31 October 2024
In the last few days, many Tor relay operators, mainly those hosting relay nodes on providers like Hetzner, began receiving abuse notices.
All the notices reported many failed SSH login attempts, part of a brute force attack, coming from their Tor relays.
Tor relays normally only transport traffic between a guard and an exit node of the Tor network and, per se, should not perform any SSH connections to internet-facing hosts, let alone SSH brute force attacks.
After a first analysis by delroth, it was discovered that the majority of the Tor relays were not performing any SSH traffic at all.
Instead, a malicious actor began spoofing Tor relays' IP addresses while performing a large-scale SSH brute force attack, specifically targeting honeypots and networks with intrusion detection systems that send (sometimes automated) abuse complaints.
In this way, the target host receives SSH login attempts from the relay's IP address instead of the actor's real IP address.
Internet hosts making a high number of failed SSH login attempts are quickly added to blocklists, receive a lot of abuse notices, and their IP addresses quickly get a "bad reputation".
For this reason, providers usually take down hosts after a small number of abuse notices, most of the time without any possibility of appeal.
It is no news that many actors don’t like Tor.
This censorship attack directly undermines the health of the Tor relay infrastructure by deliberately provoking abuse complaints against Tor relay operators.
At the moment of writing, the scale of the attack is still moderate and the actor is still unknown.
As for the solution, the best you can do as a relay operator against the flood of abuse complaints is to try to appeal, and to run more nodes to replace the ones that will be taken down.
If you are a provider, before sending bogus abuse complaints, verify that the information is actually true and that there is enough evidence to back it up, leaving the users a chance to appeal.
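One concrete form of that verification, as an added example that is not part of the original post: a provider can triage its own flow records for the reported source IP before forwarding an automated complaint, since a spoofed source never gets past the SYN and therefore cannot have carried an SSH login attempt. The flow-record schema, the relay list and the sample records below are constructed for illustration; a real deployment would fill the records from its collector and fetch the relay list from the Tor directory (for example via Onionoo).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One TCP flow as a collector would summarize it (hypothetical schema)."""
    src: str
    dst: str
    dport: int
    src_flags: str    # union of TCP flags seen from src, e.g. "S", "SR", "SPA"
    src_payload: int  # payload bytes sent by src after the handshake


# Constructed inputs using documentation address ranges, not real hosts.
TOR_RELAYS = {"203.0.113.10"}  # constructed; in practice pull from Onionoo
FLOWS = [
    Flow("203.0.113.10", "198.51.100.5", 22, "SR", 0),    # SYN then RST: never established
    Flow("203.0.113.10", "198.51.100.5", 22, "SR", 0),
    Flow("203.0.113.10", "198.51.100.5", 22, "S", 0),     # SYN only, no reply handled
    Flow("203.0.113.77", "198.51.100.5", 22, "SPA", 1843),  # real session carrying SSH data
]


def established(flow: Flow) -> bool:
    """An SSH login attempt needs a completed handshake (ACK from the client)
    and client data (banner, key exchange, authentication). A flow that shows
    only SYN, or SYN followed by RST, with zero payload cannot have carried one,
    which is exactly what source-address spoofing looks like at the target."""
    return "A" in flow.src_flags and flow.src_payload > 0


def triage(ip: str, flows, tor_relays) -> dict:
    """Summarize the SSH flows attributed to `ip` and decide whether the
    evidence supports a complaint. Only established sessions with payload count."""
    mine = [f for f in flows if f.src == ip and f.dport == 22]
    est = [f for f in mine if established(f)]
    return {
        "ip": ip,
        "is_tor_relay": ip in tor_relays,
        "ssh_flows": len(mine),
        "established": len(est),
        "syn_only": len(mine) - len(est),
        "send_complaint": len(est) > 0,
    }


if __name__ == "__main__":
    for reported in ("203.0.113.10", "203.0.113.77"):
        print(triage(reported, FLOWS, TOR_RELAYS))
```

A relay whose only "evidence" is a handful of unacknowledged SYNs gets flagged as a known relay with no established sessions, which is the case to hold back rather than auto-send.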