tor relays source IPs spoofed to mass-scan port 22?</a></h5><div></div></header><div>Hi relay ops,  A few hours ago I received a forwarded abuse report from Hetzner for  one of my machines running a Tor relay (not exit). Some random ISP was  claiming I was sending SSH connections to them, and at first I  couldn't find any corroborating evidence in my own network logs and I  was ready to dismiss it.  But then I noticed that there is in fact something weird: all 4 of my  machines running Tor relays are seeing *return* TCP traffic (RSTs or  SYN-ACKs) from port 22 from various machi...</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Thursday, 07-Nov-2024 15:19:09 JST翠星石
in reply to
- Georg Engelmann
@georgengelmann There is an attacker spoofing TCP packets with the source IP to pretend to mass-connect to ssh honeypots - meaning that Tor relays are getting TCP RST packets and abuse reports.

Such attack shouldn't be possible, but BCP38 has seen little implementation.

It's best to reply to such abuse reports noting that such was an IP spoofing attack and none of such connections came from your server.

https://forum.torproject.org/t/tor-relays-tor-relays-source-ips-spoofed-to-mass-scan-port-22/15498 (too bad you cannot view the issue comments without running proprietary gitlab JavaScript).
In conversationabout 7 months ago from freesoftwareextremist.compermalink
Attachments
1. Domain not in remote thumbnail source whitelist: forum.torproject.org
  [tor-relays] Tor relays source IPs spoofed to mass-scan port 22?
  Hi relay ops, A few hours ago I received a forwarded abuse report from Hetzner for one of my machines running a Tor relay (not exit). Some random ISP was claiming I was sending SSH connections to them, and at first I couldn't find any corroborating evidence in my own network logs and I was ready to dismiss it. But then I noticed that there is in fact something weird: all 4 of my machines running Tor relays are seeing *return* TCP traffic (RSTs or SYN-ACKs) from port 22 from various machi...

Public

Embed Notice

HTML Code

Corresponding Notice