[tor-relays] Exit relays abused to attack Google services

Google is now sending abuse reports complaining of DDoS attacks against
their services. While they believe the IPs are participating in a
botnet, it is clear that they are Tor exit relays.

I don't know why they are sending us the report after the attacks have
ended. Besides, since Google services are unusable over Tor, this
should not have caused them much damage.

I suspect the attacker is trying to get relays shut down by triggering
Google reports that would scare off the ISPs.

If you are an ISP and you have received the same report, please let me
know. I'd like to know if this was global or if we've been "selected".

···

From: ddos-reports@google.com
To: abuse@urdn.com.ua
Subject: [#zMto] DDoS from your IPs to Google from 2022-01-28 to
2022-01-31
Date: Tue, 01 Feb 2022 20:22:42 +0000

We observed IPs under your control participating in DDoS attacks
targeting Google services, including a prolonged DDoS attack from
January 28-31 against the Google Search Console.

The attacks were Layer 7 / HTTP request floods. Your participating
IPs are listed below, along with the stop time in UTC and targeted
Google IPs. We request that you enforce your Acceptable Use Policy
against these customers.

+-----------------+-----------------+----------+---------------------+
> Source | Destination | DestPort | Time_UTC |
+-----------------+-----------------+----------+---------------------+
> 193.218.118.62 | 142.250.180.227 | 443 | 2022-01-31 15:55:01 |
> 193.218.118.90 | 142.250.180.195 | 443 | 2022-01-31 15:53:28 |
> 193.218.118.100 | 172.217.19.99 | 443 | 2022-01-31 14:43:09 |
> 193.218.118.101 | 142.250.180.227 | 443 | 2022-01-31 17:32:54 |
> 193.218.118.125 | 142.250.180.227 | 443 | 2022-01-31 15:55:28 |
> 193.218.118.145 | 142.250.180.195 | 443 | 2022-01-31 15:55:30 |
> 193.218.118.147 | 142.251.39.35 | 443 | 2022-01-31 15:41:36 |
> 193.218.118.155 | 142.250.180.195 | 443 | 2022-01-31 13:45:43 |
> 193.218.118.156 | 142.250.180.227 | 443 | 2022-01-31 15:57:52 |
> 193.218.118.158 | 142.250.180.227 | 443 | 2022-01-31 18:41:34 |
> 193.218.118.167 | 142.250.201.195 | 443 | 2022-01-31 15:56:53 |
> 193.218.118.182 | 142.251.39.3 | 443 | 2022-01-31 17:31:57 |
> 193.218.118.183 | 142.250.180.227 | 443 | 2022-01-31 17:42:40 |
> 193.218.118.231 | 142.250.180.227 | 443 | 2022-01-31 17:43:08 |
+-----------------+-----------------+----------+---------------------+

Note we believe some of these IPs are part of the Meris or Dvinis
botnets. If you are a residential Internet service provider, it is
possible that your customers' routers themselves have been
compromised. You should research the Meris botnet and take
appropriate actions to have them secure their CPE (customer-premises
equipment).

--
Security Reliability Engineering :: Google :: AS15169

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

2 Likes

Google is now sending abuse reports complaining of DDoS attacks against
their services. While they believe the IPs are participating in a
botnet, it is clear that they are Tor exit relays.

I don't know why they are sending us the report after the attacks have
ended. Besides, since Google services are unusable over Tor, this
should not have caused them much damage.

I suspect the attacker is trying to get relays shut down by triggering
Google reports that would scare off the ISPs.

If you are an ISP and you have received the same report, please let me
know. I'd like to know if this was global or if we've been "selected".

We received 2 DDoS reports in Oct 2021 and 3 automated scraping notices in Nov and Dec 2021.

We are seeing automated scraping of Google Web Search from a large
number of your IPs/VMs. Automated scraping violates our /robots.txt
file and also our Terms of Service. We request that you enforce your
Acceptable Use Policy against these customers.

Best
kantorkel, Artikel10

···

Am 2/2/22 um 01:19 schrieb UDN Tor via tor-relays:

From: ddos-reports@google.com
To: abuse@urdn.com.ua
Subject: [#zMto] DDoS from your IPs to Google from 2022-01-28 to
2022-01-31
Date: Tue, 01 Feb 2022 20:22:42 +0000

We observed IPs under your control participating in DDoS attacks
targeting Google services, including a prolonged DDoS attack from
January 28-31 against the Google Search Console.

The attacks were Layer 7 / HTTP request floods. Your participating
IPs are listed below, along with the stop time in UTC and targeted
Google IPs. We request that you enforce your Acceptable Use Policy
against these customers.

+-----------------+-----------------+----------+---------------------+
> Source | Destination | DestPort | Time_UTC |
+-----------------+-----------------+----------+---------------------+
> 193.218.118.62 | 142.250.180.227 | 443 | 2022-01-31 15:55:01 |
> 193.218.118.90 | 142.250.180.195 | 443 | 2022-01-31 15:53:28 |
> 193.218.118.100 | 172.217.19.99 | 443 | 2022-01-31 14:43:09 |
> 193.218.118.101 | 142.250.180.227 | 443 | 2022-01-31 17:32:54 |
> 193.218.118.125 | 142.250.180.227 | 443 | 2022-01-31 15:55:28 |
> 193.218.118.145 | 142.250.180.195 | 443 | 2022-01-31 15:55:30 |
> 193.218.118.147 | 142.251.39.35 | 443 | 2022-01-31 15:41:36 |
> 193.218.118.155 | 142.250.180.195 | 443 | 2022-01-31 13:45:43 |
> 193.218.118.156 | 142.250.180.227 | 443 | 2022-01-31 15:57:52 |
> 193.218.118.158 | 142.250.180.227 | 443 | 2022-01-31 18:41:34 |
> 193.218.118.167 | 142.250.201.195 | 443 | 2022-01-31 15:56:53 |
> 193.218.118.182 | 142.251.39.3 | 443 | 2022-01-31 17:31:57 |
> 193.218.118.183 | 142.250.180.227 | 443 | 2022-01-31 17:42:40 |
> 193.218.118.231 | 142.250.180.227 | 443 | 2022-01-31 17:43:08 |
+-----------------+-----------------+----------+---------------------+

Note we believe some of these IPs are part of the Meris or Dvinis
botnets. If you are a residential Internet service provider, it is
possible that your customers' routers themselves have been
compromised. You should research the Meris botnet and take
appropriate actions to have them secure their CPE (customer-premises
equipment).

--
Security Reliability Engineering :: Google :: AS15169

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
tor-relays Info Page

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

1 Like

Yo, I have some from google.com too.
Sometimes the IP's of artikel10, relayon and me are together in the abuse log.
All normal automated abuse stuff. On relpy's no one answered.

···

On Wednesday, February 2, 2022 1:19:36 AM CET UDN Tor via tor-relays wrote:

Google is now sending abuse reports complaining of DDoS attacks against
their services. While they believe the IPs are participating in a
botnet, it is clear that they are Tor exit relays.

I don't know why they are sending us the report after the attacks have
ended. Besides, since Google services are unusable over Tor, this
should not have caused them much damage.

I suspect the attacker is trying to get relays shut down by triggering
Google reports that would scare off the ISPs.

If you are an ISP and you have received the same report, please let me
know. I'd like to know if this was global or if we've been "selected".

--
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!

1 Like

This is probably the main reason those reports are being sent.
Meris is a huge botnet using (at least) tens of thousands of compromised routers.
https://www.bleepingcomputer.com/news/security/new-m-ris-botnet-breaks-ddos-record-with-218-million-rps-attack/

Those notices were probably sent automatically to many ISPs hoping some of them would get their customers to fix their routers, and tor exits were probably just not filtered.

···

On Wed, 2 Feb 2022 at 11:05, UDN Tor via tor-relays <tor-relays@lists.torproject.org> wrote:

Note we believe some of these IPs are part of the Meris or Dvinis
botnets. If you are a residential Internet service provider, it is
possible that your customers’ routers themselves have been
compromised. You should research the Meris botnet and take
appropriate actions to have them secure their CPE (customer-premises
equipment).