Wild ass day in the Tor node operator world. Got an email from my VPS, forwarding a complaint from WatchDog CyberSecurity saying that my box was scanning SSH ports!
Oh no, oh no, I knew I should have set up fail2ban, oh god why was I so lackadaisical!
So I remote in to the machine: no unusual network activity, no unusual processes, users, logins, command history, no sign that anything is doing anything I didn't tell it to do.
So what's up? Turns out there's been a widespread campaign where some actor is spoofing IPs to make it look like systems running Tor are scanning port 22: https://forum.torproject.org/t/tor-relays-tor-relays-source-ips-spoofed-to-mass-scan-port-22/15498/14
Operators from all over are saying they're getting nastygrams from their VPS providers because WatchDog is fingering their source IPs (which are being spoofed and NOT part of a global portscanning botnet).
@delroth did an amazing writeup of the whole thing here: https://delroth.net/posts/spoofed-mass-scan-abuse/
[#]tor #infosec #cybersecurity #threatintel #privacy
=> More informations about this toot | More toots from ceresbzns@infosec.exchange
@ceresbzns @delroth
Ha, I always wondered how people accomplish source IP spoofing so that packets can reach their destination.
Interesting read; thanks for sharing.
Where I read more about bcp38 http://www.bcp38.info/index.php/Main_Page
=> More informations about this toot | More toots from INIT6@infosec.exchange
@ceresbzns @delroth great write up Del! I even understood it!
=> More informations about this toot | More toots from arichtman@eigenmagic.net
@ceresbzns @delroth
this sounds nasty as hell.
=> More informations about this toot | More toots from rwg@aoir.social This content has been proxied by September (3851b).Proxy Information
text/gemini