tor-relays October 2024

tor-relays@lists.torproject.org

34 participants
19 discussions

Tor relays source IPs spoofed to mass-scan port 22?
by Pierre Bourdon 06 Nov '24

06 Nov '24

Hi relay ops, A few hours ago I received a forwarded abuse report from Hetzner for one of my machines running a Tor relay (not exit). Some random ISP was claiming I was sending SSH connections to them, and at first I couldn't find any corroborating evidence in my own network logs and I was ready to dismiss it. But then I noticed that there is in fact something weird: all 4 of my machines running Tor relays are seeing *return* TCP traffic (RSTs or SYN-ACKs) from port 22 from various machines all over the world, at a very low rate. Kind of like someone spoofing source IPs to send SYNs everywhere. I can't figure out at all whether that's actually what's happening and what the intent would be though. Some tcpdumps showing random RSTs coming back to my machines running relays (with no traffic being initiated by said machines beforehand): 04:19:14.705034 IP 198.30.233.69.22 > 172.105.199.155.39998: Flags [R.], seq 0, ack 171173954, win 0, length 0 04:20:15.135733 IP 124.198.33.196.22 > 172.105.199.155.23506: Flags [R.], seq 0, ack 1985822135, win 0, length 0 04:21:30.222739 IP 223.29.149.158.22 > 172.105.199.155.27507: Flags [R.], seq 0, ack 3614869158, win 0, length 0 04:14:25.286063 IP 45.187.212.68.22 > 195.201.9.37.59639: Flags [R.], seq 0, ack 41396686, win 0, length 0 04:14:25.291455 IP 107.152.7.33.22 > 195.201.9.37.39793: Flags [R.], seq 0, ack 1391844539, win 0, length 0 04:14:25.322255 IP 107.91.78.158.22 > 195.201.9.37.48900: Flags [R.], seq 0, ack 1434896088, win 65535, length 0 04:12:39.470366 IP 121.150.242.252.22 > 77.109.152.87.57627: Flags [R.], seq 0, ack 2452733863, win 0, length 0 04:13:05.549920 IP 46.188.201.102.22 > 77.109.152.87.9999: Flags [R.], seq 0, ack 3253922544, win 0, length 0 04:14:33.027326 IP 1.1.195.62.22 > 77.109.152.87.52448: Flags [R.], seq 0, ack 351972505, win 0, length 0 By any chance, any other relay ops seeing the same thing, or am I just going crazy? (it does kind of sound insane...) Any speculation as to the reason for this? Best, -- Pierre Bourdon <delroth(a)gmail.com> Software Engineer @ Zürich, Switzerland https://delroth.net/

20 32

Please check if your relay has fallen out of the consensus
by Roger Dingledine 02 Nov '24

02 Nov '24

Hi folks! We're hunting down a mystery where two of our big university relays are having troubles reaching the Tor directory authorities: https://gitlab.torproject.org/tpo/network-health/analysis/-/issues/86 Can you check to see if your relay is in a similar situation? In particular, the situation to look for is "Tor process is still running fine from your perspective, but, relay-search (https://atlas.torproject.org/) says you are no longer running." If your relay is in this situation, the next step is to check your Tor logs, try to rule out other issues like firewall rules on your side, and then (if you're able) to start exploring traceroutes to the directory authority IP addresses vs other addresses. If you need more direct help, we can help you debug or answer other questions on #tor-relays on IRC. Thanks, --Roger

5 7

"When you pay peanuts, you get monkeys"
by mick 01 Nov '24

01 Nov '24

Hi there. I found the title of the above blog post highly ironic. I run a Tor relay (middle and guard node). You appear to be sending automated "abuse" reports to other ISPS as a result of what is obviously (well obvious to anyone who studies the network traffic properly) spoofed source address connections to SSH port 22 on random servers around the net. These "abuse" reports cause the ISP hosting the /real/ address of the spoofed server to do one of two things. Either they just pass the report on to the server admin for investigation, or they simply shut down the srevr in question and lock the account of the operator. In either case the perfectly innocent Tor server admin is highly inconvenienced and the bad actor(s) doing the spoofing scans get the Tor relay addresses blacklisted. This is detrimental to the health of the Tor network. Please look carefully at your automated abuse reporting system and add some intelligence to it - preferably by getting a properly skilled network administrator to look at the traffic /before/ firing off a spurious report. (Oh and BTW, SSH scanning at scale is so much part of the background noise on the 'net that I am astounded that you should pay much attention to it at all. I don't.) Best Mick --------------------------------------------------------------------- Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 blog: baldric.net ---------------------------------------------------------------------

2 2

Re: [tor-relays] Tor relays source IPs spoofed to mass-scan port 22?
by Carlo P. 31 Oct '24

31 Oct '24

Just received today two abuse tickets... On October 31, 2024 at 9:29 AM, Pierre Bourdon <delroth(a)gmail.com> wrote: On Tue, Oct 29, 2024, 03:33 Pierre Bourdon <delroth(a)gmail.com> wrote: By any chance, any other relay ops seeing the same thing, or am I just going crazy? (it does kind of sound insane...) Any speculation as to the reason for this? My own write-up and explanation (and speculation) is available at https://delroth.net/posts/spoofed-mass-scan-abuse/ as a reference. I've had a few people email me saying they had the same scare moment after getting an abuse report and they ended up finding my article, so I'd like to think it's already helped a bit! I also received an email today from Hetzner's legal team saying that they have read my article (props on them, I didn't send it to them myself!). They are monitoring the situation on their side and emphasized that they do not usually take action on this kind of reports they have recently been forwarding to Tor relay operators. So at least for others hosting relays at Hetzner I don't think it's worth worrying too much. For other hosting providers, your mileage may vary. _______________________________________________ tor-relays mailing list tor-relays(a)lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays -- Sent with https://mailfence.com Secure and private email

1 0

[tor-project] Reminder: mailman 3 upgrade imminent (TPA-RFC-71)
by Antoine Beaupré 29 Oct '24

29 Oct '24

Hi, As mentioned in early October, we're in the process of upgrading our main mail server, which includes upgrading to the shiny new Mailman 3 platform. We have, right now, a prototype mailman 3 server available at: https://lists-01.torproject.org/ It's hidden behind the usual "trivial" authentication (ask us on IRC if you don't remember what it is), but should otherwise work normally. I'm going to start by migrating the TPA mailing list and we'll be testing this for a couple of days, but, next week, I'll start migrating the other mailing lists (including this one!). If people want to jump in front of that train early and be part of the beta testers, then by all means I'm happy to have your mailing list be part of the early adopters. Be warned that Mailman 3 is a significant upgrade from Mailman 2. There are some great things (like unified authentication), and some less great things (like a more complex design and "shinier" web interface that might not be everyone's taste). As a reminder, we're doing this upgrade a little rushed because the main mail server is now unsupported for security upgrades. See the details of the proposal here: https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/tpa-rfc-71-emerge… ... with the milestone tracking actual work issues in: https://gitlab.torproject.org/groups/tpo/tpa/-/milestones/16 (Sorry for cross-posting this, but this seems like it warrants wider distribution. As a rule of thumb, I selected mailing lists with public archives that had posts in October 2024, removing duplicates like anti-censorship-team and -alerts. I also suspect many of those mailing lists will refuse my message because I'm not subscribed, but I will have tried. :)) Phew! a. -- Antoine Beaupré torproject.org system administration _______________________________________________ tor-project mailing list tor-project(a)lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project

1 0

Re: [tor-relays] Please check if your relay has fallen out of the consensus
by denny.obreham＠a-n-o-n-y-m-e.net 28 Oct '24

28 Oct '24

As an update, once I showed the link from OONI to my ISP, they offered to move my server to another location at no charge. So the Tor server was moved from India to the UK. (Actually, I built a new one from scratch.) So I will mention here this ISP - Contabo.com - for their great customer service and understanding of what Tor represents. They have automatically and temporarily blocked my IP address - and informed me that they did - 2 or 3 times in the past because they felt it was under a DDoS attack, and I'm OK with that. At one point, communicating with their support team, one person even wrote this to me: We are glad to support your efforts in maintaining these relays, as they play a crucial role in fighting censorship and promoting internet freedom. Thank you for your ongoing trust and partnership. I initially chose them because they have few exit relays (only 12 as of today, 4 of them being mine, but there are about 100 other non-exit relays). With that kind of service, I'm wondering why they are not more popular for exit relays. Denny On 2024-10-22 15:41, tor-relays(a)queer.cat wrote: > > > On 22/10/24 12:08, denny.obreham(a)a-n-o-n-y-m-e.net wrote: >> I still haven't found a solution to my problem I stated earlier in my email with the subject "Exit relay not in consensus" https:// lists.torproject.org/pipermail/tor-relays/2024-October/021899.html <https://lists.torproject.org/pipermail/tor-relays/2024-October/021899. html> >> >> >> The most helpful answers were from Sebastian <https:// lists.torproject.org/pipermail/tor-relays/2024-October/021909.html> and George <https://lists.torproject.org/pipermail/tor-relays/2024- October/021918.html>. I contacted the ASN but never received a response. My ISP was useless as they jus t repeated "We don't block traffic." > > > Iâve gone through the original thread you shared and found an OONI result that supports the notion that your ASN (141995) is blocking Tor directory authorities. You can view the result here: > > https://explorer.ooni.org/m/20241001034902.297107_US_tor_d6973b06186ed4 3a > >> >> >> As of today, the server is still active and running. You can't find it in the metrics but it is still in the consensus <https://consensus- health.torproject.org/consensus-health.html? #7BDDE0E7607A5F49578768F44CD721793FA2D7AE>. >> >> >> I did not have much time lately and have no clue what I can do from this point forward. >> >> >> Denny >> >> >> On 2024-10-22 04:48, Roger Dingledine wrote: >> >> Hi folks! We're hunting down a mystery where two of our big university relays are having troubles reaching the Tor directory authorities: https://gitlab.torproject.org/tpo/network-health/analysis/-/issues/86 Can you check to see if your relay is in a similar situation? In particular, the situation to look for is "Tor process is still running fine from your perspective, but, relay-search (https:// atlas.torproject.org/) says you are no longer running." If your relay is in this situation, the next step is to check your Tor logs, try to rule out other issues like firewall rules on your side, and then (if you're able) to start exploring traceroutes to the directory authority IP addresses vs other addresses. If you need more direct help, we can help you debug or answer other questions on #tor-relays on IRC. Thanks, -- Roger _______________________________________________ tor-relays mailing list tor-relays(a)lists.torproject.org https://lists.torproject.org/cgi- bin/mailman/listinfo/tor-relays >> >> >> >> >> _______________________________________________ >> tor-relays mailing list >> tor-relays(a)lists.torproject.org >> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays >

2 1

Next Tor Relay Operator meetup - October 26th, 2024 at 1900 UTC
by gus 27 Oct '24

27 Oct '24

Dear operators, Save the date: the next Tor Relay Operator will happen Saturday, October 26th, 2024 at 19.00 UTC[1]! We're still working on the agenda for this meetup, however feel free to add your topics directly to the gitlab issue below or use the tor-relays mailing list: https://gitlab.torproject.org/tpo/community/relays/-/issues/100. ## Agenda 1. Announcements 2. Network Health updates - New proposal: Framework for running Tor Network Health investigations https://gitlab.torproject.org/tpo/community/policies/-/issues/25 3. OTF relay operator survey summary/presentation 4. Osservatorio Nessuno presentation - https://osservatorionessuno.org/ 5. Questions & Answers ## How to join us Meetup details: - Room link: https://tor.meet.coop/gus-og0-x74-dzn - When: Saturday, October 26th, 2024 - 19.00 UTC - Duration: 60 to 90 minutes - Tor Code of Conduct: https://community.torproject.org/policies/code_of_conduct/ - Registration: No need for a registration or anything else, just use the room-linkabove. We will open the room 10 minutes before. cheers, Gus [1] If you're confused about UTC and your timezone, @anarcat maintains a cool project called undertime - https://gitlab.com/anarcat/undertime -- The Tor Project Community Team Lead

3 4

DDOS mitigation with nftables
by Top 25 Oct '24

25 Oct '24

Hi all, My tor relays[1] traffic decreased a lot and I think this *might* be connected to some kind of DDOS attack. So I wanted to use this situation to set up some DDOS protection. For that I stumbled upon Enkidus tor DDOS mitigation script. [2] However, this script is made for `iptables`, not `nftables`. I use `firewalld` with `nftables` on my system, since this seems to be the new default. [3] I don't really know that much about firewalls, so this situation overwhelms me a bit. In the README of Enkidus rules it says: > Practically all linux systems come with iptables or more recently with nftables which basically does the same and more. So you won't need to install iptables. Just type iptables -V . If you see a version, you have it. The same with ipset . An ipset -v will do the job. In some rare cases you may not have ipset installed and installing it is as simple as apt-get ipset or yum install ipset or... This seems to imply that the script should work fine with `nftables` as well. This is also what Enkidu seems to state in a relevant gitlab issue: [4] > nftables interprets all the iptables rules just fine so the provided scripts will work regardless of which one you have. But it's not true! The script failed on my server, complaining that the `iptables` command couldn't be found (and no rules had been applied). So how can I apply proper DDOS protection firewall rules whilst using `nftables`? Is there some easy way to modify the script to make it work? Kind regards Top [1]: https://metrics.torproject.org/rs.html#search/toptor [2]: https://github.com/Enkidu-6/tor-ddos [3]: https://wiki.debian.org/nftables [4]: https://gitlab.torproject.org/tpo/community/support/-/issues/40093

6 8

Botnet targeting Tor relays
by anon＠kai.sx 24 Oct '24

24 Oct '24

Hello, I run several Linux root servers, spread over several providers, some of which serve as Tor relays. For a few weeks now I have been observing massive brute force attempts via SSH from hundreds of sources around the world. However, only the Tor relays are affected, the rest of the servers are not. Are other relay operators also observing something like this? Is there currently a botnet targeting Tor relays? Best, Kai.

7 7

Re: [tor-relays] Please check if your relay has fallen out of the consensus
by denny.obreham＠a-n-o-n-y-m-e.net 22 Oct '24

22 Oct '24

I still haven't found a solution to my problem I stated earlier in my email with the subject "Exit relay not in consensus" [1]https://lists.torproject.org/pipermail/tor-relays/2024-October/02189 9.html The most helpful answers were from [2]Sebastian and [3]George. I contacted the ASN but never received a response. My ISP was useless as they just repeated "We don't block traffic." As of today, the server is still active and running. You can't find it in the metrics but it is still in the [4]consensus. I did not have much time lately and have no clue what I can do from this point forward. Denny On 2024-10-22 04:48, Roger Dingledine wrote: Hi folks! We're hunting down a mystery where two of our big university relays are having troubles reaching the Tor directory authorities: https://gitlab.torproject.org/tpo/network-health/analysis/-/issues/86 Can you check to see if your relay is in a similar situation? In particular, the situation to look for is "Tor process is still running fine from your perspective, but, relay-search (https://atlas.torproject.org/) says you are no longer running." If your relay is in this situation, the next step is to check your Tor logs, try to rule out other issues like firewall rules on your side, and then (if you're able) to start exploring traceroutes to the directory authority IP addresses vs other addresses. If you need more direct help, we can help you debug or answer other questions on #tor-relays on IRC. Thanks, --Roger _______________________________________________ tor-relays mailing list tor-relays(a)lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-relays October 2024