On 2024-11-08 08:47, tor-relays+tor-rel...@queer.cat wrote:
> This rule will also count SYN-ACKs sent from your own server to bots
> trying to connect to your SSH on port 22.
The rule is on the source port = 22, not the destination port = 22.
Incoming bot connections will not have a sport = 22.
It is also in a chain hooked only to input packets and will not trigger
on outgoing packets.
~# nft list table ip accounting
table ip accounting {
	chain input {
		type filter hook input priority filter; policy accept;
		...
		tcp sport 22 tcp flags == 0x12 counter packets 210 bytes 12360
	}
My ssh service is anyway behind knockd, so my machine will never send
out SYN-ACKs. The knockd ssh rule is reject, so it will only send
out RSTs.
Also, these have to be coming from more than one source. The byte count
is not an even multiple of the number of packets, meaning that there are
almost assuredly different sources with different stack configurations.
I assess the rule is correctly configured to detect only incoming
SYN-ACKs and that I am seeing SYN-ACKs from multiple machines that were
targeted with SYNs spoofing my IP.
I am seeing this behavior on a friend's VPS with a newly created relay.
None of my more public-facing VPSs that are not involved in Tor are
seeing these.
I would encourage everyone to add the above table and rule so we can
assess how much SYN spoofing is still going on. So far spoofing now seems
reduced in intensity but still occurring. But my data points are few,
so more data points, and from more established servers than mine, would be
valuable.
Oaive
_______________________________________________
tor-relays mailing list -- tor-relays@lists.torproject.org
To unsubscribe send an email to tor-relays-le...@lists.torproject.org
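An added example, not part of the thread and not anything the poster ran: a small Python script that reproduces what the nft counter rule above sees (incoming packets with tcp sport 22 and tcp flags == 0x12) and then goes one step further than a stateless counter can. It tracks the host's own outbound SYNs so that an incoming SYN-ACK can be classified as a solicited reply or as backscatter from a SYN that carried this host's address but was sent by someone else, and it automates the byte-count arithmetic the mail does by hand. The addresses and packet records are constructed for illustration; the `Pkt` record and all function names are this example's own.

```python
"""Constructed example (not from the thread): classify incoming SYN-ACKs on a host.

The nft rule posted in the mail counts every incoming packet with tcp sport 22
and tcp flags == 0x12 (exactly SYN+ACK). It cannot tell a reply to a SYN this
host really sent from backscatter caused by someone spoofing this host's
address in SYNs to other machines' port 22. This script adds that distinction
by tracking the host's own outbound SYNs, and also automates the byte-count
check from the mail (packets whose sizes differ point to more than one source
stack). All addresses and packet records below are constructed.
"""
from collections import Counter, namedtuple

# TCP flag bits as nft sees them
SYN, RST, ACK = 0x02, 0x04, 0x10
SYN_ACK = SYN | ACK  # 0x12, the value the nft rule matches with "tcp flags == 0x12"

Pkt = namedtuple("Pkt", "direction src sport dst dport flags length")

OUR_IP = "198.51.100.7"  # constructed: this host's address (TEST-NET-2 range)

# Constructed capture. Directions are relative to this host.
SAMPLE = [
    # 1. SYN we really sent to a remote sshd, and its legitimate SYN-ACK reply
    Pkt("out", OUR_IP, 40001, "203.0.113.10", 22, SYN, 60),
    Pkt("in", "203.0.113.10", 22, OUR_IP, 40001, SYN_ACK, 60),
    # 2. a bot probing our port 22; a reject rule answers with RST. Neither
    #    packet has sport 22 AND flags == SYN_ACK, so neither hits the nft rule.
    Pkt("in", "203.0.113.50", 51234, OUR_IP, 22, SYN, 60),
    Pkt("out", OUR_IP, 22, "203.0.113.50", 51234, RST | ACK, 40),
    # 3. backscatter: SYN-ACKs from port 22 of hosts we never sent a SYN to,
    #    i.e. someone sent those hosts SYNs with our address as the source
    Pkt("in", "192.0.2.11", 22, OUR_IP, 13337, SYN_ACK, 60),
    Pkt("in", "192.0.2.12", 22, OUR_IP, 13338, SYN_ACK, 52),
    Pkt("in", "192.0.2.13", 22, OUR_IP, 13339, SYN_ACK, 64),
]


def nft_style_count(pkts, sport=22):
    """What the thread's counter rule sees: (packets, bytes) of incoming packets
    with tcp sport == `sport` and tcp flags exactly SYN+ACK."""
    hits = [p for p in pkts if p.direction == "in" and p.sport == sport and p.flags == SYN_ACK]
    return len(hits), sum(p.length for p in hits)


def classify_syn_acks(pkts, our_ip=OUR_IP, sport=22):
    """Split incoming SYN-ACKs from `sport` into solicited replies and backscatter.

    A SYN-ACK is solicited only if this host earlier sent a SYN from the same
    local port to the same remote (address, port). Everything else is a reply
    to a SYN that carried our address but did not come from us."""
    outstanding = set()  # (remote_ip, remote_port, local_port) of SYNs we sent
    solicited, backscatter = [], []
    for p in pkts:
        if p.direction == "out" and p.src == our_ip and p.flags == SYN:
            outstanding.add((p.dst, p.dport, p.sport))
        elif p.direction == "in" and p.dst == our_ip and p.sport == sport and p.flags == SYN_ACK:
            key = (p.src, p.sport, p.dport)
            if key in outstanding:
                outstanding.discard(key)
                solicited.append(p)
            else:
                backscatter.append(p)
    return solicited, backscatter


def summarize_backscatter(pkts):
    """Per-source and per-size view of the backscatter, plus the arithmetic
    check from the mail. Note the direction of that inference: bytes not being
    a multiple of packets proves that sizes differ; the converse does not hold,
    so the distinct-size count is the more reliable indicator."""
    _, bs = classify_syn_acks(pkts)
    total_bytes = sum(p.length for p in bs)
    return {
        "packets": len(bs),
        "bytes": total_bytes,
        "sources": len({p.src for p in bs}),
        "distinct_sizes": len(Counter(p.length for p in bs)),
        "bytes_divisible_by_packets": bool(bs) and total_bytes % len(bs) == 0,
    }


if __name__ == "__main__":
    print("nft-style counter (packets, bytes):", nft_style_count(SAMPLE))
    sol, bs = classify_syn_acks(SAMPLE)
    print("solicited SYN-ACKs:", len(sol), " backscatter SYN-ACKs:", len(bs))
    for p in bs:
        print(f"  backscatter from {p.src}:{p.sport} -> :{p.dport}, {p.length} bytes")
    print(summarize_backscatter(SAMPLE))
```

On the constructed capture the nft-style counter reports 4 packets, but only 3 of them are backscatter; the fourth is the reply to a SYN the host itself sent. On a real relay the same state tracking can be done with a conntrack-aware rule (match `ct state new` on incoming SYN-ACKs) rather than in user space; the script exists to make the reasoning explicit, not to replace the counter.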