I got a *bunch* (harassment-level) of telephone calls from my ISP similar to this. They refused to do anything by email, and wouldn't tell me anything more about the supposed port-scanning attacks. They just kept asking me to "make sure Windows and my router firmware were up to date." (No Windows, no router.) They kept saying that I was port-scanning a machine in the 10.x address space. When I finally got someone who knew enough to know that wasn't a routable address, they *still* couldn't tell me anything about the nature of the complaint. I finally had to threaten legal action, at which point they *still* refused to disclose anything about the complaint, but at least stopped calling me. The *hours* on the phone revealed only two things: the complaint was originating from somewhere in the Chicago (US) area, and the "port" I was "scanning" was always 9002.
My relay was also a non-exit. Needless to say, I was monitoring my network traffic and there was no "port scanning" going on. My best guess is that some kindergartener in a sysadmin suit (or incompetent security suite vendor, if that's not redundant) configured a firewall to automatically report accesses via port 9002 as port scanning and they have a relay behind said firewall. As much as I would have welcomed the opportunity to educate and assist the operator of this misconfigured security system, my ISP would never divulge any contact information.

Just a data point.

--Ron

> On May 3, 2020, at 14:15, <[email protected]> <[email protected]> wrote:
>
> That is really unhelpful of them to state Type of Attack/Scan: Generic
> Hosts: 10.10.10.182 which is non-routable address. Something on their LAN is
> wrong. You cannot even respond by blocking their actual WAN IP in torrc.
>
> Ask for the real WAN IP of their network so you can block the attack
>
> -----Original Message-----
> From: tor-relays <[email protected]> On Behalf Of
> [email protected]
> Sent: 03 May 2020 21:16
> To: [email protected]
> Subject: [tor-relays] Again: abuse email for non-exit relay (masergy)
>
> Hi,
>
> got multiple abuse in the last 2 weeks.
>
> 2 relays with 2 IP run on the server. Someone is always hammering my OR port
> on one IP. (37.157.255.118:9002)
> https://metrics.torproject.org/rs.html#details/BD2A34ADE4E603A272FAAD23AEF389801BB223BB
> https://metrics.torproject.org/rs.html#details/8EE44717FA55705C12086F3ECD1F8D9C8676FD05
>
> What can I do?
>
> Found that in the archive:
> https://lists.torproject.org/pipermail/tor-relays/2017-September/013030.html
>
> the 5th complaint:
> ##############################################################################################################
>
> To Whom it May Concern,
>
> You have a system on your network that is actively scanning and/or
> attacking external sites on the Internet. This can come from many
> sources and because it is often difficult to detect this activity, we
> are sending this E-mail in an attempt to help you solve the problem.
>
> We have detected your system with an IP of, 37.157.255.118, scanning a
> client we monitor. This was not a short attack but a prolonged scan
> and/or probe that was designed to find and intrude into the target
> network.
>
> This may be someone on your network who is actively trying to hack
> others. This person may be a legitimate user on your network or it may
> be that this system has been compromised and is being used by someone to
> hack others. It is also likely that the system is running automated
> tools that have been installed to perform these actions without any
> human intervention.
>
> Below is the information about the attack. Keep in mind that the source
> IP of our client has been sanitized for anonymity.
>
> Date: 04/30/2020
> Time: 11:05:37
> Time Zone: America/Chicago
> Source(s): 37.157.255.118
> Type of Attack/Scan: Generic
> Hosts: 10.10.10.182
> Log:
>
> 37.157.255.118:9002 > 10.10.10.182:24562
>
> Possible Cause:
>
> Thank you for your attention to this matter,
>
> Masergy
> email: [email protected]
>
> --
> ╰_╯ Ciao Marco!
>
> Debian GNU/Linux
>
> It's free software and it gives you freedom!

_______________________________________________
tor-relays mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
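
Added example, not part of the original message or of any Tor Project tooling: a small triage helper a relay operator could run over the Log section of a complaint like the one quoted above. It is a heuristic only; it reports whether every flow attributed to the relay has a listening port (here the ORPort 9002) as its source port, whether the reported targets are RFC 1918 addresses, and how many distinct target ports appear. The function names and the second sample log (documentation addresses) are constructed for illustration.

```python
import ipaddress
import re

# "src:port > dst:port" pairs as they appear in the report's Log section.
FLOW_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\s*>\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Log excerpt from the complaint quoted above.
REPORT = """Source(s): 37.157.255.118
Hosts: 10.10.10.182
Log:
37.157.255.118:9002 > 10.10.10.182:24562
"""
# Constructed contrast: changing source ports, many target ports.
SCAN = """192.0.2.10:40001 > 198.51.100.7:22
192.0.2.10:40002 > 198.51.100.7:23
192.0.2.10:40003 > 198.51.100.7:80
"""

def parse_flows(text):
    """Return (src_ip, src_port, dst_ip, dst_port) for each valid log line."""
    flows = []
    for s_ip, s_port, d_ip, d_port in FLOW_RE.findall(text):
        try:
            src, dst = ipaddress.ip_address(s_ip), ipaddress.ip_address(d_ip)
        except ValueError:
            continue  # e.g. an octet above 255
        if int(s_port) <= 65535 and int(d_port) <= 65535:
            flows.append((src, int(s_port), dst, int(d_port)))
    return flows

def triage(text, relay_ip, listen_ports):
    """Summarise the flows a report attributes to relay_ip."""
    relay = ipaddress.ip_address(relay_ip)
    flows = [f for f in parse_flows(text) if f[0] == relay]
    from_listener = [f for f in flows if f[1] in listen_ports]
    return {
        "flows": len(flows),
        # Source port equal to a listening port is consistent with traffic
        # sent by the listening service, not with outbound probing.
        "from_listening_port": len(from_listener),
        "rfc1918_targets": sorted({str(f[2]) for f in flows
                                   if any(f[2] in n for n in RFC1918)}),
        "distinct_target_ports": len({f[3] for f in flows}),
        "only_listener_traffic": bool(flows) and len(from_listener) == len(flows),
    }

if __name__ == "__main__":
    print(triage(REPORT, "37.157.255.118", {9002}))
    print(triage(SCAN, "192.0.2.10", {9002}))
```
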
