<div dir="ltr"><div><div><div><div><div><div>I think you misinterpreted what I was saying or I didn't explain it well enough. Tor utilizing 100% CPU usage is only normal if you are pushing a LOT of bits. In this case, you probably have a system misconfiguration somewhere (nothing to do with Tor's configuration, torrc).<br><br></div>>"Nor, the adresses of the inbound traffic were from different adresses."<br></div>Yes, that's expected. You're getting connections from the Tor network. <br></div>>"I thought that it was not possible to force traffic through a specific predefined route in Tor"<br></div>It isn't possible. I believe I said so, or implied it. The only way to do this would be through an attack on the Tor network in general. <br><br>>"Is it possible to flood the tor port directly with for example syn floods?"<br></div>Through the Tor network, no, that's impossible. TCP relies on a 3-way-handshake which means that every connection between relays will have to be complete; therefore, in order to connect to your relay, a complete connection will have to be made. I hope this makes sense, if not, I can elaborate a bit more. <br><br>However, if someone has a hold of your IP, they can run a portscanner and then determine your relay port (which is on the internet for all to see.) Therefore, you can be attacked, but not through the Tor network. <br><br>>"If yes; is there an iptables rule which will reduce the amount of connection kept in the syn state?"<br></div><div>First of all, no. And second, that's not how you deal with a SYN flood. If that rule was implemented, it would just be easier to take your port offline.<br></div><div><br><br>I highly doubt you are under attack. Almost certainly a misconfiguration of some sort. Have you tried the recommendations that others have given relating to your file descriptors?<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Dec 4, 2014 at 1:40 AM, <span dir="ltr"><<a href="mailto:webmaster@defcon-cc.dyndns.org" target="_blank">webmaster@defcon-cc.dyndns.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Ok,<br>
<br>
i will reject this as a normal behavior of tor. My flags are actually:<br>
<br>
HSDir, Running, V2Dir, Valid<br>
<br>
To point 2.: Nor, the adresses of the inbound traffic were from different<br>
adresses.<br>
I thought that it is not possible to force the traffic through a defined<br>
route because form<br>
my knowledge the route is build by the network. Sometimes I'm using my Tor<br>
Server as a Proxy for my local http traffic. I think this is the only case<br>
where i can force my route to use my server as a entry node.<br>
<br>
Is it possible to flood the tor port directly with for example syn floods?<br>
<br>
If yes; is there an iptables rule which will reduce the amount of<br>
connection kept in the syn state?<br>
<br>
My Tor Info:<br>
<a href="https://globe.torproject.org/#/relay/C54E81EB047D7EC1E05B0AC6E723BE1BF5CAF520" target="_blank">https://globe.torproject.org/#/relay/C54E81EB047D7EC1E05B0AC6E723BE1BF5CAF520</a><br>
<br>
Thanks for the reply<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
<br>
> Hey bud,<br>
> Your adsl connection has a low advertised bandwidth, and doesn't make many<br>
> connections with regards to tor; thus, the CPU usage is correct. Look up<br>
> your server's fingerprint or nickname on Tor Globe to see how much of the<br>
> tor network travels through your server.<br>
> CPU load is usually associated with a lot of bandwidth or a inefficiency<br>
> in the server. I've heard that a 100mbit tor server using full 12.5MB/s<br>
> up/down will saturate the core dedicated to the Tor process; this is<br>
> presumably why a lot of servers run multiple Tor instances on different<br>
> cores and IP addresses. However, in your case, it is likely<br>
> The large amount of connections is generally caused by a few things:<br>
> 1. You've been running a very stable server for a long period of time and<br>
> have sufficient bandwidth to provide connectivity for a large number of<br>
> clients; additional flags, such as Guard, HSDir, V2Dir, and Exit will<br>
> likely result in more connections. This is not likely with your server,<br>
> given your advertised bandwidth is only 68.44kb/s.<br>
> 2. A single client is using your server for a lot of connections.<br>
> 3. An anomaly/attack in the Tor network (somewhat unlikely, I don't know<br>
> if any have been documented.)<br>
> 4. An attack against your server. This is very hard to do through the Tor<br>
> network; an attack against a Tor relay using Tor is an attack against all<br>
> Tor relays. HOWEVER, they could be attacking your port which you use to<br>
> host your tor server.<br>
> Just for reference, here's my tor stats:<br>
> Advertised B/W: ~4MB/s<br>
> Connections (555 inbound, 5 outbound, 93 exit, 1 socks, 5 circuit, 1<br>
> control)<br>
> Tor is averaging 9%-13% CPU usage; 198MB memory.<br>
> More info on my server:<br>
> <a href="https://globe.torproject.org/#/relay/EF84089646304169F439A8F473742D74F027BA1B" target="_blank">https://globe.torproject.org/#/relay/EF84089646304169F439A8F473742D74F027BA1B</a><br>
> <a href="https://globe.torproject.org/#/relay/EF84089646304169F439A8F473742D74F027BA1B" target="_blank">https://globe.torproject.org/#/relay/EF84089646304169F439A8F473742D74F027BA1B</a><br>
> I hope this answered your question, if not, send a reply and hopefully<br>
> I'll reply sometime.<br>
<br>
<br>
</div></div><div class="HOEnZb"><div class="h5">_______________________________________________<br>
tor-relays mailing list<br>
<a href="mailto:tor-relays@lists.torproject.org">tor-relays@lists.torproject.org</a><br>
<a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays" target="_blank">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays</a><br>
</div></div></blockquote></div><br></div>