[tor-relays] Recent wave of abuse on Tor guards

Stijn Jonker sjcjonker at sjc.nl
Fri Dec 22 16:37:50 UTC 2017


All,

Just adding 0.02c; from the hosts going above 24 connections (my FW 
limit), the ASNs involved seem to focus on:
    5  LEASEWEB-USA-WDC-01 - Leaseweb USA, Inc., US
   18  OVH, FR
   25  LEASEWEB-NL-AMS-01 Netherlands, NL

That's 48 of the 72 IPs exhibiting this behaviour, whereby the 
leaseweb ones are consecutive IPs.

Careful not to share IPs here :-)

All seen from the perspective of SJC01 / 
328E54981C6DDD7D89B89E418724A4A7881E3192

Stijn

On 22 Dec 2017, at 16:49, Pascal Terjan wrote:

> I also got 17 from ovh (under ip-54-36-51.eu) and plenty of
> leaseweb.com (didn't count) too, but no your-server.de
>
> The OVH ones were interestingly 2 (nearby) consecutive blocks of 4 and
> 13 IPs (and are not relays)
>
>
> On 22 December 2017 at 15:23, Tyler Johnson <tylrcjhnsn at gmail.com> 
> wrote:
>> Every IP I was checking through Atlas which are part of the mentioned 
>> hosts
>> were NOT relays, all client connections.
>>
>> On Dec 22, 2017 9:20 AM, "niftybunny" <abuse at to-surf-and-protect.net> 
>> wrote:
>>>
>>> That's “only” “relays” with multiple connections to your 
>>> relay?
>>> Interesting to see Hetzner there …
>>>
>>> Markus
>>>
>>>
>>> On 22. Dec 2017, at 16:14, Tyler Johnson <tylrcjhnsn at gmail.com> 
>>> wrote:
>>>
>>> Out of 133 IPs blocked with my rather aggressive firewall ruleset:
>>>
>>> leaseweb.com - 26
>>> your-server.de - 66
>>> ip-54-36-51.eu - 17
>>>
>>> That was in < 24hrs.
>>>
>>> On Dec 22, 2017 3:38 AM, "niftybunny" 
>>> <abuse at to-surf-and-protect.net>
>>> wrote:
>>>>
>>>> Short answer:
>>>>
>>>> https://i.imgur.com/8QLptcz.png
>>>>
>>>> Around 15000 - 18000 connections I can see with netstat. Even my 
>>>> 300 mbit
>>>> exit has less and there are a lot of Leaseweb clients connecting to 
>>>> me ...
>>>> The interesting thing is, it comes and goes in waves. From 6000 
>>>> (normal)
>>>> to 20000 connections within an hour.
>>>> Someone doesn't like me very much :(
>>>>
>>>> Markus
>>>>
>>>>
>>>>
>>>> On 22. Dec 2017, at 08:42, Felix <zwiebel at quantentunnel.de> wrote:
>>>>
>>>> On 22-Dec-17 at 08:25 niftybunny wrote:
>>>>
>>>> Still under heavy attack even with the MaxMemInQueues and 
>>>> 0.3.2.8-rc. I
>>>> need 2 xeons to push 30 mbit as a guard/middle …
>>>>
>>>>
>>>> Do you want to share some information:
>>>>
>>>> Type i)
>>>> (memory exhaustion by too many circuits)
>>>> What is the memory (top) per tor and its MaxMemInQueues ?
>>>> How many circuits per hour in log ?
>>>>
>>>> Type ii)
>>>> (cpu exhaustion by too many 'half open' tor connections)
>>>> Is your number of open files normal (fw in place) and moderate
>>>> connection counts per remote IP ?
>>>>
>>>> Type iii)
>>>> (One fills your server with too many long fat pipes, first ACK and 
>>>> RTT)
>>>> If on FreeBSD, is "mbuf clusters in use" (netstat -m) moderate ?
>>>> Do you get "kern.ipc.nmbclusters limit reached" in messages ?
>>>>
>>>> --
>>>> Cheers, Felix

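Added example (not from the thread or any of its posters): a small POSIX shell/awk script that does the kind of per-remote-IP tally Stijn's 24-connection firewall limit and Felix's "connection counts per remote IP" question refer to, and additionally groups peers by /24 so the consecutive-address blocks Pascal and Stijn describe stand out even when each single host stays under the per-IP limit. It assumes the connection table is in `ss -tn state established` format, uses constructed RFC 5737 sample addresses and a demo limit of 2 instead of 24, and handles IPv4 peers only.

```shell
#!/bin/sh
# Constructed sample in `ss -tn state established` layout: the relay's ORPort
# is 192.0.2.10:9001, peers are documentation addresses (not real hosts).
SAMPLE='Recv-Q Send-Q Local Address:Port Peer Address:Port
0      0      192.0.2.10:9001    203.0.113.5:41022
0      0      192.0.2.10:9001    203.0.113.5:41023
0      0      192.0.2.10:9001    203.0.113.5:41024
0      0      192.0.2.10:9001    203.0.113.6:50311
0      0      192.0.2.10:9001    203.0.113.7:50312
0      0      192.0.2.10:9001    203.0.113.8:50313
0      0      192.0.2.10:9001    198.51.100.77:6002
0      0      192.0.2.10:9001    198.51.100.77:6003'

# flag_heavy_peers LIMIT  (stdin: ss output)
# Prints "count ip" for every peer with more than LIMIT connections, busiest first.
flag_heavy_peers() {
    awk -v limit="$1" '
        NR == 1 { next }                          # skip the header line
        { peer = $4; sub(/:[0-9]+$/, "", peer); n[peer]++ }   # drop remote port
        END { for (p in n) if (n[p] > limit) printf "%d %s\n", n[p], p }
    ' | sort -rn
}

# flag_heavy_prefixes MINHOSTS  (stdin: ss output)
# Prints "distinct_hosts connections prefix/24" for every /24 contributing at
# least MINHOSTS distinct peers; this is what exposes consecutive-IP blocks
# whose individual members each stay below the per-IP limit.
flag_heavy_prefixes() {
    awk -v minhosts="$1" '
        NR == 1 { next }
        {
            peer = $4; sub(/:[0-9]+$/, "", peer)
            split(peer, o, ".")
            pfx = o[1] "." o[2] "." o[3] ".0/24"
            if (!(peer in seen)) { seen[peer] = 1; hosts[pfx]++ }
            conns[pfx]++
        }
        END {
            for (p in hosts)
                if (hosts[p] >= minhosts) printf "%d %d %s\n", hosts[p], conns[p], p
        }
    ' | sort -rn
}

# Demo run on the constructed sample (replace with a live `ss` pipe on a relay).
printf '%s\n' "$SAMPLE" | flag_heavy_peers 2
printf '%s\n' "$SAMPLE" | flag_heavy_prefixes 3
```

On a live Linux relay the two functions would be fed with `ss -tn state established '( sport = :9001 )'` (adjust the ORPort), with the limit raised to whatever the firewall rule uses.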