<div dir="ltr">Hi<div><br></div><div>I've implemented following mitigations:</div><div>* limit memory in queues. For my system that's a safe yet large enough setting (2gb system mem, current usage around 320mb).</div><div> MaxMemInQueues 768 MB</div><div><br></div><div>* connlimit: both count & rate. Although, based on observations, only the rate limit is actually being hit, and then only for the reported suspect networks (see below on counts per /24).</div><div><br></div><div> -A INPUT -p tcp -m multiport --dports 9080,9443 -m connlimit --connlimit-upto 360 --connlimit-mask 24 -m hashlimit --hashlimit-upto</div><div>20/second --hashlimit-mode srcip --hashlimit-srcmask 24 --hashlimit-name mask24 -j ACCEPT</div><div><br></div><div>With these settings, there are no stability issues.<br></div><div><br></div><div>Regards</div><div><br></div><div><br></div><div>Frequent offenders of rate limit are (to name a few):</div><div><div>37.48.86.*<br></div><div>51.15.161.*</div><div>95.211.95.*</div><div>212.32.226.*</div><div>199.115.112.*<br></div><div>213.227.137.*</div><div>54.36.51.*<br></div></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, 21 Dec 2017 at 21:21 mick <<a href="mailto:mbm@rlogin.net">mbm@rlogin.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Wed, 20 Dec 2017 17:22:54 +0100<br>
<a href="mailto:fcornu@wardsback.org" target="_blank">fcornu@wardsback.org</a> allegedly wrote:<br>
<br>
> Hi<br>
><br>
> I'm the happy maintainer of wardsback :<br>
> B143D439B72D239A419F8DCE07B8A8EB1B486FA7<br>
<br>
And I run 0xbaddad - EA8637EA746451C0680559FDFF34ABA54DDAE831 a guard<br>
(though whether it stays a guard depends. It keeps falling over.)<br>
><br>
> As many of us have noticed, many guard nodes are beeing abused by<br>
> extremely high numbers of connection attempts.<br>
> Thanks to some of you guys, I manged to put some mitigation in place<br>
> [0] and I assume many of us did as well.<br>
<br>
I'm still looking at mitigation. I'd rather not add iptables filter<br>
rules because it feels like the wrong thing to do (I might hurt<br>
legitimate connections) and at the wrong end of the stack. I'd prefer<br>
there to be mitigations available at the application end (Tor itself).<br>
But realistically I know that that is difficult and the Tor developer<br>
team are still working hard at this problem. (As an aside, I'd be very<br>
grateful for any feedback from other relay operators who /have/ added<br>
iptables "connlimit" rules. What is your view either way?)<br>
<br>
I'm only sticking my head above the parapet now to note what I am<br>
seeing.<br>
<br>
So: My logs show Tor staying up for around 10 minutes at a time before<br>
rebooting with the following sort of entries:<br>
<br>
Dec 21 16:25:44.000 [notice] Performing bandwidth self-test...done.<br>
Dec 21 16:35:20.000 [notice] Tor 0.3.1.9 (git-df96a13e9155c7bf) opening<br>
log file. Dec 21 16:35:20.946 [notice] Tor 0.3.1.9<br>
(git-df96a13e9155c7bf) running on Linux with Libevent 2.0.21-stable,<br>
OpenSSL 1.1.0f, Zlib 1.2.8, Liblzma 5.2.2, and Libzstd 1.1.2. Dec 21<br>
16:35:20.947 [notice] Tor can't help you if you use it wrong! Learn how<br>
to be safe at <a href="https://www.torproject.org/download/download#warning" rel="noreferrer" target="_blank">https://www.torproject.org/download/download#warning</a> Dec<br>
21 16:35:20.947 [notice] Read configuration file<br>
"/usr/share/tor/tor-service-defaults-torrc". Dec 21 16:35:20.947<br>
[notice] Read configuration file "/etc/tor/torrc". Dec 21 16:35:20.951<br>
[notice] Based on detected system memory, MaxMemInQueues is set to 369<br>
MB. You can override this by setting MaxMemInQueues by hand. Dec 21<br>
16:35:20.952 [notice] Opening Control listener on <a href="http://127.0.0.1:9051" rel="noreferrer" target="_blank">127.0.0.1:9051</a> Dec 21<br>
16:35:20.953 [notice] Opening OR listener on <a href="http://0.0.0.0:9001" rel="noreferrer" target="_blank">0.0.0.0:9001</a> Dec 21<br>
16:35:20.000 [notice] Not disabling debugger attaching for unprivileged<br>
users. Dec 21 16:35:21.000 [notice] Parsing GEOIP IPv4<br>
file /usr/share/tor/geoip. Dec 21 16:35:21.000 [notice] Parsing GEOIP<br>
IPv6 file /usr/share/tor/geoip6. Dec 21 16:35:22.000 [notice]<br>
Configured to measure statistics. Look for the *-stats files that will<br>
first be written to the data directory in 24 hours from now. Dec 21<br>
16:35:22.000 [notice] Your Tor server's identity key fingerprint is<br>
'0xbaddad EA8637EA746451C0680559FDFF34ABA54DDAE831' Dec 21 16:35:22.000<br>
[notice] Bootstrapped 0%: Starting Dec 21 16:35:31.000 [notice]<br>
Starting with guard context "default" Dec 21 16:35:31.000 [notice]<br>
Bootstrapped 80%: Connecting to the Tor network Dec 21 16:35:31.000<br>
[notice] Signaled readiness to systemd Dec 21 16:35:31.000 [notice]<br>
Opening Control listener on /var/run/tor/control Dec 21 16:35:31.000<br>
[notice] Bootstrapped 85%: Finishing handshake with first hop Dec 21<br>
16:35:32.000 [warn] Problem bootstrapping. Stuck at 85%: Finishing<br>
handshake with first hop. (Connection refused; CONNECTREFUSED; count<br>
10; recommendation warn; host CD14AE63A02686BAE838A8079449B480801A8A5F<br>
at <a href="http://195.181.208.180:443" rel="noreferrer" target="_blank">195.181.208.180:443</a>) Dec 21 16:35:32.000 [warn] 9 connections have<br>
failed: Dec 21 16:35:32.000 [warn] 9 connections died in state<br>
connect()ing with SSL state (No SSL object) Dec 21 16:35:32.000 [warn]<br>
Problem bootstrapping. Stuck at 85%: Finishing handshake with first<br>
hop. (Connection refused; CONNECTREFUSED; count 11; recommendation<br>
warn; host 500FE4D6B529855A2F95A0CB34F2A10D5889E8C1 at<br>
<a href="http://134.19.177.109:443" rel="noreferrer" target="_blank">134.19.177.109:443</a>) Dec 21 16:35:32.000 [warn] 10 connections have<br>
failed: Dec 21 16:35:32.000 [warn] 10 connections died in state<br>
connect()ing with SSL state (No SSL object) Dec 21 16:35:32.000 [warn]<br>
Problem bootstrapping. Stuck at 85%: Finishing handshake with first<br>
hop. (Connection refused; CONNECTREFUSED; count 12; recommendation<br>
warn; host 3DE7762DD6165FD70C74BD02A6589C8C0C1B020A at<br>
<a href="http://62.210.76.88:9001" rel="noreferrer" target="_blank">62.210.76.88:9001</a>) Dec 21 16:35:32.000 [warn] 11 connections have<br>
failed: Dec 21 16:35:32.000 [warn] 11 connections died in state<br>
connect()ing with SSL state (No SSL object) Dec 21 16:35:32.000 [warn]<br>
Problem bootstrapping. Stuck at 85%: Finishing handshake with first<br>
hop. (Connection refused; CONNECTREFUSED; count 13; recommendation<br>
warn; host 03DC081E4409631006EFCD3AF13AFAAF2B553FFC at<br>
<a href="http://185.32.221.201:443" rel="noreferrer" target="_blank">185.32.221.201:443</a>) Dec 21 16:35:32.000 [warn] 12 connections have<br>
failed: Dec 21 16:35:32.000 [warn] 12 connections died in state<br>
connect()ing with SSL state (No SSL object) Dec 21 16:35:32.000 [warn]<br>
Problem bootstrapping. Stuck at 85%: Finishing handshake with first<br>
hop. (Connection refused; CONNECTREFUSED; count 14; recommendation<br>
warn; host 51939625169E2C7E0DC83D38BAE628BDE67E9A22 at<br>
<a href="http://109.236.90.209:443" rel="noreferrer" target="_blank">109.236.90.209:443</a>) Dec 21 16:35:32.000 [warn] 13 connections have<br>
failed: Dec 21 16:35:32.000 [warn] 13 connections died in state<br>
connect()ing with SSL state (No SSL object) Dec 21 16:35:32.000 [warn]<br>
Problem bootstrapping. Stuck at 85%: Finishing handshake with first<br>
hop. (Connection refused; CONNECTREFUSED; count 15; recommendation<br>
warn; host 500FE4D6B529855A2F95A0CB34F2A10D5889E8C1 at<br>
<a href="http://134.19.177.109:443" rel="noreferrer" target="_blank">134.19.177.109:443</a>) Dec 21 16:35:32.000 [warn] 14 connections have<br>
failed: Dec 21 16:35:32.000 [warn] 14 connections died in state<br>
connect()ing with SSL state (No SSL object) Dec 21 16:35:32.000 [warn]<br>
Problem bootstrapping. Stuck at 85%: Finishing handshake with first<br>
hop. (Connection refused; CONNECTREFUSED; count 16; recommendation<br>
warn; host 03DC081E4409631006EFCD3AF13AFAAF2B553FFC at<br>
<a href="http://185.32.221.201:443" rel="noreferrer" target="_blank">185.32.221.201:443</a>) Dec 21 16:35:32.000 [warn] 15 connections have<br>
failed: Dec 21 16:35:32.000 [warn] 15 connections died in state<br>
connect()ing with SSL state (No SSL object) Dec 21 16:35:32.000<br>
[notice] Bootstrapped 90%: Establishing a Tor circuit Dec 21<br>
16:35:33.000 [warn] Problem bootstrapping. Stuck at 90%: Establishing a<br>
Tor circuit. (Connection refused; CONNECTREFUSED; count 17;<br>
recommendation warn; host 1FA8F638298645BE58AC905276680889CB795A94 at<br>
<a href="http://185.129.249.124:9001" rel="noreferrer" target="_blank">185.129.249.124:9001</a>) Dec 21 16:35:33.000 [warn] 16 connections have<br>
failed: Dec 21 16:35:33.000 [warn] 16 connections died in state<br>
connect()ing with SSL state (No SSL object) Dec 21 16:35:33.000 [warn]<br>
Problem bootstrapping. Stuck at 90%: Establishing a Tor circuit.<br>
(Connection refused; CONNECTREFUSED; count 18; recommendation warn;<br>
host DAC825BBF05D678ABDEA1C3086E8D99CF0BBF112 at <a href="http://185.73.220.8:443" rel="noreferrer" target="_blank">185.73.220.8:443</a>) Dec<br>
21 16:35:33.000 [warn] 17 connections have failed: Dec 21 16:35:33.000<br>
[warn] 17 connections died in state connect()ing with SSL state (No<br>
SSL object) Dec 21 16:35:33.000 [notice] Tor has successfully opened a<br>
circuit. Looks like client functionality is working. Dec 21<br>
16:35:33.000 [notice] Bootstrapped 100%: Done<br>
<br>
So - I get loads of CONNECTREFUSED whilst coming up (presumably because<br>
of the attack) and then come fully back online. "netstat" then shows my<br>
connections rising rapidly to around the 10,000-11,000 "ESTABLISHED"<br>
mark before it all goes wrong again.<br>
<br>
As others have noted I see multiple connections from OVH (netblock<br>
54.36.51/24 (around 1200, when I normally only see a max of 200 or so<br>
per /24, and a more normal dozen or so per /24). The next largest,<br>
at around 700-800 is 144.76.175/24 (Hetzner Online). I don't recall<br>
seeing that level of connections in the past.<br>
<br>
If anyone wants more info, let me know.<br>
<br>
Best<br>
<br>
Mick<br>
<br>
---------------------------------------------------------------------<br>
Mick Morgan<br>
gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312<br>
<a href="http://baldric.net" rel="noreferrer" target="_blank">http://baldric.net</a><br>
<br>
---------------------------------------------------------------------<br>
<br>
_______________________________________________<br>
tor-relays mailing list<br>
<a href="mailto:tor-relays@lists.torproject.org" target="_blank">tor-relays@lists.torproject.org</a><br>
<a href="https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays" rel="noreferrer" target="_blank">https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays</a><br>
</blockquote></div>