[tor-relays] Ongoing denial of service attack against Tor relays by leased botnet in America and PRC (Nobistech, Datashack, Limestone, HE, Pegtech, WholeSale Internet, and Psychz VPS nodes, etc)

2013-03-28 Thread Kent Backman
Up front, I am not a conspiracy theorist.

New to the list, I run a Tor exit node from my small cable modem connection
in Honolulu, as well as for a short time on a few VPS's to prove to
myself that it wasn't just me.

Over the last several weeks, I have collected substantial evidence
indicating that a botnet is degrading the Tor anonymity network in its
entirety via a sustained denial of service attack. I believe it is made to
blend in with all the other crazy packets that an exit node generates, but
it is pretty easy to spot if you just look at the RST's or drops coming off
your node, all from a static unused destination port.  If you change the IP
address of your node, it will take about 90 minutes before they identify
your IP and you start getting attacked again.  I will submit to you the
headers of a few hundred packets, and the full list of perps involved in
separate emails because of the size thing.   Do a whois lookup on a few of
those VPS IP addresses and you will see the country involved.  

Here are the last few hundred packet headers showing the two bigger ISP's.
Wasn't able to show the perp list since the first two messages were held for the
moderator because of the size.

Wondering what other folks are seeing with their relays.


UTC DATE    UTC TIME  IP               SRC-ISP                      SPT   DST           DST-ISP      DPT   Flags
2013-03-28  7:33:38   173.208.95.126   Nobis Technology Group, LLC  2571  66.8.214.196  Road Runner  8118  [S]
2013-03-28  7:33:39   173.208.95.126   Nobis Technology Group, LLC  2571  66.8.214.196  Road Runner  8118  [S]
2013-03-28  7:33:39   74.63.192.36     Limestone Networks           1274  66.8.214.196  Road Runner  8118  [S]
2013-03-28  7:33:39   108.177.168.156  Nobis Technology Group, LLC  3471  66.8.214.196  Road Runner  8118  [S]
2013-03-28  7:33:39   173.208.95.126   Nobis Technology Group, LLC  2571  66.8.214.196  Road Runner  8118  [S]
2013-03-28  7:33:39   23.19.67.28      Nobis Technology Group, LLC  3866  66.8.214.196  Road Runner  8118  [S]
2013-03-28  7:33:40   74.63.192.36     Limestone Networks           1274  66.8.214.196  Road Runner  8118  [S]
2013-03-28  7:33:40   108.177.168.156  Nobis Technology Group, LLC  3471  66.8.214.196  Road Runner  8118  [S]
2013-03-28  7:33:40   74.63.192.36     Limestone Networks           1598  66.8.214.196  Road Runner  8118  [S]
2013-03-28  7:33:40   23.19.67.28      Nobis Technology Group, LLC  3866  66.8.214.196  Road Runner  8118  [S]
2013-03-28  7:33:40   108.177.168.156  Nobis Technology Group, LLC  3471  66.8.214.196  Road Runner  8118  [S]
2013-03-28  7:33:40   74.63.192.36     Limestone Networks           1274  66.8.214.196  Road Runner  8118  [S]
2013-03-28  7:33:41   74.63.192.36     Limestone Networks           1598  66.8.214.196  Road Runner  8118  [S]
2013-03-28  7:33:41   23.19.67.28      Nobis Technology Group, LLC  3866  66.8.214.196  Road Runner  8118  [S]
2013-03-28  7:33:41   74.63.192.36     Limestone Networks           1598  66.8.214.196  Road Runner  8118  [S]
2013-03-28  7:33:44   173.208.44.42    Nobis Technology Group, LLC  1358  66.8.214.196  Road Runner  8118  [S]
2013-03-28  7:33:45   173.208.44.42    Nobis Technology Group, LLC  1358  66.8.214.196  Road Runner  8118  [S]
2013-03-28  7:33:45   64.120.60.121    Nobis Technology Group, LLC  4001  66.8.214.196  Road Runner  8118  [S]
2013-03-28  7:33:45   69.147.233.52    Nobis Technology Group, LLC  2291  66.8.214.196  Road Runner  8118  [S]
2013-03-28  7:33:45   173.208.44.42    Nobis Technology Group, LLC  1358  66.8.214.196  Road Runner  8118  [S]
2013-03-28  7:33:45   64.120.60.121    Nobis Technology Group, LLC  4001  66.8.214.196  Road Runner  8118  [S]
2013-03-28  7:33:46   69.147.233.52    Nobis Technology Group, LLC  2291  66.8.214.196  Road Runner  8118  [S]
2013-03-28  7:33:46   64.120.60.121    Nobis Technology Group, LLC  4001  66.8.214.196  Road Runner  8118  [S]
2013-03-28  7:33:46   69.147.233.52    Nobis Technology Group, LLC  2291  66.8.214.196  Road Runner  8118  [S]
2013-03-28  7:33:47   64.120.60.139    Nobis Technology Group, LLC  2078  66.8.214.196  Road Runner  8118  [S]
2013-03-28  7:33:47   23.19.54.243     Nobis Technology Group, LLC  1281  66.8.214.196  Road Runner  8118  [S]
2013-03-28  7:33:48   64.120.60.139    Nobis Technology Group, LLC  2078  66.8.214.196  Road Runner  8118  [S]
2013-03-28  7:33:48   23.19.54.243     Nobis Technology Group, LLC  1281  66.8.214.196  Road Runner  8118  [S]
2013-03-28  7:33:48   64.120.60.139    Nobis Technology Group, LLC  2078  66.8.214.196  Road Runner  8118  [S]
2013-03-28  7:33:48   23.19.54.243     Nobis Technology Group, LLC  1281  66.8.214.196  Road Runner  8118  [S]
2013-03-28  7:33:48   64.120.60.106    Nobis

Re: [tor-relays] Ongoing denial of service attack against Tor relays by leased botnet in America and PRC (Nobistech, Datashack, Limestone, HE, Pegtech, WholeSale Internet, and Psychz VPS nodes, etc)

2013-03-28 Thread Moritz Bartl
On 28.03.2013 11:13, Kent Backman wrote:
 Over the last several weeks, I have collected substantial evidence
 indicating that a botnet is degrading the Tor anonymity network in its
 entirety via a sustained denial of service attack.

I don't have much time right at the moment (sorry), and I don't outright
reject your observations. Maybe you are interested in our exit relay
statistics (cpu/memory/etc). We have US exits as well (axigy1/axigy2).
If there was something out of the ordinary happening to these servers, I
am sure the ISP would have told me (we are in daily contact via Instant
Messenger).

https://www.torservers.net/munin/

-- 
Moritz Bartl
https://www.torservers.net/
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] Ongoing denial of service attack against Tor relays by leased botnet in America and PRC (Nobistech, Datashack, Limestone, HE, Pegtech, WholeSale Internet, and Psychz VPS nodes, etc)

2013-03-28 Thread grarpamp
 New to the list, I run a Tor exit node from my small cable modem connection
 in Honolulu, as well as for a short time on a few VPS's to prove to

 Over the last several weeks, I have collected substantial evidence
 indicating that a botnet is degrading the Tor anonymity network in its
 entirety via a sustained denial of service attack. I believe it is made to
 blend in with all the other crazy packets that an exit node generates, but
 it is pretty easy to spot if you just look at the RST's or drops coming off
 your node, all from a static unused destination port.  If you change the IP
 address of your node, it will take about 90 minutes before they identify
 your IP and you start getting attacked again.
 Do a whois lookup on a few of
 those VPS IP addresses and you will see the country involved.

 Wondering what other folks are seeing with their relays.

 UTC DATE    UTC TIME  IP               SRC-ISP                      SPT   DST           DST-ISP      DPT   Flags
 2013-03-28  7:33:38   173.208.95.126   Nobis Technology Group, LLC  2571  66.8.214.196  Road Runner  8118  [S]

I believe 8118 is the polipo/privoxy gateway port and that you are simply seeing
the usual internet 'bot' scans for that proxy, and the box is returning the normal
closed-port reset to SYNs.

You may collate this flow data by IP and report the unwanted traffic to the
ARIN netblock and PTR domain contacts. Or ignore it as a waste of time if the
packet rate is an acceptable loss to internet noise.
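The collation grarpamp suggests, applied to the two-line packet dump format of Kent's post, as an added example that is not code from either poster: it parses the rows, counts packets and distinct connection attempts per source, and checks whether the traffic is nothing but bare SYNs to one destination port. The sample rows are an excerpt of the ones posted; the regexes and function names are assumptions of this example.

```python
import re
from collections import Counter

# Each packet in the post occupies two physical lines, with some columns run
# together ("66.8.214.196Road Runner 8118[S],"): DATE TIME SRC SRC-ISP SPT, then DST DST-ISP DPT[FLAGS].
FIRST = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\d+:\d{2}:\d{2})\s+(\d+(?:\.\d+){3})\s*(.*?)\s+(\d+)$")
SECOND = re.compile(r"^(\d+(?:\.\d+){3})\s*(.*?)\s*(\d+)\[([A-Z.]*)\],?$")
# Excerpt of the posted rows, header and truncated last row included, so the
# parser is seen to skip both instead of mis-pairing lines.
SAMPLE = """UTC DATEUTC TIMEIP  SRC-ISP SPT DST DST-ISP DPT
Flags
2013-03-28  7:33:38 173.208.95.126  Nobis Technology Group, LLC 2571
66.8.214.196Road Runner 8118[S],
2013-03-28  7:33:39 173.208.95.126  Nobis Technology Group, LLC 2571
66.8.214.196Road Runner 8118[S],
2013-03-28  7:33:39 74.63.192.36Limestone Networks  1274
66.8.214.196Road Runner 8118[S],
2013-03-28  7:33:39 108.177.168.156 Nobis Technology Group, LLC 3471
66.8.214.196Road Runner 8118[S],
2013-03-28  7:33:48 64.120.60.106   Nobis"""

def parse_flows(text):
    """Pair each DATE/TIME line with the DST line after it; return dict records."""
    records, m1 = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m2 = SECOND.match(line) if m1 else None
        if m2:
            records.append({"date": m1.group(1), "time": m1.group(2), "src": m1.group(3),
                            "src_isp": m1.group(4).strip(), "spt": int(m1.group(5)),
                            "dst": m2.group(1), "dst_isp": m2.group(2).strip(),
                            "dpt": int(m2.group(3)), "flags": m2.group(4)})
            m1 = None
        else:
            m1 = FIRST.match(line)  # header, junk, or a DATE line with no DST line
    return records

def collate(records):
    """Packets and distinct connection attempts per (src, ISP), and packets per dst port.
    Repeated SYNs from one (src, spt) are retransmits of a single attempt: counted once."""
    packets = Counter((r["src"], r["src_isp"]) for r in records)
    attempts = Counter(k[:2] for k in {(r["src"], r["src_isp"], r["spt"]) for r in records})
    ports = Counter(r["dpt"] for r in records)
    return packets, attempts, ports

def single_port_syn_only(records):
    """True when every packet is a bare SYN to one dst port, the pattern both posts describe."""
    return (bool(records) and len({r["dpt"] for r in records}) == 1
            and all(r["flags"] == "S" for r in records))
```

Running the real dump through parse_flows and collate gives the per-source figures to send to the netblock contacts, with retransmits of one unanswered SYN no longer inflating the count.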