<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <div class="moz-cite-prefix">Hi, yes, I think there is a form of
      DDoS happening, but I'm not sure. For example, sampling one of my
      relays shows ~150 IPs that are not relays with over 14 connections
      currently. I don't think that amount of connections from a single
      IP makes a lot of sense.</div>
    <div class="moz-cite-prefix"><br>
    </div>
    <div class="moz-cite-prefix">I will say, however, I'm not getting
      overloaded as bad compared to last year/late 2022, or I don't
      think I am at least. Banning IPs that appear to be spamming
      `connect()` helps a bit. Banning malformed TCP segments also
      helps a bit (think impossible combinations of TCP flags for
      example).<br>
    </div>
    <div class="moz-cite-prefix"><br>
    </div>
    <div class="moz-cite-prefix">On 5/16/2024 2:39 PM, koizoi via
      tor-relays wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:hzinZjPXHQPmKU7zKdD36FPfEhiue_YOIlbOb-1KEYGZBvRAmLsX7Oedak52VVn7q1yPVEO8-tYrWKP5505Q9ijvQWnpAjp4RwvgvBM1KzU=@proton.me">
      <div style="font-family: Arial, sans-serif; font-size: 14px;">For
        several weeks now, users have been complaining (see <span><a
            target="_blank" rel="noreferrer nofollow noopener"
href="https://www.reddit.com/r/TOR/comments/1cnmsdz/tor_extremely_slow_lately/"
            moz-do-not-send="true" class="moz-txt-link-freetext">https://www.reddit.com/r/TOR/comments/1cnmsdz/tor_extremely_slow_lately/</a></span>, <span><a
            target="_blank" rel="noreferrer nofollow noopener"
href="https://forum.torproject.org/t/is-there-currently-a-major-ddos-affecting-the-networks-availability/12492"
            moz-do-not-send="true" class="moz-txt-link-freetext">https://forum.torproject.org/t/is-there-currently-a-major-ddos-affecting-the-networks-availability/12492</a></span>,
        etc.) about degraded performance (slow speeds, timeouts) when
        using Tor, both to access v3 onion sites and clearnet websites.
        In my personal experience, most v3 onion services are responding
        so slowly that they're completely unusable.<br>
      </div>
      <div style="font-family: Arial, sans-serif; font-size: 14px;"><br>
      </div>
      <div style="font-family: Arial, sans-serif; font-size: 14px;">It
        turns out that it's not just people's imaginations; looking at
        charts on metrics.torproject.org, it can be seen that the time
        to complete a 5MiB request over Tor has increased substantially
        (<span><a target="_blank" rel="noreferrer nofollow noopener"
            href="https://ibb.co/tp1CHdh" moz-do-not-send="true"
            class="moz-txt-link-freetext">https://ibb.co/tp1CHdh</a></span>).
        All of this is very reminiscent of the large scale DDoS that
        affected Tor relay nodes in 2022-2023.<br>
      </div>
      <div style="font-family: Arial, sans-serif; font-size: 14px;"><br>
      </div>
      <div style="font-family: Arial, sans-serif; font-size: 14px;">Tor
        relay operators have reported "attacks" on their relays, but
        there haven't been many details about what kind of attacks are
        taking place, other than some people saying that they have been
        TCP SYN flooded. But (to me, anyway) SYN flooding doesn't really
        make a lot of sense as there are so many Tor relay nodes that
        would need to be attacked (and misconfigured to allow a SYN
        flood attack to work), and even if it were a SYN flood, that
        would cause different behavior than what users have been seeing
        (preventing connections to the Tor network rather than slowing
        them down).<br>
      </div>
      <div style="font-family: Arial, sans-serif; font-size: 14px;"><br>
      </div>
      <div style="font-family: Arial, sans-serif; font-size: 14px;">I
        understand that DDoS attacks on the Tor network might be kind of
        a touchy subject, but it would be good if we could get some
        information from the project leadership as to what's going on,
        what is being done about it, and what Tor relay operators can do
        to help prevent attacks like these from happening.</div>
      <div style="font-family: Arial, sans-serif; font-size: 14px;"><br>
      </div>
      <div style="font-family: Arial, sans-serif; font-size: 14px;">Thanks
        <br>
      </div>
      <div style="font-family: Arial, sans-serif; font-size: 14px;"><br>
      </div>
    </blockquote>
    <p><br>
    </p>
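    <p>The two checks mentioned in the reply above (non-relay IPs holding
      more than 14 connections, and TCP segments with impossible flag
      combinations), as an added example that is not code from either
      poster. Assumptions: the ORPort is 9001, the operator supplies a
      list of current relay addresses, the input has the shape of
      <code>ss -tn</code> output, and the set of flag combinations
      treated as invalid is one commonly used choice.</p>

```python
import ipaddress
from collections import Counter

THRESHOLD = 14  # the reply flags non-relay IPs with "over 14 connections"
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, port = endpoint.rsplit(":", 1)
    return ipaddress.ip_address(host.strip("[]")), int(port)

def heavy_non_relay_peers(ss_lines, or_port, relay_ips, threshold=THRESHOLD):
    """Return {peer_ip: count} for peers that are not known relays and hold
    more than `threshold` established connections to our ORPort."""
    relays = {ipaddress.ip_address(ip) for ip in relay_ips}
    counts = Counter()
    for line in ss_lines:
        # Local and peer endpoints are the first two fields containing ':'.
        endpoints = [f for f in line.split() if ":" in f]
        if len(endpoints) < 2:
            continue
        try:
            (_, lport), (peer, _) = map(split_endpoint, endpoints[:2])
        except ValueError:
            continue  # header line or anything else that is not addr:port
        if lport == or_port and peer not in relays:
            counts[peer] += 1
    return {str(ip): n for ip, n in counts.items() if n > threshold}

def impossible_flags(flags):
    """True for flag combinations a conforming TCP stack does not send
    (assumed set: null, SYN+FIN, SYN+RST, FIN+RST, FIN/PSH/URG without ACK)."""
    flags &= 0x3F
    if flags == 0:
        return True
    if flags & SYN and flags & (FIN | RST):
        return True
    if flags & FIN and flags & RST:
        return True
    return bool(flags & (FIN | PSH | URG)) and not flags & ACK

def constructed_sample():
    """Constructed `ss -tn`-shaped lines using documentation addresses only."""
    def conns(peer, n, lport=9001):
        return [f"ESTAB 0 0 192.0.2.1:{lport} {peer}:{40000 + i}" for i in range(n)]
    return (["State Recv-Q Send-Q Local Address:Port Peer Address:Port"]
            + conns("198.51.100.7", 15)   # non-relay, over the threshold
            + conns("203.0.113.9", 14)    # non-relay, exactly at the threshold
            + conns("192.0.2.10", 40))    # listed as a relay, so ignored
```

    <p>On the constructed sample only 198.51.100.7 is reported: the peer
      with exactly 14 connections is not "over 14", and the relay is
      excluded regardless of its count.</p>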
  </body>
</html>