My guess is that a certain router is getting infected with a botnet because ISPs usually hand out the same router to their customers. And ISPs are usually limited to a single country.
That would be an explanation and probably, by Occam's razor, the more likely one. But wouldn't that ISP notice such a drastic difference in traffic patterns and react? It is just unlikely (but far from impossible) that this is something 'normal' happening.
My fear would be that someone is still trying to gather a critical mass of nodes to contact control servers via Tor to cause mass havoc in a single country from within a single country. Generally, IMHO, Germany would be a good target for destabilisation currently. But I think and hope this could just be a bit of overinterpretation. Probably one would need a good statistic on the subnets the users come from.
I can't speak to German ISPs or anyone outside of the USA. But I believe that ISPs are absolutely the weakest link when it comes to malicious botnets and other types of widespread network-based compromises.
ISPs certainly have the tooling and the positioning to be able to detect C&C channels, outgoing DDoS attacks, and compromised customer premises equipment. But do they? And if they do detect any of it, do they take action? When is the last time you heard about an ISP disconnecting a paying customer because of the customer's compromised device(s)? When is the last time you even heard of an ISP notifying a customer about such a thing?
Two months ago, my router was compromised and joined to some sort of botnet in the capacity of a DNS resolver. I would never have been able to detect such WAN-side traffic if I hadn't had a special setup on my part. My ISP was the first to hear when I'd detected it, and I sincerely doubt that they receive many such reports, especially with logs as evidence.
Can you imagine receiving a phone call, "Hello, this is your ISP! You're pwned! Please follow through these remediation steps as I prompt you: ..." You'd undoubtedly think it was a phishing scam. Because ISPs just don't seem to care about abuse.
They will send you copyright strikes and prosecute you for BitTorrent, but it doesn't seem like they'd lift a finger to prevent the next big DDoS or spam factory originating from their own customers.
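The "router as a DNS resolver" case mentioned above is what a WAN-side capture would reveal: queries arriving at the router's public address from hosts that are not on the LAN, and the router answering them. The following is an added example, not code from the original post, that runs that check over constructed tcpdump-style lines. It assumes a router WAN address of 198.51.100.7 and a LAN of 192.168.1.0/24; the sample lines, including the large ANY responses, are made up to illustrate the amplification pattern.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of tcpdump-style lines as captured on a router's WAN side.
# Example data, not from the original post. Assumed: the router's WAN address
# is 198.51.100.7 and the home LAN is 192.168.1.0/24.
SAMPLE_WAN_LINES = """\
12:00:01.000001 IP 192.168.1.20.51000 > 198.51.100.7.53: 1001+ A? example.com. (29)
12:00:01.000900 IP 198.51.100.7.53 > 192.168.1.20.51000: 1001 1/0/0 A 93.184.216.34 (45)
12:00:02.100000 IP 203.0.113.45.40000 > 198.51.100.7.53: 2001+ ANY? isc.org. (25)
12:00:02.102000 IP 198.51.100.7.53 > 203.0.113.45.40000: 2001 27/0/0 ... (3124)
12:00:02.200000 IP 203.0.113.45.40001 > 198.51.100.7.53: 2002+ ANY? isc.org. (25)
12:00:02.202000 IP 198.51.100.7.53 > 203.0.113.45.40001: 2002 27/0/0 ... (3124)
12:00:03.000000 IP 192.0.2.9.33333 > 198.51.100.7.53: 3001+ A? example.org. (29)
12:00:03.001500 IP 198.51.100.7.53 > 192.0.2.9.33333: 3001 1/0/0 A 93.184.216.34 (45)
12:00:04.000000 IP 198.51.100.7.55555 > 8.8.8.8.53: 4001+ A? example.net. (29)
"""

# timestamp, src.port > dst.port: payload summary (length)
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): .* \((\d+)\)$"
)


def open_resolver_report(lines, router_ip, lan_nets):
    """Per-source statistics for DNS exchanged between the router and hosts that
    are neither on the LAN nor the router itself. The router's own upstream
    lookups (source port != 53) are deliberately ignored."""
    router = ipaddress.ip_address(router_ip)
    nets = [ipaddress.ip_network(n) for n in lan_nets]

    def is_external(addr):
        ip = ipaddress.ip_address(addr)
        return ip != router and not any(ip in n for n in nets)

    stats = defaultdict(lambda: {"queries": 0, "query_bytes": 0, "response_bytes": 0})
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, size = m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), int(m.group(5))
        if dst == router_ip and dport == 53 and is_external(src):
            # a query from the public Internet hitting the router's resolver
            stats[src]["queries"] += 1
            stats[src]["query_bytes"] += size
        elif src == router_ip and sport == 53 and is_external(dst):
            # the router answering that public host
            stats[dst]["response_bytes"] += size

    report = {}
    for ip, s in stats.items():
        # bytes out per byte in: the classic reflection/amplification ratio
        amp = s["response_bytes"] / s["query_bytes"] if s["query_bytes"] else float("inf")
        report[ip] = {**s, "amplification": round(amp, 1)}
    return report


def is_open_resolver(report):
    """True if the router answered at least one query from outside the LAN."""
    return any(s["response_bytes"] > 0 for s in report.values())


if __name__ == "__main__":
    rep = open_resolver_report(SAMPLE_WAN_LINES, "198.51.100.7", ["192.168.1.0/24"])
    for ip, s in sorted(rep.items()):
        print(ip, s)
    print("open resolver:", is_open_resolver(rep))
```

The LAN client's lookup is excluded, the router's own upstream query to 8.8.8.8 is excluded, and what remains is exactly the abuse a pcap would show: external hosts querying the router and the router answering, with ANY queries answered at roughly 125x amplification.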
My parents' home LAN got caught up in a botnet and their ISP was sending emails about it to their ISP-provided email address.
But it's possible they were just passing on abuse reports from the numerous targeted victims of this botnet who bothered to complain.
The intrusion point was a Linux system with a three-letter password and SSH exposed on a nonstandard port. So if you're someone who still thinks the bad guys won't find your computer because you changed the port, know that that is very outdated thinking.
I don't even know how to log in to my ISP-provided email, so it goes without saying that I'm not reading it. I'm surprised that ISPs still offer email.
In Germany, I doubt they have the tooling or staff anymore. For almost a decade we've been in a race to the bottom regarding pricing and, as a result, service quality. I wouldn't be surprised if critical parts of the infrastructure are maintained by outsourced jobs from halfway around the world.
The only somewhat professional player is Deutsche Telekom, which was kind of the Bell of Germany and got privatized in the 90s, when the phone network was also opened to other players. They are more expensive, though. Other than that, you might be lucky and have some small regional ISP that's competent enough. Otherwise there are just two other companies left that offer service nationwide, after a lot of mergers.
My ISP actually sent me an email that said that one of my devices has TCP port 445 open and advised me to fix it. Apparently Windows opens it by default and it can be exploited by some malware.
But I've never received a threatening letter about piracy. ISPs in my country simply don't send those.
My ISP will send letters or emails, but only if they get a complaint from the company in question. Usually what ends up happening is a company watches a torrent and takes down a list of all the IP addresses downloading it. They then send boilerplate complaints to the ISPs associated with said IP addresses, who are legally required to do something about it. My little brother got in trouble this way lmao, they sent a letter to our house about it.
Many ISPs have clauses in their TOS that prohibit running any server of any kind. So it may be the case that your ISP regularly runs sweeps to detect customers who are running servers, and this warning may be a side effect of that sweep.
I often used to poke holes in my firewall and run VPN or SSH servers that were discoverable using my dynamic DNS service. My ISP never got involved with that. Of course, that was a case of me running a server for my exclusive use, rather than some sort of public web or login server that would have randos sending traffic across my link.
> That would be an explanation and probably, by Occam's razor, the more likely one. But wouldn't that ISP notice such a drastic difference in traffic patterns and react?
I hope to be wrong but I am afraid you are overestimating the technical competency of the average ISP.
> My guess is that a certain router is getting infected with a botnet because ISPs usually hand out the same router to their customers.
This seems trivial to figure out with an analysis of the connecting IPs, which is absent from Tor's report page.
I'm also a bit confused why no one here on HN has asked about the connecting IP data (at this writing). Are these commercial IPs, dynamic (biz/residential) IPs or a mix? If they're mostly dynamic IPs, are they from more than one ISP?
Tor has country-of-origin data, so it seems reasonable they'd also have network of origin.
All that said, I don't precisely know how Tor determines country of origin. Entry node data would seem to be the likely source. However, I've long assumed that entry nodes are publicly supplied, like relay and exit nodes. Within that assumption it isn't clear to me how that data would flow to Tor while maintaining anonymization of traffic.
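The analysis asked for in this comment (and in the earlier wish for "a good statistic on the subnets the users come from") is a concentration check: map each connecting address to its network or ASN by longest-prefix match and see whether one operator dominates. The following is an added example, not code from Tor or from the original thread. The prefix-to-ASN table and the client addresses are constructed from RFC 5737 documentation ranges and reserved AS numbers; a real analysis would substitute a routing or whois dataset and the relay's actual client list.

```python
import ipaddress
from collections import Counter

# Constructed prefix-to-ASN table standing in for a real routing/whois dataset.
# Example data, not from the Tor metrics page: AS numbers from the documentation
# range, prefixes from RFC 5737 test networks.
PREFIX_TABLE = [
    ("198.51.0.0/16", "AS64500"),    # a large residential ISP allocation
    ("198.51.100.0/24", "AS64500"),  # more specific block inside it, same ISP
    ("203.0.113.0/24", "AS64501"),
    ("192.0.2.0/24", "AS64502"),
]

# Constructed sample of client addresses as a relay operator might see them.
SAMPLE_CLIENT_IPS = [
    "198.51.100.11", "198.51.100.12", "198.51.100.13", "198.51.100.14",
    "198.51.100.15", "198.51.100.16", "198.51.7.3",
    "203.0.113.8", "203.0.113.9",
    "192.0.2.200",
    "100.64.0.1",  # not covered by the table at all
]


def build_table(entries):
    """Parse the prefixes and order them longest-first so that the first
    covering prefix found is the most specific one."""
    parsed = [(ipaddress.ip_network(p), asn) for p, asn in entries]
    return sorted(parsed, key=lambda e: e[0].prefixlen, reverse=True)


def lookup_asn(ip, table):
    """Longest-prefix match; 'unknown' when no prefix covers the address."""
    addr = ipaddress.ip_address(ip)
    for net, asn in table:
        if addr in net:
            return asn
    return "unknown"


def summarize(ips, table):
    """Count clients per ASN and per /24, and report how much of the total the
    single largest ASN accounts for. An empty input yields an empty summary
    rather than a division by zero."""
    if not ips:
        return {"total": 0, "by_asn": Counter(), "by_prefix24": Counter(),
                "top_asn": None, "top_share": 0.0}
    by_asn = Counter(lookup_asn(ip, table) for ip in ips)
    by_prefix24 = Counter(
        str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ip in ips
    )
    top_asn, top_count = by_asn.most_common(1)[0]
    return {
        "total": len(ips),
        "by_asn": by_asn,
        "by_prefix24": by_prefix24,
        "top_asn": top_asn,
        "top_share": top_count / len(ips),
    }


if __name__ == "__main__":
    table = build_table(PREFIX_TABLE)
    s = summarize(SAMPLE_CLIENT_IPS, table)
    print("clients:", s["total"])
    print("by ASN:", dict(s["by_asn"]))
    print("by /24:", dict(s["by_prefix24"]))
    print(f"top ASN {s['top_asn']} holds {s['top_share']:.0%} of clients")
```

A single ASN holding well over half of a country's sudden client growth is the signature the "one ISP, one router model" hypothesis predicts; a spread across many ASNs would point elsewhere. Whether an address is dynamic residential or commercial cannot be read from a prefix table alone, so that question still needs per-ISP knowledge.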