The attacker is spoofing the IPs of Tor Exit and Directory nodes, and blasting TCP SYN packets indiscriminately on 22/TCP, spurring a large amount of abuse complaints to hosting providers, which are then temporarily blocking/banning Tor infrastructure which isn’t actually doing anything wrong.

For the time being, I recommend all hosting providers ignore abuse complaints that indicate “SSH scanning” or “port scanning on 22/TCP” and originate from any of the following IPs: pastebin.com/idKU0agt

This is a clever attack. I’m working with partners to triangulate the true origin of this traffic, then try to get it disconnected.

Weird attacker website here: r00t.monster

Related links:
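The post's point for a hosting provider is that an off-path attacker who spoofs a Tor relay's source address can send SYNs, but can never complete the three-way handshake as that address, so an abuse report that shows only SYNs to 22/TCP from a listed relay, with no completed connection, is exactly the pattern described. The following triage script is an added example, not code from the post or from the Tor Project: it parses constructed flow lines of the kind an automated abuse report attaches, and marks each reported source as spoof-consistent, handshake-completed, or unverified. The relay addresses and the report lines are constructed stand-ins (RFC 5737 documentation ranges); the post links a pastebin of the real affected IPs but quotes none.

```python
import re
from collections import defaultdict

# Constructed stand-ins for the affected Tor exit/directory addresses.
# In practice, substitute the list from the post's pastebin or the Tor
# Project's published exit list.
TOR_RELAY_IPS = {"198.51.100.10", "198.51.100.11", "203.0.113.5"}

# Constructed flow lines in a generic "<time> <src> > <dst>:<port> <flags>"
# form, where flags are the TCP flags the reporter observed from that source.
SAMPLE_REPORT = """\
2024-10-20T03:14:01Z 198.51.100.10 > 192.0.2.7:22 S
2024-10-20T03:14:01Z 198.51.100.10 > 192.0.2.8:22 S
2024-10-20T03:14:02Z 198.51.100.11 > 192.0.2.7:22 S
2024-10-20T03:14:02Z 198.51.100.11 > 192.0.2.9:22 S
2024-10-20T03:15:10Z 203.0.113.5 > 192.0.2.7:443 S
2024-10-20T03:15:10Z 203.0.113.5 > 192.0.2.7:443 A
2024-10-20T03:16:00Z 192.0.2.250 > 192.0.2.7:22 S
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+>\s+(\S+):(\d+)\s+([SAFRPU]+)$")


def parse_report(text):
    """Parse flow lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port, flags = m.groups()
        records.append({"ts": ts, "src": src, "dst": dst,
                        "port": int(port), "flags": flags})
    return records


def triage(records, tor_ips):
    """
    Group the report by source address and decide whether it is consistent
    with source-IP spoofing.

    A spoofed (off-path) sender can emit SYNs but cannot answer the SYN-ACK,
    so any ACK seen from the same source after its SYN is evidence that the
    address is genuine. SYN-only traffic aimed solely at 22/TCP from a listed
    Tor relay matches the pattern in the post and should not be acted on
    against the relay without further evidence.
    """
    per_src = defaultdict(lambda: {"syn": 0, "ack": 0, "ports": set()})
    for r in records:
        s = per_src[r["src"]]
        s["ports"].add(r["port"])
        if "S" in r["flags"] and "A" not in r["flags"]:
            s["syn"] += 1          # bare SYN: can be forged by anyone
        elif "A" in r["flags"]:
            s["ack"] += 1          # ACK: requires the real host to have received the SYN-ACK

    verdicts = {}
    for src, s in per_src.items():
        if s["ack"] > 0:
            verdicts[src] = "handshake-completed"        # source is real; investigate normally
        elif src in tor_ips and s["ports"] == {22}:
            verdicts[src] = "likely-spoofed-tor-relay"   # pattern from the post; do not ban
        else:
            verdicts[src] = "unverified-syn-only"        # ask the reporter for handshake evidence
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(triage(parse_report(SAMPLE_REPORT), TOR_RELAY_IPS).items()):
        print(f"{src:15} {verdict}")
```

The useful discriminator is the ACK column: a report that contains only SYNs proves nothing about who sent them, whereas a completed handshake from a relay's address means the relay really did connect. Reports that land in the "unverified" bucket are best answered by asking the complainant for a capture that includes the reply side, rather than by firewalling the named address.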
I was affected by this, and my conclusion is that there ought to be some sort of license required for a “cybersecurity” company to send these automated abuse emails to hosting providers in the first place.
One company, after I explained to them the situation and what IP spoofing was, linked me to the VirusTotal page for my IP address as proof that my host was actually infected with malware, and demanded I firewall traffic to their network even though my network wasn’t involved in the first place.