[tor-relays] Re: Update: Tor relays source IPs spoofed to mass-scan port 22

2024-11-18 Thread littlehoster.denote399--- via tor-relays
Hi, I had very similar reports to 
[tor-operator_urdn.co](https://forum.torproject.org/u/tor-operator_urdn.co):
   DateTime              Action   AttackClass      SourceIP     SrcPort  Protocol  DestinationIP   DestPort
0  30-Oct-2024 14:06:13  BLOCKED  attempted-recon  92.51.45.21  0                  202.91.162.47   22
1  30-Oct-2024 14:43:35  BLOCKED  attempted-recon  92.51.45.21  0                  202.91.162.24   22
2  30-Oct-2024 15:11:40  BLOCKED  attempted-recon  92.51.45.21  0                  202.91.162.24   22
3  30-Oct-2024 15:19:05  DENIED                    92.51.45.21  64006    TCP       202.91.162.172  22
4  30-Oct-2024 15:19:20  BLOCKED  attempted-recon  92.51.45.21  0                  202.91.162.24   22
5  30-Oct-2024 15:44:49  DENIED                    92.51.45.21  18054    TCP       202.91.161.94   22
The report is from the same IP range.
___
tor-relays mailing list -- tor-relays@lists.torproject.org
To unsubscribe send an email to tor-relays-le...@lists.torproject.org


[tor-relays] Re: Update: Tor relays source IPs spoofed to mass-scan port 22

2024-11-11 Thread tor-operator
Roger Dingledine :

> Hi! Can you send me (off-list) the details of what you are seeing?

Done.

The last observation was made Nov. 9 at 11:49 UTC, that is after it was
announced the attacker was shut down.

We no longer see the packets, but we continue to receive reports from
the same mentioned amateurs, the last one is dated 12 Nov 2024 07:57:06
+0800. All mentioned addresses are those of Tor relays, and the
destination port is still ssh.

Excerpt from the report:

  5  11-Nov-2024 12:32:52  DENIED  193.218.118.89   54796  TCP  202.91.160.87   22

This could be simple brute force attacks, but since the reporter blocks
the connections, that seems unlikely. Perhaps the attacker tuned the
attack to a list of networks that are known for triggering reports.

> (3) You are misreading your packets and actually it is more benign
> than you think or otherwise we can find an expected explanation for
> what you are seeing.

No misreading; the attack is benign anyway, the problem is really
with the fools that take these reports seriously.


[tor-relays] Re: Update: Tor relays source IPs spoofed to mass-scan port 22

2024-11-11 Thread a tor op via tor-relays
Hi,

A few notes. I don't know if I have missed it but I don't recall seeing bridges 
mentioned in this discussion.

I too have gotten an abuse message/info/alert from my hosting provider (Nov 8, 
03:20 hrs) and I have an OBFS4 BRIDGE, no middle or exit node. And it has 
always been a bridge, from the initial installation/deploy 5+ years ago.
My server was noted as being "blocked in Russia" earlier on the relay search 
tor metrics page; I have noted that this info has been removed from the page. 
I don't know if that is due to the server not being blocked (unlikely?) or the 
info having been removed from all pages, due to false positives etc(?).

This leads me to wonder if this "DOS attack" is being orchestrated from Russia 
somehow?

A tor op



On Sunday, November 10th, 2024 at 9:36 AM, Roger Dingledine 
 wrote:

> On Sun, Nov 10, 2024 at 03:15:59AM -, tor-opera...@urdn.com.ua wrote:
> 
> > I can confirm that the attack has not stopped and that we continue to
> > monitor spoofed packets with Tor relay's IP addresses including the
> > addresses of relays that are at our network.
> > 
> > This continues to trigger the sending of reports from the same amateurs.
> 
> 
> Hi! Can you send me (off-list) the details of what you are seeing?
> 
> I see several possible scenarios:
> 
> (1) The attack stopped in some places but not in others. Or more
> specifically, some addresses are no longer being targeted but others
> still are.
> 
> (2) The attackers moved to some new host and started up the attack again,
> but only to some addresses. Or, some new attacker heard about all the
> excitement and decided to give it a go.
> 
> (3) You are misreading your packets and actually it is more benign than
> you think or otherwise we can find an expected explanation for what you
> are seeing.
> 
> #1 seems unlikely. #2 is definitely possible and we should look for
> evidence that it has happened, so we can pull in our friends and allies
> to do their work again. I am hoping for #3. :)
> 
> Thanks,
> --Roger
> 


[tor-relays] Re: Update: Tor relays source IPs spoofed to mass-scan port 22

2024-11-10 Thread tor-relays+tor-relays
It’s possible that the attack was filtered upstream, and since you’re 
closer to the attacker, you might still be seeing those spoofed packets. 
Also, if you’re noticing spoofed packets coming from your own network, 
it could indicate a deeper issue. Have you checked if reverse path 
filtering is enabled?


On 9/11/24 23:15, tor-opera...@urdn.com.ua wrote:

I can confirm that the attack has not stopped and that we continue to
monitor spoofed packets with Tor relay's IP addresses including the
addresses of relays that are at our network.

This continues to trigger the sending of reports from the same amateurs.


[tor-relays] Re: Update: Tor relays source IPs spoofed to mass-scan port 22

2024-11-10 Thread Roger Dingledine
On Sun, Nov 10, 2024 at 03:15:59AM -, tor-opera...@urdn.com.ua wrote:
> I can confirm that the attack has not stopped and that we continue to
> monitor spoofed packets with Tor relay's IP addresses including the
> addresses of relays that are at our network.
> 
> This continues to trigger the sending of reports from the same amateurs.

Hi! Can you send me (off-list) the details of what you are seeing?

I see several possible scenarios:

(1) The attack stopped in some places but not in others. Or more
specifically, some addresses are no longer being targeted but others
still are.

(2) The attackers moved to some new host and started up the attack again,
but only to some addresses. Or, some new attacker heard about all the
excitement and decided to give it a go.

(3) You are misreading your packets and actually it is more benign than
you think or otherwise we can find an expected explanation for what you
are seeing.

#1 seems unlikely. #2 is definitely possible and we should look for
evidence that it has happened, so we can pull in our friends and allies
to do their work again. I am hoping for #3. :)

Thanks,
--Roger



[tor-relays] Re: Update: Tor relays source IPs spoofed to mass-scan port 22

2024-11-09 Thread tor-operator
I can confirm that the attack has not stopped and that we continue to
monitor spoofed packets with Tor relay's IP addresses including the
addresses of relays that are at our network.

This continues to trigger the sending of reports from the same amateurs.


[tor-relays] Re: Update: Tor relays source IPs spoofed to mass-scan port 22

2024-11-08 Thread Carlo P. via tor-relays
Hello all,

those watchdogcyberdefense "specialists" have meanwhile publicly admitted their 
mistake (of course, hidden in a political wording to create a different 
impression):

https://watchdogcyberdefense.com/2024/11/is-this-attackers-ip-spoofed/

Quote: "This experience got us thinking about the need for a swift way to 
identify spoofed IPs involved in attacks that create substantial backscatter 
traffic"

On November 8, 2024 at 4:44 PM,  wrote:

gus :

> I'm writing to share that the origin of the spoofed packets has been
> identified and successfully shut down today, thanks to the assistance
> from Andrew Morris at GreyNoise and anonymous contributors.

Are you sure that it has been effectively shut down? We're still
receiving spoofed packets with IP addresses of Tor relays set as source
after this message has been posted. We've also received more "reports"
from the same newbies after this message was posted.

Our traps even see packets with the IP addresses of Tor relays that are
in the same subnet.

So far we've been able to trace this to a certain peer, we'll be
monitoring.



[tor-relays] Re: Update: Tor relays source IPs spoofed to mass-scan port 22

2024-11-08 Thread Red Oaive via tor-relays

On 2024-11-08 08:47, tor-relays+tor-rel...@queer.cat wrote:
This rule will also count SYN-ACKs sent from your own server to bots 
trying to connect to your SSH on port 22.


The rule is on the source port = 22, not the destination port = 22.  
Incoming bot connections will not have a sport = 22.


It is also in a chain hooked only to input packets and will not trigger 
on outgoing packets.


~# nft list table ip accounting
table ip accounting {
        chain input {
                type filter hook input priority filter; policy accept;
                ...
                tcp sport 22 tcp flags == 0x12 counter packets 210 bytes 12360
        }
}

My ssh service is anyway behind knockd, so my machine will never send 
out SYN-ACKs.  The knockd ssh rule is reject, so it will only send 
out RSTs.


Also, these have to be coming from more than one source.  The byte count 
is not an even multiple of the number of packets, meaning that there are 
almost assuredly different sources with different stack configurations.


I assess the rule is correctly configured to detect only incoming 
SYN-ACKs and that I am seeing SYN-ACKs from multiple machines that were 
targeted with SYNs spoofing my IP.


I am seeing this behavior on a friend's VPS with newly created relay.  
None of my more public-facing VPSs that are not involved in Tor are 
seeing these.


I would encourage everyone to add the above table and rule so we can 
assess how much SYN spoofing is still going on.  So far spoofing seems 
now reduced in intensity but still occurring.  But my data points are few, 
so more data points, and from more established servers than mine, would be 
valuable.


Oaive


[tor-relays] Re: Update: Tor relays source IPs spoofed to mass-scan port 22

2024-11-08 Thread Roger Dingledine
On Fri, Nov 08, 2024 at 11:14:54AM -0400, tor-relays+tor-rel...@queer.cat wrote:
>  But
> definitely make sure to exclude the IPs of other Tor relays listening on
> port 22. That could be why you’re seeing those counters go up.

You can get that list of (currently 10) relays via

$ curl -s http://128.31.0.39:9231/tor/status-vote/current/consensus | grep "^r " | grep " 22 0$"

...as long as you're not on the part of the internet that has censored
that IP address, that is. :)

--Roger

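The two checks discussed above, the consensus lookup for relays that listen on port 22 and the SYN-ACK accounting rule that should exclude them, as an added Python example that is not code from this thread or from the Tor Project. It also cross-checks an abuse report of the kind quoted in the thread against the consensus: a report whose "source" is a listed Tor relay is consistent with the spoofed SYNs described here. All input is constructed: the `r` lines use RFC 5737 documentation addresses and placeholder identity/digest strings in the consensus layout (`r nickname identity digest date time IP ORPort DirPort`), and the report lines imitate the firewall excerpt's column layout. The port filter is deliberately wider than Roger's grep: it selects any relay with ORPort or DirPort 22, not only those whose DirPort is 0.

```python
"""Added example, not code from the thread or from the Tor Project.

  1. cross-check an abuse report against the consensus: a listed Tor relay as
     the *source* of an SSH scan is the signature of the spoofing discussed;
  2. list relays with ORPort/DirPort 22 and render an nftables accounting table
     that counts inbound SYN-ACKs from port 22 with those relays excluded, so
     their genuine handshake replies do not inflate the backscatter counter.
All sample data below is constructed (RFC 5737 addresses, placeholder IDs)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed consensus excerpt; real data comes from the curl command above.
SAMPLE_CONSENSUS = """\
network-status-version 3
r alpha AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2024-11-08 03:22:19 192.0.2.10 22 0
s Fast Running Stable Valid
r bravo CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2024-11-08 01:10:42 192.0.2.20 9001 9030
s Fast Guard Running Stable Valid
r charlie EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2024-11-08 02:05:00 198.51.100.7 22 9030
s Running Valid
"""

# Constructed report rows in the column layout of the firewall excerpt quoted in the thread.
SAMPLE_REPORT = """\
0  30-Oct-2024 14:06:13  BLOCKED  attempted-recon  192.0.2.20    0      203.0.113.47   22
1  30-Oct-2024 15:19:05  DENIED   192.0.2.20    64006  TCP  203.0.113.172  22
2  30-Oct-2024 15:44:49  DENIED   203.0.113.99  18054  TCP  203.0.113.94   22
"""


@dataclass(frozen=True)
class Relay:
    nickname: str
    ip: str
    or_port: int
    dir_port: int


def parse_consensus(text: str) -> list[Relay]:
    """One Relay per 'r' line.  Index from the end (IP, ORPort, DirPort) so the
    parser also accepts microdesc consensuses, which omit the digest field."""
    relays = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] != "r":
            continue
        try:
            ip = str(ipaddress.IPv4Address(fields[-3]))
            relays.append(Relay(fields[1], ip, int(fields[-2]), int(fields[-1])))
        except ValueError:
            continue  # malformed line: skip rather than guess
    return relays


def relays_on_port(relays: list[Relay], port: int = 22) -> list[Relay]:
    """Wider than the grep in the thread: ORPort *or* DirPort equal to port."""
    return [r for r in relays if port in (r.or_port, r.dir_port)]


IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
REPORT_LINE = re.compile(
    r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\w+)\s+(?:([\w-]+)\s+)?"   # idx, datetime, action, class?
    + IPV4 + r"\s+(\d+)\s+(?:(TCP|UDP)\s+)?"                # src ip, src port, proto?
    + IPV4 + r"\s+(\d+)\s*$"                                # dst ip, dst port
)


def parse_report(text: str) -> list[dict]:
    rows = []
    for line in text.splitlines():
        m = REPORT_LINE.match(line)
        if m:
            _idx, when, action, cls, src, sport, proto, dst, dport = m.groups()
            rows.append({"when": when, "action": action, "class": cls, "src": src,
                         "sport": int(sport), "proto": proto, "dst": dst, "dport": int(dport)})
    return rows


def classify_report(report: str, consensus: str) -> list[tuple[str, bool]]:
    """(source IP, source is a listed Tor relay) for each report row."""
    relay_ips = {r.ip for r in parse_consensus(consensus)}
    return [(row["src"], row["src"] in relay_ips) for row in parse_report(report)]


def render_nft_table(excluded_ips: list[str]) -> str:
    """nftables table counting inbound SYN-ACKs with source port 22 (backscatter
    from hosts that received SYNs forged with our address), minus relays that
    legitimately answer on 22.  Uses the flags & mask == value form, which every
    nft release understands."""
    lines = ["table ip accounting {"]
    match = ""
    if excluded_ips:
        lines += ["    set tor_ssh_relays {", "        type ipv4_addr",
                  f"        elements = {{ {', '.join(sorted(excluded_ips))} }}", "    }"]
        match = " ip saddr != @tor_ssh_relays"
    lines += ["    chain input {",
              "        type filter hook input priority filter; policy accept;",
              f"        tcp sport 22 tcp flags & (syn | ack) == syn | ack{match} counter"
              ' comment "SYN-ACK backscatter"',
              "    }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for src, is_relay in classify_report(SAMPLE_REPORT, SAMPLE_CONSENSUS):
        print(f"{src:15} {'listed Tor relay: consistent with spoofing' if is_relay else 'not a relay'}")
    print(render_nft_table([r.ip for r in relays_on_port(parse_consensus(SAMPLE_CONSENSUS))]))
```

Feed the rendered table to `nft -f -` on the relay and read the counter back with `nft list table ip accounting`; the set should be regenerated whenever the consensus changes, since the port-22 relay list is small and does change.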


[tor-relays] Re: Update: Tor relays source IPs spoofed to mass-scan port 22

2024-11-08 Thread tor-operator
gus :

> I'm writing to share that the origin of the spoofed packets has been
> identified and successfully shut down today, thanks to the assistance
> from Andrew Morris at GreyNoise and anonymous contributors.

Are you sure that it has been effectively shut down? We're still
receiving spoofed packets with IP addresses of Tor relays set as source
after this message has been posted. We've also received more "reports"
from the same newbies after this message was posted.

Our traps even see packets with the IP addresses of Tor relays that are
in the same subnet.

So far we've been able to trace this to a certain peer, we'll be
monitoring.


[tor-relays] Re: Update: Tor relays source IPs spoofed to mass-scan port 22

2024-11-08 Thread tor-relays+tor-relays



On 8/11/24 08:47, tor-relays+tor-rel...@queer.cat wrote:



On 8/11/24 03:14, Red Oaive via tor-relays wrote:
I just reset my SYN-ACK detection nft counter and it's still showing 
activity:


   tcp sport 22 tcp flags == 0x12 counter packets 9 bytes 504


This rule will also count SYN-ACKs sent from your own server to bots 
trying to connect to your SSH on port 22.


To get the right count for the SYN-ACKs coming back from the spoofed 
packets, you’ll want to exclude your own IP address. You can do that 
like this:


tcp sport 22 tcp flags syn,ack / syn,ack ip saddr != 172.16.254.1 counter


Oops, I sent that email before my morning coffee kicked in! You don’t 
need to worry about excluding your own IP address in the input chain. 
But definitely make sure to exclude the IPs of other Tor relays 
listening on port 22. That could be why you’re seeing those counters go up.




Just swap out 172.16.254.1 with the IP address of your Tor relay.



That was in five minutes.

On 2024-11-08 03:03, Red Oaive wrote:
Thank you for your efforts, and for the efforts of the anonymous 
contributors!  And let me second the motion requesting (much) more 
information about the perps.


Do we know the full impact though?  The vast majority of relay 
operators seem not to be on the mailing list.  What are the actual 
numbers on how many relays went dark in that period?  I think this is 
a number that would be good to know.  Marie lost 10 IONOS VPSs in one 
shot, and only two are back. Another 10 or so IONOS servers went dark 
at that same time and are still not back.


More than the number of servers lost, it was shown that it's quite 
possible to discredit with an IP spoof.  Given that the effect of 
this should have been exactly zero, I'd (unfortunately) call their 
operation surprisingly successful.


Information and education are the best weapons against any sort of 
discredit attack. I recommend an official educational blog entry from 
the project if (when?) this happens again in the future.  Or was 
there one and I'm just not aware of it?  This is valuable if nothing 
else to reassure relay operators that the project has their backs as 
much as possible and is willing to go to bat for them.


Marie, if you're still on the list, do you want to speak toward your 
efforts to get your shut down servers back?  You are, to my 
knowledge, the person who lost the most in one shot to this.


On 2024-11-07 14:49, gus wrote:

Hello everyone,

I'm writing to share that the origin of the spoofed packets has been
identified and successfully shut down today, thanks to the assistance
from Andrew Morris at GreyNoise and anonymous contributors.

I want to give special thanks to the members of our community who have
dedicated their time and efforts to track down the perpetrators of this
attack.

Although this fake abuse incident had minimal impact on the network --
temporarily taking only a few relays offline -- it has been a
frustrating issue for many relay operators. However, I want to reassure
everyone that this disruption had no effect on Tor users whatsoever.

We're incredibly fortunate to have such a skilled and committed group of
relay operators standing with Tor.

Thank you all for your resilience, ongoing support and for making the
Tor network possible by running relays.

Gus


[tor-relays] Re: Update: Tor relays source IPs spoofed to mass-scan port 22

2024-11-08 Thread marie
My efforts to get them back are/were pretty low; it's not much effort 
for me to set up new relays. The support also didn't give me much 
information, so I just created new relays at Strato, but they are in the 
same datacenter as the IONOS ones. I'm now checking out other providers 
for more relays. Maybe it was also some combination of other factors why 
they shut down my servers; I had like 13 of the 1€/month ones, could be 
that it looked like abuse to them.


On 08.11.24 08:03, Red Oaive wrote:
Thank you for your efforts, and for the efforts of the anonymous 
contributors!  And let me second the motion requesting (much) more 
information about the perps.


Do we know the full impact though?  The vast majority of relay 
operators seem not to be on the mailing list.  What are the actual 
numbers on how many relays went dark in that period?  I think this is 
a number that would be good to know.  Marie lost 10 IONOS VPSs in one 
shot, and only two are back. Another 10 or so IONOS servers went dark 
at that same time and are still not back.


More than the number of servers lost, it was shown that it's quite 
possible to discredit with an IP spoof.  Given that the effect of this 
should have been exactly zero, I'd (unfortunately) call their 
operation surprisingly successful.


Information and education are the best weapons against any sort of 
discredit attack. I recommend an official educational blog entry from 
the project if (when?) this happens again in the future.  Or was there 
one and I'm just not aware of it?  This is valuable if nothing else to 
reassure relay operators that the project has their backs as much as 
possible and is willing to go to bat for them.


Marie, if you're still on the list, do you want to speak toward your 
efforts to get your shut down servers back?  You are, to my knowledge, 
the person who lost the most in one shot to this.


On 2024-11-07 14:49, gus wrote:

Hello everyone,

I'm writing to share that the origin of the spoofed packets has been
identified and successfully shut down today, thanks to the assistance
from Andrew Morris at GreyNoise and anonymous contributors.

I want to give special thanks to the members of our community who have
dedicated their time and efforts to track down the perpetrators of this
attack.

Although this fake abuse incident had minimal impact on the network --
temporarily taking only a few relays offline -- it has been a
frustrating issue for many relay operators. However, I want to reassure
everyone that this disruption had no effect on Tor users whatsoever.

We're incredibly fortunate to have such a skilled and committed group of
relay operators standing with Tor.

Thank you all for your resilience, ongoing support and for making the
Tor network possible by running relays.

Gus


[tor-relays] Re: Update: Tor relays source IPs spoofed to mass-scan port 22

2024-11-08 Thread tor-relays+tor-relays



On 8/11/24 03:14, Red Oaive via tor-relays wrote:
I just reset my SYN-ACK detection nft counter and it's still showing 
activity:


   tcp sport 22 tcp flags == 0x12 counter packets 9 bytes 504


This rule will also count SYN-ACKs sent from your own server to bots 
trying to connect to your SSH on port 22.


To get the right count for the SYN-ACKs coming back from the spoofed 
packets, you’ll want to exclude your own IP address. You can do that 
like this:


tcp sport 22 tcp flags syn,ack / syn,ack ip saddr != 172.16.254.1 counter

Just swap out 172.16.254.1 with the IP address of your Tor relay.



That was in five minutes.

On 2024-11-08 03:03, Red Oaive wrote:
Thank you for your efforts, and for the efforts of the anonymous 
contributors!  And let me second the motion requesting (much) more 
information about the perps.


Do we know the full impact though?  The vast majority of relay 
operators seem not to be on the mailing list.  What are the actual 
numbers on how many relays went dark in that period?  I think this is 
a number that would be good to know.  Marie lost 10 IONOS VPSs in one 
shot, and only two are back. Another 10 or so IONOS servers went dark 
at that same time and are still not back.


More than the number of servers lost, it was shown that it's quite 
possible to discredit with an IP spoof.  Given that the effect of this 
should have been exactly zero, I'd (unfortunately) call their 
operation surprisingly successful.


Information and education are the best weapons against any sort of 
discredit attack. I recommend an official educational blog entry from 
the project if (when?) this happens again in the future.  Or was there 
one and I'm just not aware of it?  This is valuable if nothing else to 
reassure relay operators that the project has their backs as much as 
possible and is willing to go to bat for them.


Marie, if you're still on the list, do you want to speak toward your 
efforts to get your shut down servers back?  You are, to my knowledge, 
the person who lost the most in one shot to this.


On 2024-11-07 14:49, gus wrote:

Hello everyone,

I'm writing to share that the origin of the spoofed packets has been
identified and successfully shut down today, thanks to the assistance
from Andrew Morris at GreyNoise and anonymous contributors.

I want to give special thanks to the members of our community who have
dedicated their time and efforts to track down the perpetrators of this
attack.

Although this fake abuse incident had minimal impact on the network --
temporarily taking only a few relays offline -- it has been a
frustrating issue for many relay operators. However, I want to reassure
everyone that this disruption had no effect on Tor users whatsoever.

We're incredibly fortunate to have such a skilled and committed group of
relay operators standing with Tor.

Thank you all for your resilience, ongoing support and for making the
Tor network possible by running relays.

Gus


[tor-relays] Re: Update: Tor relays source IPs spoofed to mass-scan port 22

2024-11-08 Thread Red Oaive via tor-relays
I just reset my SYN-ACK detection nft counter and it's still showing 
activity:


  tcp sport 22 tcp flags == 0x12 counter packets 9 bytes 504

That was in five minutes.

On 2024-11-08 03:03, Red Oaive wrote:
Thank you for your efforts, and for the efforts of the anonymous 
contributors!  And let me second the motion requesting (much) more 
information about the perps.


Do we know the full impact though?  The vast majority of relay 
operators seem not to be on the mailing list.  What are the actual 
numbers on how many relays went dark in that period?  I think this is a 
number that would be good to know.  Marie lost 10 IONOS VPSs in one 
shot, and only two are back. Another 10 or so IONOS servers went dark 
at that same time and are still not back.


More than the number of servers lost, it was shown that it's quite 
possible to discredit with an IP spoof.  Given that the effect of this 
should have been exactly zero, I'd (unfortunately) call their operation 
surprisingly successful.


Information and education are the best weapons against any sort of 
discredit attack. I recommend an official educational blog entry from 
the project if (when?) this happens again in the future.  Or was there 
one and I'm just not aware of it?  This is valuable if nothing else to 
reassure relay operators that the project has their backs as much as 
possible and is willing to go to bat for them.


Marie, if you're still on the list, do you want to speak toward your 
efforts to get your shut down servers back?  You are, to my knowledge, 
the person who lost the most in one shot to this.


On 2024-11-07 14:49, gus wrote:

Hello everyone,

I'm writing to share that the origin of the spoofed packets has been
identified and successfully shut down today, thanks to the assistance
from Andrew Morris at GreyNoise and anonymous contributors.

I want to give special thanks to the members of our community who have
dedicated their time and efforts to track down the perpetrators of this
attack.

Although this fake abuse incident had minimal impact on the network --
temporarily taking only a few relays offline -- it has been a
frustrating issue for many relay operators. However, I want to reassure
everyone that this disruption had no effect on Tor users whatsoever.

We're incredibly fortunate to have such a skilled and committed group of
relay operators standing with Tor.

Thank you all for your resilience, ongoing support and for making the
Tor network possible by running relays.

Gus


[tor-relays] Re: Update: Tor relays source IPs spoofed to mass-scan port 22

2024-11-07 Thread Red Oaive via tor-relays
Thank you for your efforts, and for the efforts of the anonymous 
contributors!  And let me second the motion requesting (much) more 
information about the perps.


Do we know the full impact though?  The vast majority of relay operators 
seem not to be on the mailing list.  What are the actual numbers on how 
many relays went dark in that period?  I think this is a number that 
would be good to know.  Marie lost 10 IONOS VPSs in one shot, and only 
two are back. Another 10 or so IONOS servers went dark at that same time 
and are still not back.


More than the number of servers lost, it was shown that it's quite 
possible to discredit with an IP spoof.  Given that the effect of this 
should have been exactly zero, I'd (unfortunately) call their operation 
surprisingly successful.


Information and education are the best weapons against any sort of 
discredit attack. I recommend an official educational blog entry from 
the project if (when?) this happens again in the future.  Or was there 
one and I'm just not aware of it?  This is valuable if nothing else to 
reassure relay operators that the project has their backs as much as 
possible and is willing to go to bat for them.


Marie, if you're still on the list, do you want to speak toward your 
efforts to get your shut down servers back?  You are, to my knowledge, 
the person who lost the most in one shot to this.


On 2024-11-07 14:49, gus wrote:

Hello everyone,

I'm writing to share that the origin of the spoofed packets has been
identified and successfully shut down today, thanks to the assistance
from Andrew Morris at GreyNoise and anonymous contributors.

I want to give special thanks to the members of our community who have
dedicated their time and efforts to track down the perpetrators of this
attack.

Although this fake abuse incident had minimal impact on the network --
temporarily taking only a few relays offline -- it has been a
frustrating issue for many relay operators. However, I want to reassure
everyone that this disruption had no effect on Tor users whatsoever.

We're incredibly fortunate to have such a skilled and committed group of
relay operators standing with Tor.

Thank you all for your resilience, ongoing support and for making the
Tor network possible by running relays.

Gus


[tor-relays] Re: Update: Tor relays source IPs spoofed to mass-scan port 22

2024-11-07 Thread Ralph Seichter via tor-relays
* Roger Dingledine:

> We should expect some more days of fallout, while mistaken abuse
> complaints are still being processed by various hosters.

You called it. Mere minutes ago, Hetzner forwarded another complaint,
for a grand total of 9 (yes, nine, what a gruesome level of abuse)
spoofed connection attempts over the course of November 5 and 6.

The destination addresses were part of the known class C subnets already
reported here, and the source of the complaint was of course the
tireless dolts at watchdogcyberdefense.com. Unsurprisingly, I can't tell
if Hetzner is not done processing old complaints, or if the complaining
party is still generating fresh mail based on their accumulated backlog.

Apart from that: My thanks to everybody who helped clamping down on this.

-Ralph


[tor-relays] Re: Update: Tor relays source IPs spoofed to mass-scan port 22

2024-11-07 Thread Chris Enkidu-6
Hi Gus,

Would you please expand on that a bit please? Was it a single server, a
network of them, one provider or multiple of them, etc...?

I doubt this was the work of a single person simply because they were
bored. I'm assuming we should still keep a lookout for
them to simply rent a bunch of more servers and continue.

By the way, I just received two more abuse reports an hour ago regarding
scans that happened on Nov. 6 so this might hopefully be before the stop
of the attacks.

Thank you

Enkidu


On 11/7/2024 1:49 PM, gus wrote:
> Hello everyone,
>
> I'm writing to share that the origin of the spoofed packets has been
> identified and successfully shut down today, thanks to the assistance
> from Andrew Morris at GreyNoise and anonymous contributors.
>
> I want to give special thanks to the members of our community who have
> dedicated their time and efforts to track down the perpetrators of this
> attack. 
>
> Although this fake abuse incident had minimal impact on the network --
> temporarily taking only a few relays offline -- it has been a
> frustrating issue for many relay operators. However, I want to reassure
> everyone that this disruption had no effect on Tor users whatsoever.
>
> We're incredibly fortunate to have such a skilled and committed group of
> relay operators standing with Tor.
>
> Thank you all for your resilience, ongoing support and for making the
> Tor network possible by running relays.
>
> Gus


[tor-relays] Re: Update: Tor relays source IPs spoofed to mass-scan port 22

2024-11-07 Thread Roger Dingledine
On Thu, Nov 07, 2024 at 03:49:37PM -0300, gus wrote:
> I'm writing to share that the origin of the spoofed packets has been
> identified and successfully shut down today, thanks to the assistance
> from Andrew Morris at GreyNoise and anonymous contributors.

Yay. Thanks Gus, and especially thanks Andrew.

We should expect some more days of fallout, while mistaken abuse
complaints are still being processed by various hosters. That is, if
you get a complaint from your hoster tomorrow, be sure to check the
timestamp before worrying that there is some new variant of the attack.

That said, everybody please do keep watch for some future variation of
this attack. All the attack needs is a hosting provider that doesn't do
egress filtering, i.e. that lets its users pretend to be anybody anywhere
on the internet. Those hosting providers are supposed to be gone from
the world decades ago, but well, the world is flawed in many ways and
this isn't the worst of them. :) At least if it happens again soon,
many people understand the attack now and they will be ready to track
it down quickly again.

--Roger



[tor-relays] Re: Update: Tor relays source IPs spoofed to mass-scan port 22

2024-11-07 Thread Tor Gateplanets via tor-relays
That's great news!  Kudos to all who helped track this down.

On Thu, Nov 7, 2024, at 12:49 PM, gus wrote:
> Hello everyone,
> 
> I'm writing to share that the origin of the spoofed packets has been
> identified and successfully shut down today, thanks to the assistance
> from Andrew Morris at GreyNoise and anonymous contributors.
> 
> I want to give special thanks to the members of our community who have
> dedicated their time and efforts to track down the perpetrators of this
> attack. 
> 
> Although this fake abuse incident had minimal impact on the network --
> temporarily taking only a few relays offline -- it has been a
> frustrating issue for many relay operators. However, I want to reassure
> everyone that this disruption had no effect on Tor users whatsoever.
> 
> We're incredibly fortunate to have such a skilled and committed group of
> relay operators standing with Tor.
> 
> Thank you all for your resilience, ongoing support and for making the
> Tor network possible by running relays.
> 
> Gus
> -- 
> The Tor Project
> Community Team Lead
> 