Mysterious Traffic and False Blocks: Why Do Hackers Attack Tor Relays?

Man

In recent days, Tor relay operators have begun to receive abuse notifications en masse. The notifications concern failed SSH login attempts allegedly originating from their nodes, which indicates brute-force attacks.

Usually, Tor relays only transmit traffic between the source and destination nodes of the Tor network and should not initiate SSH connections to public hosts on the Internet, especially with brute-force attacks. However, analysis from a researcher under the pseudonym "delroth" showed that most Tor relays did not generate SSH traffic.

It turned out that attackers spoof IP addresses of Tor relays, carrying out a large-scale brute-force attack on honeypots and networks with intrusion detection systems that automatically send complaints about suspicious activity, resulting in false abuse notifications to Tor relays.

As a result, hosts that receive multiple failed login attempts are blacklisted, receive multiple abuse notifications, and their IP addresses gain a "bad reputation". This leads to many ISPs disabling such hosts, sometimes without the possibility of appeal.

The attacks aim to undermine the infrastructure of Tor relays, creating a flood of abuse complaints. At the moment, the malicious activity is moderate, and the attackers remain unknown.

While Tor relay operators are encouraged to appeal and deploy additional relays to replace lost ones, ISPs are being asked to check complaints more carefully to avoid false blocks.

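The check an ISP abuse desk or a relay operator would want when such a complaint lands, as an added example that is not part of the original post and not Tor Project tooling: an sshd authentication failure ("Failed password", "Invalid user") can only be logged after a completed TCP handshake, which an off-path spoofer cannot finish, whereas a firewall or honeypot line that records nothing more than a SYN to port 22 can carry any forged source address. The script sorts each evidence line in a report into those two classes and flags relays that appear only in SYN-level evidence as likely spoofing victims. The relay set and the report lines are constructed for the example; a real check would look the address up in the Tor consensus (for instance with ExoneraTor) instead of the hard-coded set.

```python
"""Triage an SSH brute-force abuse complaint: could the reported source address be forged?

Added example, not code from the post.  Rule of thumb encoded here:
  * sshd auth-failure lines require an established TCP session  -> evidence is credible
  * firewall/IDS lines showing only a SYN to port 22            -> source address is spoofable
"""
import re
from dataclasses import dataclass

# Constructed stand-in for a Tor consensus lookup (assumption: these are not real relay addresses).
TOR_RELAYS = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# sshd only emits these after TCP handshake and SSH key exchange have completed.
SSHD_AUTH_FAILURE = re.compile(r"sshd\[\d+\]: (?:Failed password|Invalid user) .*\bfrom " + IPV4)
# netfilter/UFW style packet log; the flag words (SYN, ACK, ...) follow the port fields.
FW_PACKET_TO_SSH = re.compile(r"SRC=" + IPV4 + r" .*\bDPT=22\b")


def classify(line):
    """Return (ip, kind) with kind 'established' or 'syn_only', or None if the line is not SSH evidence."""
    m = SSHD_AUTH_FAILURE.search(line)
    if m:
        return m.group("ip"), "established"
    m = FW_PACKET_TO_SSH.search(line)
    # A bare SYN (no ACK) is the first packet of a handshake; its source can be anything.
    if m and re.search(r"\bSYN\b", line) and not re.search(r"\bACK\b", line):
        return m.group("ip"), "syn_only"
    return None


@dataclass
class Verdict:
    ip: str
    tor_relay: bool
    established: int = 0
    syn_only: int = 0

    @property
    def spoofable(self):
        """True when every piece of evidence against this IP could have been forged."""
        return self.established == 0 and self.syn_only > 0


def triage(report, relays=TOR_RELAYS):
    """Group the report's evidence lines per source IP and count each evidence class."""
    verdicts = {}
    for line in report.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        ip, kind = hit
        v = verdicts.setdefault(ip, Verdict(ip, ip in relays))
        if kind == "established":
            v.established += 1
        else:
            v.syn_only += 1
    return verdicts


def should_dispute(v):
    """Operator view: a relay that shows up only in SYN-level evidence is a likely spoofing victim."""
    return v.tor_relay and v.spoofable


# Constructed sample complaint: two relays seen only as SYNs, one non-relay with real
# authentication failures, and one relay that genuinely completed a session.
SAMPLE_REPORT = """\
Jan 14 03:12:01 honeypot kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 SYN URGP=0
Jan 14 03:12:01 honeypot kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 SYN URGP=0
Jan 14 03:12:04 honeypot kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.11 DST=192.0.2.5 PROTO=TCP SPT=40003 DPT=22 WINDOW=1024 SYN URGP=0
Jan 14 03:15:22 bastion sshd[2211]: Failed password for root from 192.0.2.77 port 51322 ssh2
Jan 14 03:15:25 bastion sshd[2211]: Invalid user admin from 192.0.2.77 port 51330
Jan 14 03:16:00 bastion sshd[2240]: Failed password for invalid user test from 198.51.100.7 port 60000 ssh2
"""

if __name__ == "__main__":
    for v in triage(SAMPLE_REPORT).values():
        label = "dispute (spoofable, relay)" if should_dispute(v) else ("spoofable" if v.spoofable else "credible")
        print(f"{v.ip:<15} relay={v.tor_relay!s:<5} established={v.established} syn_only={v.syn_only}  -> {label}")
```

Only the two relays that never got past a SYN come out as disputable; the relay with a logged sshd failure is treated as credible, because whoever wrote that log line saw a completed session. The SYN/ACK test is deliberately strict: a line with both flags is a SYN-ACK reply, not a connection attempt.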