[bitfolk] Re: Backscatter attacks on TCP connections (not limited to Tor) triggering abuse honeypots of service providers

Hi James, On Wed, Oct 30, 2024 at 12:12:12PM +0000, James R. Haigh (+BitFolk subaddress) via BitFolk Users wrote: In general where we don't think actual abuse is taking place, we expect the customer to reply to abuse reports involving them. Particularly in the case of Tor nodes these generate a lot of abuse reports although that is mainly for exit nodes and there aren't any of those at BitFolk right now, only relay nodes (internal to Tor so never visible to an end-host outside Tor). SSH dictionary attacks are so common that when someone sees a number of TCP SYN packets to their port 22 they just think it is one of those and report it as such, and the hosting company at the other end would often be inclined to believe it, as initially seen in that article. t> ordinary DDoS attack on some other target. T he honeypots do an important job of detecting this sort of activity but it does seem necessary for them to gather more information than some TCP SYN packets before taking any action. I wouldn't necessarily call it benign as it does imply some forging is going on for some reason. It could indicate a misconfiguration such as two or more devices with the same IP address. Certainly from BitFolk point of view but also I think generally, most kinds of abuse report would need to show some actual content, and that is not possible with spoofed TCP. I think it is only because port scanning and SSH dictionary attacks are so common that a lazy report like that could ever be taken seriously. Tor is a proxy. What comes out of it is just normal Internet traffic, like if it were a SOCKS proxy or a HTTP proxy. When a TCP SYN packet comes in, all you have is the source address as there is no payload yet. The only way to tell that it is a legitimate connection attempt from a non-spoofed source is to complete the TCP three way handshake. Spoofed sources can't complete that. Tor, being a proxy, runs as a user process on some server. User processes should never see these partially set up TCP connections as all that happens is the kernel receives a SYN+ACK packet from the SSH host with a sequence number that does not match any SYN it has sent itself. It knows something strange has happened and sends back a TCP RST packet to destroy the connection before it was ever established. You can't even see this happening unless you run a process with elevated privileges in order to trace it like tcpdump. So no, it should not get as far as the Tor process. Anyway, multiple companies are scanning all 65k ports of the entire IPv4 address apace multiple times a day to look for every service there is and they sell the database of that, so there is no need for anyone to do it through Tor if the goal were purely to identify SSH servers. It may also be worth noting that most Tor exit nodes are configured to not permit TCP port 22 connections out since they just get used for SSH dictionary attacks otherwise. Similarly they don't allow port 25 as they just get used to relay spam. Thanks, Andy -- https://bitfolk.com/ -- No-nonsense VPS hosting "It is I, Simon Quinlank. The chief conductor on the bus that is called hobby." — Simon Quinlank