VPS provider (Hetzner) suggesting attacks coming from my machines

I’ve had notifications that Hetzner think my VPS’ are involved in an attack of some kind due to detecting port scans from my machines;

PortscanOutLevel: scansnarf-ng detected Portscan from…

I expect it’s just that the node software is trying to connect to remote nodes, and Hetzner are thinking this is suspicious.

Has anyone else had this issue with Hetzner / other providers, and is there any way I can stop this behaviour, or provide some kind of information to demonstrate to Hetzner that the software isn’t attacking anyone?

I may just say ‘it’s running test P2P network software’ and see if that is sufficient for Hetzner, but any tips on how to manage this issue would be appreciated.

8 Likes

if you look closely at the email they sent you, you can see they listed the suspicious activity (with port numbers from your machine to the IP + port numbers of the scanned machines) which should clearly indicate if it’s your nodes or not (most certainly is) … that list most certainly isn’t even very long compared to a real port-scan (and is nowhere near typical ports for a port-scan or done in a systematic/reasonable way if this should be a port-scan) …

now if you explain to them that you believe this is a false positive on port scanning, because you are participating in a test for a decentralized data and communications network and we did a test where we shut down somewhere around 25% of nodes last night to simulate a larger outage (that’s what probably happened and from around the time you were probably flagged by their system; not sure who asked for this test but it certainly happened and was successful xD ). Since QUIC traffic uses UDP and not TCP this would explain why the attempt to re-connect to no longer existing nodes (and possibly bootstrapping to new nodes since the network structure re-organized) triggered their UDP port-scanning detection …

… the port-scanning theory doesn’t sound plausible when looking at the flagged connections … and your answer would be very plausible … which most certainly will make them no longer worry about this incident …

12 Likes
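The check suggested in the reply above (are the flagged connections systematic like a port scan, or scattered like peer-to-peer reconnects?) can be scripted before answering the abuse ticket. This is an added example, not part of the original thread and not Hetzner's detection logic; the line layout, the sample addresses (documentation ranges) and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed samples in an ASSUMED layout: "src_ip src_port dst_ip dst_port proto".
# The provider's real report layout may differ; adapt parse_flows() to it.
P2P_SAMPLE = """\
192.0.2.10 41000 198.51.100.7 12000 udp
192.0.2.10 41000 198.51.100.23 12001 udp
192.0.2.10 41000 203.0.113.5 53111 udp
192.0.2.10 41000 203.0.113.77 12000 udp
192.0.2.10 41000 203.0.113.140 40112 udp
"""
SCAN_SAMPLE = "\n".join(
    f"192.0.2.10 {50000 + i} 198.51.100.7 {port} tcp"
    for i, port in enumerate(range(20, 30)))

def parse_flows(text):
    """Return (dst_ip, dst_port, proto) tuples; skip lines that do not parse."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[3].isdigit():
            flows.append((parts[2], int(parts[3]), parts[4].lower()))
    return flows

def summarize(flows):
    """Measure how systematic the flagged destinations are."""
    ports_by_dst = defaultdict(set)
    for dst, dport, _ in flows:
        ports_by_dst[dst].add(dport)
    longest_run = 0
    for ports in ports_by_dst.values():
        run, prev = 0, None
        for port in sorted(ports):
            run = run + 1 if prev is not None and port == prev + 1 else 1
            longest_run, prev = max(longest_run, run), port
    return {
        "destinations": len(ports_by_dst),
        "max_ports_per_dst": max(map(len, ports_by_dst.values()), default=0),
        "longest_sequential_run": longest_run,
        "well_known_ports": sum(1 for _, p, _ in flows if p < 1024),
        "udp_share": sum(1 for *_, pr in flows if pr == "udp") / max(len(flows), 1),
    }

def looks_like_scan(summary, max_ports_per_dst=3, max_run=3):
    """Illustrative thresholds (assumptions), not any provider's detection rule."""
    return (summary["max_ports_per_dst"] > max_ports_per_dst
            or summary["longest_sequential_run"] >= max_run)

if __name__ == "__main__":
    for name, sample in (("p2p", P2P_SAMPLE), ("scan", SCAN_SAMPLE)):
        s = summarize(parse_flows(sample))
        print(name, s, "scan-like" if looks_like_scan(s) else "not scan-like")
```

The summary figures (one port per destination, no sequential runs, no well-known ports, all UDP) are the kind of evidence that can be quoted back to the provider alongside a description of the node software.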

Fantastic. Thanks for your response, which will make my reply to them more informed :slight_smile:

2 Likes

I’ve seen the same.

They also sent abuse messages to ovh, who then just cancelled my account and deleted my servers.

5 Likes

Not saying you were pushing the envelope too hard, just saying it looks an awful lot as if you were pushing the envelope too hard.

4 Likes

nah they reacted to hetzner sending ovh abuse mails in the middle of the night and me not reacting fast enough for their liking.

And now I’m waiting for a human response from either for hours.

1 Like

I also missed the deadline to respond, but have received some new messages stating:

‘Unfortunately you were mistakenly sent an abuse email. This was caused by an automated detection system. Please ignore the previous email, the abuse case has been closed’

Hopefully they’ll all be treated as false-positives… we’ll see!

5 Likes

I always found Hetzner support to be pretty snappy. Generally I would get an automated reply in seconds and a human within 10-20 mins. But my issues were purely tech or sales not “abuse”.

1 Like

Support is pretty snappy, but in this case I think no one wants to burn their fingers before talking to the nightshift to find out who uploaded the new siem rules without proper testing :smiley:

I can’t access my dedicated server. Robot says it’s running and had no warning emails :weary:

1 Like

Not even with the Rescue tab in your Hetzner Dashboard?

I don’t have any more dedicated servers so I’m working from memory otherwise I’d send screenshots.
But it worked well enough for me when I forgot the initial clever-as-eff password I created at setup :slight_smile:

2 Likes

It’s saying the ip of the server is currently locked??

1 Like

Have you tried requesting a chat or phone session with support?
Again I found them easy to deal with and in faultless English.
Which datacentre is your box in?

2 Likes

Actually I do have an email :weary:

Helsinki it is

1 Like

Do what @riddim says.
If that doesn’t work, ask @toivo nicely to swear at them in Finnish.

5 Likes

I have a dedicated server and 2x VPS through hetzner, and have been running nodes on them full time since we all started this process. I haven’t gotten any letters about scans. They’ve been pretty easy to work with though when I’ve had other issues and support is generally nice.

3 Likes

I believe Finnish swearing is on a different level as well :slight_smile:

3 Likes

can you check your spam folders?

I don’t think so. I think that when it comes to swearing, all cultures are about at the same level. We Finns are different in how little below that level we appear to be in our everyday basic lack of politeness.

It’s always a shock to return from abroad, where, when you have been at the same space with others, you have been treated like you actually existed. Here it’s a game of delaying that basic recognition of another human being’s humanness as long as possible.

2 Likes

nothing there either. I did the unlock process and typed what riddim suggested and am back online now

3 Likes