<div dir="auto"><div><br><div class="gmail_extra"><br><div class="gmail_quote">On 28 Jul 2017 6:59 am, "Roger Dingledine" <<a href="mailto:arma@mit.edu">arma@mit.edu</a>> wrote:<br type="attribution"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="quoted-text">On Thu, Jul 27, 2017 at 08:48:35PM +0300, Vort wrote:<br>
> > This sort of thing has been going on for many years. I used to refer<br>
> > to it as "mobbing". As nearly as I was ever able to determine, the behavior<br>
> > is an unintended consequence of hidden services.<br>
><br>
> Same thing started to happen today and I have noticed that 100% CPU<br>
> usage spikes happens every hour and lasts for several minutes.<br>
> During this spikes, all cores of CPU are used and stack trace points<br>
> somewhere at worker_thread_main() function.<br>
> Also today relay have more connections than usually (5500 vs 2000-3000).<br>
> Is this pattern matches the characteristics of hidden services work?<br>
<br>
</div>Yes. Your relay is getting way more circuit create attempts than it<br>
usually does, and all your signs point to the "HSDir hotspot"<br>
phenomenon.<br>
<br>
Each onion service has six relays each day that serve as the place for<br>
fetching its onion descriptor, and some onion services are super popular<br>
(for example, back in the day, the August 2013 botnet used an onion<br>
service for coordinating its millions of bots).<br>
<br>
Tor isn't great at parallelizing all of its crypto, but it is good at<br>
parallelizing the circuit handshakes, which would be why all of your<br>
cores are being used.<br></blockquote></div></div></div><div dir="auto"><br></div><div dir="auto">Thanks, that's useful information.</div><div dir="auto">Most of my relays have several cores and only use one, the one where I saw the problem was a 1 core VPS.</div><div dir="auto">So a way to handle this problem better for me would be to upgrade my single core relays.</div><div dir="auto"><br></div><div dir="auto"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
And clients building paths to your relay will use a variety of middle<br>
hops, meaning more relays than usual will have made a direct connection<br>
to your relay lately.<br>
<br>
If there's one super popular onion service, then 6/3719 = ~0.16% of the<br>
relays will feel the pain on any given day. More than one super popular<br>
onion service would make that number go up.<br>
<br>
One fix would be to raise the bar for getting the HSDir flag, so relays<br>
with the flag are better able to handle the phenomenon. But shrinking the<br>
total number of HSDir relays can make other attacks easier. Another fix<br>
would be to spread the load for each onion service, or maybe for popular<br>
onion services, over more than six relays. But that would open up more<br>
surface area for attacks to e.g. measure popularity of an onion service.<br>
I think there is not an easy fix.<br>
<font color="#888888"><br>
--Roger<br>
</font><div class="elided-text"><br>
______________________________<wbr>_________________<br>
tor-relays mailing list<br>
<a href="mailto:tor-relays@lists.torproject.org">tor-relays@lists.torproject.<wbr>org</a><br>
<a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays" rel="noreferrer" target="_blank">https://lists.torproject.org/<wbr>cgi-bin/mailman/listinfo/tor-<wbr>relays</a><br>
</div></blockquote></div><br></div></div></div>