By any chance did anyone recently also get an abuse report from "watchdogcyberdefense.com"?
Hetzner forwarded one to me claiming that my server has been ssh-scanning some random network, but uh, I've looked for a while and can't find any evidence of weirdness (granted, can't easily prove a negative). And that company seems awfully fishy in terms of online presence.
I'm half expecting it to be spam but I can't figure out what their strategy would be. Or incompetence perhaps?
Pierre Bourdon (in reply to Pierre Bourdon):
The plot thickens: I'm indeed not seeing any traffic coming from my host to that network.
... but I'm getting some random TCP resets from port 22 from multiple hosts in that net. No other traffic, this is literally a tcpdump net 202.91.160.0/20:
02:52:19.702913 IP 202.91.162.26.22 > 195.201.9.37.49424: Flags [R.], seq 0, ack 3809994527, win 0, length 0
gist.github.com/delroth/3c606f…
wtf? I'm completely out of ideas as to what could lead to this. *Only* resets too!
gist:3c606fc924af2e86bb74466c26749d6d
Pierre Bourdon (in reply to Pierre Bourdon):
And just to rule out the almost-impossible: this happens to be a VM, and the hypervisor is not seeing anything different, so the level of sophistication that would be needed to hide an actual compromise there seems unlikely.
What *are* those TCP resets? They're not only coming from that net either, but it's a fairly low rate, like a few/min. Doesn't match any pattern I'm familiar with!
scriptjunkie (in reply to Pierre Bourdon):
nmap.org/book/idlescan.html
TCP Idle Scan (-sI) | Nmap Network Scanning
Pierre Bourdon (in reply to scriptjunkie):
@sj idle scan hasn't been useful in like 20 years, basically every OS randomizes IP IDs. As far as I know, at least.
Which means scanning by spoofing my source IP would be... completely useless? And I'd expect to see more than just resets, but I've checked, it's just resets!
Pierre Bourdon (in reply to Pierre Bourdon):
Update: just saw some SYN-ACKs coming my way!
03:35:25.544116 IP 52.12.88.80.22 > 195.201.9.37.32275: Flags [S.], seq 4074918552, ack 511250182, win 62727, options [mss 1460], length 0
Which... I guess means someone is mass-scanning the internet from my source IP? But what would even be the point? Did someone just typo my IP address in their scanner?
What the actual fuck?
endrift (in reply to Pierre Bourdon):
Presumably trying to get your IPv4 blacklisted for bad behavior, even though you're not actually doing anything.
No clue why though, or any other possibility here.
Pierre Bourdon (in reply to Pierre Bourdon):
OK, plot twist that makes even less sense at first.
I was seeing those RSTs/SYN-ACKs coming from port 22s from all over the world on my Hetzner box.
Turns out: I'M SEEING THEM ALSO ON MY HOME ROUTER.
In a different country. On a different AS.
(What the actual fuck?)²
03:59:22.698260 IP 14.46.196.239.22 > 77.109.152.87.5927: Flags [R.], seq 0, ack 3379901407, win 0, length 0
04:02:28.961426 IP 126.145.148.68.22 > 77.109.152.87.20305: Flags [R.], seq 0, ack 3947105288, win 0, length 0
Pierre Bourdon (in reply to Pierre Bourdon):
Luckily there are only a few things that my Hetzner box and my home router have in common.
1. They have a *.delroth.net name.
2. They run a Tor relay on their IPv4. Note: RELAY, they don't send any arbitrary traffic to the internet.
Also luckily I have a 3rd machine also in a completely different country and a completely different AS (Linode, Japan) but that also runs a Tor relay. And:
04:19:14.705034 IP 198.30.233.69.22 > 172.105.199.155.39998: Flags [R.], seq 0, ack 171173954, win 0, length 0
Pierre Bourdon (in reply to Pierre Bourdon):
Which still doesn't answer what the fuck is going on, but most likely someone is mass-connecting to port 22 and using source IP addresses from random Tor relays? Maybe?
I can't make any more sense of it, but that sounds like something that maybe I could envision someone doing?
Do I know other people running #tor relays here that could check if they also receive random RSTs from random machines' port 22?
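A small detection script for the pattern described in this thread, added here as an example and not code from any of the posts: it parses tcpdump one-liners like the ones quoted above (the thread's own packets plus one constructed, legitimate outbound SSH connection to the documentation address 203.0.113.5) and flags inbound RSTs and SYN-ACKs that answer no SYN the local host sent, which is the signature of backscatter from a scanner spoofing your address.

```python
import re
from collections import Counter

# Matches the IPv4/TCP tcpdump one-liners quoted in the thread.
LINE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
                  r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")

def parse_line(line):
    """Return the fields we need from one tcpdump line, or None if it is not TCP/IPv4."""
    m = LINE.match(line)
    if not m:
        return None
    p = m.groupdict()
    p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
    return p

def find_backscatter(lines, local_ips):
    """Inbound RST / SYN-ACK packets that answer no SYN we sent, i.e. backscatter."""
    sent_syn = set()  # (local_ip, local_port, remote_ip, remote_port) of SYNs we sent
    hits = []
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["src"] in local_ips and p["flags"] == "S":
            sent_syn.add((p["src"], p["sport"], p["dst"], p["dport"]))
        elif p["dst"] in local_ips and p["flags"] in ("R", "R.", "S."):
            if (p["dst"], p["dport"], p["src"], p["sport"]) not in sent_syn:
                hits.append(p)
    return hits

def summarize(hits):
    """Counts by TCP flags and by remote port, plus the number of distinct remote hosts."""
    return {
        "flags": dict(Counter(h["flags"] for h in hits)),
        "remote_ports": dict(Counter(h["sport"] for h in hits)),
        "remote_hosts": len({h["src"] for h in hits}),
    }

# Constructed sample: four packets quoted in the thread plus one legitimate SSH connection
# (outbound SYN to a documentation address and its SYN-ACK), which must NOT be flagged.
SAMPLE = """\
02:52:19.702913 IP 202.91.162.26.22 > 195.201.9.37.49424: Flags [R.], seq 0, ack 3809994527, win 0, length 0
03:35:25.544116 IP 52.12.88.80.22 > 195.201.9.37.32275: Flags [S.], seq 4074918552, ack 511250182, win 62727, options [mss 1460], length 0
03:36:00.000000 IP 195.201.9.37.51000 > 203.0.113.5.22: Flags [S], seq 100, win 64240, options [mss 1460], length 0
03:36:00.010000 IP 203.0.113.5.22 > 195.201.9.37.51000: Flags [S.], seq 200, ack 101, win 65160, options [mss 1460], length 0
03:59:22.698260 IP 14.46.196.239.22 > 77.109.152.87.5927: Flags [R.], seq 0, ack 3379901407, win 0, length 0
04:19:14.705034 IP 198.30.233.69.22 > 172.105.199.155.39998: Flags [R.], seq 0, ack 171173954, win 0, length 0
""".splitlines()
LOCAL = {"195.201.9.37", "77.109.152.87", "172.105.199.155"}
```

Run it over a full `tcpdump -n tcp` capture rather than a filtered one, since the outbound SYNs are what separate real connections from backscatter; a steady trickle of hits whose remote port is always 22 and whose remote hosts never repeat is the pattern the thread describes.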
Pierre Bourdon (in reply to Pierre Bourdon):
A few hours and an email to tor-relays later: gitlab.torproject.org/tpo/netw…
(thread: lists.torproject.org/pipermail…)
Still no closer to the actual root cause here, but…
Dir auths getting abuse complaints about port 22 scanning (#85) · Issues · The Tor Project / Network Health / Analysis · GitLab
Pierre Bourdon (reply, parent unknown):
@arcayr nope, nothing weird networking-wise on that machine. And as I was replying to someone else, idle scan is like dead since 20 years ago, everything randomizes IP ID since like Linux 2.6.something...
And if it was some kind of scanning, I'd expect to see more than just resets too!