Items tagged with: tor


Wild ass day in the Tor node operator world. Got an email from my VPS, forwarding a complaint from WatchDog CyberSecurity saying that my box was scanning SSH ports!

> Oh no, oh no, I knew I should have set up fail2ban, oh god why was I so lackadaisical!

So I remote into the machine: no unusual network activity, no unusual processes, users, logins, command history, no sign that anything is doing anything I didn't tell it to do.

So what's up? Turns out there's been a widespread campaign where some actor is spoofing IPs to make it look like systems running Tor are scanning port 22: forum.torproject.org/t/tor-rel…

Operators from all over are saying they're getting nastygrams from their VPS providers because WatchDog is fingering their source IPs (which are being spoofed and NOT part of a global portscanning botnet).

@delroth did an amazing writeup of the whole thing here: delroth.net/posts/spoofed-mass…

#tor #infosec #cybersecurity #threatintel #privacy


On my blog: One weird trick to get the whole planet to send abuse complaints to your best friend(s)

delroth.net/posts/spoofed-mass…

Summary of my adventures from last evening, as read in this Mastodon thread: mastodon.delroth.net/@delroth/…

#infosec #networking #tor


By any chance did anyone recently also get an abuse report from "watchdogcyberdefense.com"?

Hetzner forwarded one to me claiming that my server has been ssh-scanning some random network, but uh, I've looked for a while and can't find any evidence of weirdness (granted, can't easily prove a negative). And that company seems awfully fishy in terms of online presence.

I'm half expecting it to be spam but I can't figure out what their strategy would be. Or incompetence perhaps?



Which still doesn't answer what the fuck is going on, but most likely someone is mass-connecting to port 22 and using source IP addresses from random Tor relays? Maybe?

I can't make any more sense of it, but that sounds like something that maybe I could envision someone doing?

Do I know other people running #tor relays here that could check if they also receive random RSTs from random machines' port 22?

#tor
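An added example, not taken from any of the posts above: a small Python script that does the check asked for in the last post, picking out SYN-ACK/RST replies from port 22 that answer no connection the relay itself opened (the backscatter a spoofed SYN scan would produce). The tcpdump-style lines, the relay address 203.0.113.10, the 192.0.2.0/24 "scanned" hosts and the three-host threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines for illustration (not a real capture).
# 203.0.113.10 plays the relay; 192.0.2.0/24 hosts are the "scanned" network.
SAMPLE_LINES = """\
12:00:01.000 IP 203.0.113.10.44123 > 198.51.100.7.443: Flags [S], seq 1, win 64240, length 0
12:00:01.050 IP 198.51.100.7.443 > 203.0.113.10.44123: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:02.000 IP 192.0.2.15.22 > 203.0.113.10.53211: Flags [R.], seq 0, ack 1, win 0, length 0
12:00:02.100 IP 192.0.2.77.22 > 203.0.113.10.61002: Flags [S.], seq 9, ack 1, win 29200, length 0
12:00:02.200 IP 192.0.2.91.22 > 203.0.113.10.40100: Flags [R], seq 0, win 0, length 0
12:00:02.300 IP 192.0.2.140.22 > 203.0.113.10.50444: Flags [R.], seq 0, ack 1, win 0, length 0
12:00:03.000 IP 203.0.113.10.39000 > 192.0.2.200.22: Flags [S], seq 5, win 64240, length 0
12:00:03.050 IP 192.0.2.200.22 > 203.0.113.10.39000: Flags [R.], seq 0, ack 6, win 0, length 0
""".splitlines()

PKT_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)

def find_backscatter(lines, my_ip, scanned_port=22):
    """Count SYN-ACK/RST replies from `scanned_port` that answer no SYN we sent.

    A spoofed SYN scan forges our address as the source, so the targets'
    replies come back to us even though we never opened a connection.
    Returns {remote_ip: number_of_unsolicited_replies}.
    """
    our_syns = set()               # (remote_ip, remote_port, our_port)
    unsolicited = defaultdict(int)
    for line in lines:
        m = PKT_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        sport, dport = int(sport), int(dport)
        if src == my_ip and "S" in flags and "." not in flags:
            our_syns.add((dst, dport, sport))          # a SYN we really sent
        elif dst == my_ip and sport == scanned_port and ("R" in flags or flags == "S."):
            if (src, sport, dport) not in our_syns:    # reply to a SYN we never sent
                unsolicited[src] += 1
    return dict(unsolicited)

def looks_like_spoofed_scan(unsolicited, min_hosts=3):
    """Heuristic: replies from many distinct port-22 hosts we never contacted."""
    return len(unsolicited) >= min_hosts

if __name__ == "__main__":
    hits = find_backscatter(SAMPLE_LINES, "203.0.113.10")
    print(hits, looks_like_spoofed_scan(hits))
```

On a real relay, feed it the output of `tcpdump -n 'tcp and src port 22'` (plus the relay's own outbound SYNs) and a handful of distinct hosts in a short window is the signal worth keeping alongside the abuse report.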