30 Oct
2024
30 Oct
'24
8:45 p.m.
Hi James,
On Wed, Oct 30, 2024 at 05:32:49PM +0000, James R. Haigh (+BitFolk subaddress) via BitFolk
Users wrote:
Okay, yes. But in this case the only link between Tor and SSH is that
some miscreant has apparently decided to harass operators of known Tor
nodes by means of attacking servers known to run SSH. Tor is really
incidental here and the attacker could just as well have decided to
target IP addresses thought to be in Spain, or IP address that are
prime numbers or something.
When the forged traffic hits the TARGET, it has not been anywhere near
the VICTIM yet, so whatever software the VICTIM is running is not
relevant.
When the TARGET sends back a SYN+ACK response to the VICTIM, the
VICTIM's kernel deals with it (either by ignoring it or sending a RST)
before it reaches user space so again Tor is not a factor here.
So what I mean is that it wouldn't matter if VICTIM is a Tor exit node
or relay node or not a Tor node at all, it could even be a networked
coffee machine. It was a human attacker who seems to have chosen to
harass people operating Tor nodes.
At Z+0000=2024-10-30Wed13:43:01, Andy Smith via
BitFolk Users sent:
Since BitFolk has a business relationship with its suppliers, if they
have an issue they will contact us about it and we'll probably iron it
out without BitFolk's customer being involved.
It is when an abuse report comes in from some third party that has no
contractual relationship with BitFolk or the customer concerned that we
would pass this on to the customer to deal with because it will be
boring administrative work. First though we must determine if it's a
genuine report of malicious behaviour, as we wouldn't want to just pass
on an abuse report with the reporter's contact details to the possible
bad actor.
I am really only talking about the cases where it's clear it is some
misunderstanding or at least something to be discussed and negotiated,
and with permission of the reporter.
An non-Tor-related example that springs to mind is when automated scans
of web servers by "good cause" projects find a binary that is a known
piece of malware, so they report it to us as a possibly infected host,
but we happen to know for example that the customer concerned is a
security researcher or penetration tester and the file is there on
purpose. Rather than explain all this on our customer's behalf we would
like to put them in direct contact with each other.
On Wed, Oct 30, 2024 at 12:12:12PM +0000, James
R. Haigh (+BitFolk subaddress) via BitFolk Users wrote:
[...]
In general where we don't think actual abuse is taking place, we expect the customer
to reply to abuse reports involving them. [...]
How does the customer reply to abuse reports from BitFolk's ISP to
BitFolk? Does BitFolk automatically forward such abuse reports to
the customer? Or does BitFolk generate its own abuse reports? I was wondering about the payload of the packets.
Delroth did not
go into that detail, but his article also states at the bottom
that it was written hastily before a plane flight. He may not
have had time to look at the payloads in more detail, like in
WireShark.
In this case there cannot be any payload because a TCP connection can't
exchange any data until the three way handshake is completed to set it
up. All that happens here is:
ATTACKER --SYN packet with source IP of VICTIM--> TARGET
TARGET --SYN+ACK packet back------------------> VICTIM
VICTIM --RST back because sequence number-----> TARGET
didn't match any SYN it had sent
All of these are empty TCP packets with only flags and src/dst IPs in
them.
ATTACKER's real IP address is not known to anyone because they have
forged VICTIM's IP as the source on their packets.
Normally this would probably go totally unnoticed. It's only because
certain sites are hyper sensitive to port 22 SYN packets being received
and think it is an SSH dictionary attack. Really they should wait for
the connection to be established and log the actual login attempt before
assuming that.
Tor is a
proxy. What comes out of it is just normal Internet traffic,
If we are talking about the relay nodes (Delroth specifically
states that these are not also exit nodes), then no normal
Internet traffic is coming out of it at this point. The traffic
is inside an encrypted tunnel, being "onion routed" through 3
relay nodes, iirc.. My understanding is that the servers running Tor
are being sent --
completely unrelatedly on port 22, and from /outside/ of the Tor
tunnels -- TCP packets with a spoofed source IP address,
backscattering to other machines that of course fail to establish
the full handshake, meaning that these connections are instantly
dropped -- but sometimes can trigger anti-abuse honeypots, even
though the abuse did not originate on the server that received the
spoofed TCP packets.
That is correct. It seems that some setups require only to see TCP SYN
packets and consider that an attack. Over-sensitive intrusion detection
systems have been a thing for as long as there have been networks and
ways to report abuse.
So what has it got to do with Tor? Delroth says
not much, beside
maybe a motive to cause disruption to the Tor network -- by means
of attempting to trigger anti-abuse measures against operators of
Tor services such as relays.
As the article mentioned, a lot of people seem to dislike Tor and are
willing to attack it. I suppose a bit like how a lot of people seem to
dislike archive.org and are regularly willing to DDoS it.
It is in some ways a pity that there is a publ;ic directory of all Tor
nodes which makes it easier for people to harass them, but it's an open
decentralised network so these things need ways to find each other. Also
a lot of site operators demand a way to know all Tor exit node IPs so
they can pre-emptively block them.
Probably there are multiple other things like Tor but with more secretive
node directories.
Machines not running Tor are apparently just as
susceptible to
this vulnerability, but simply are not being targetted yet.
Yep. Like with all DDoS.
It still seems odd to me as to why port 22? Why
not any port if
it is just a spoof packet to cause a nuisance? Is it because this
is the port that is most likely to trigger various honeypots?
I think so yes. I cannot really think of any other service where people
are so twitchy about looking at multiple "strange" connections attempts
to it.
You would not even notice if this were port 80/443 for example because
you do expect the world to visit a public web site and the web server
would log nothing as none of those connections ever get established far
enough for user space to see them.
Thanks,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting