@tor-relays:
Sorry for being quite noisy recently but I really need to know how
many people are suffering from the same madness I am encountering
right now.
Quick excerpt from the log:
...
Mar 22 09:48:10 <hostname_redacted> tor[pid_redacted]: Mar 22
09:48:10.000 [warn] Your computer is too slow to handle this many
circuit creation requests! Please consider using the
MaxAdvertisedBandwidth config option or choosing a more restricted
exit policy. [12420 similar message(s) suppressed in last 120 seconds]
Mar 22 09:49:10 <hostname_redacted> tor[pid_redacted]: Mar 22
09:49:10.000 [warn] Your computer is too slow to handle this many
circuit creation requests! Please consider using the
MaxAdvertisedBandwidth config option or choosing a more restricted
exit policy. [31764 similar message(s) suppressed in last 60 seconds]
Mar 22 09:50:10 <hostname_redacted> tor[pid_redacted]: Mar 22
09:50:10.000 [warn] Your computer is too slow to handle this many
circuit creation requests! Please consider using the
MaxAdvertisedBandwidth config option or choosing a more restricted
exit policy. [104748 similar message(s) suppressed in last 60 seconds]
Mar 22 09:51:10 <hostname_redacted> tor[pid_redacted]: Mar 22
09:51:10.000 [warn] Your computer is too slow to handle this many
circuit creation requests! Please consider using the
MaxAdvertisedBandwidth config option or choosing a more restricted
exit policy. [364165 similar message(s) suppressed in last 60 seconds]
Mar 22 09:52:10 <hostname_redacted> tor[pid_redacted]: Mar 22
09:52:10.000 [warn] Your computer is too slow to handle this many
circuit creation requests! Please consider using the
MaxAdvertisedBandwidth config option or choosing a more restricted
exit policy. [509474 similar message(s) suppressed in last 60 seconds]
Mar 22 09:53:10 <hostname_redacted> tor[pid_redacted]: Mar 22
09:53:10.000 [warn] Your computer is too slow to handle this many
circuit creation requests! Please consider using the
MaxAdvertisedBandwidth config option or choosing a more restricted
exit policy. [241332 similar message(s) suppressed in last 60 seconds]
...
This then goes on for a while, stopping at a few million suppressed
messages / circuit creation attempts.
Sorry, but 1 million circuit creation requests in just 5 minutes:
there is no way that this is legitimate behavior we are seeing. This
is also what was previously used to get my relay OOM-killed, but I
have fixed that, so the legitimate clients hopefully don't suffer too
much anymore.
If any other relay operators are encountering the same log entries or
behavior, please don't hesitate to reply.
Added tor-dev(a)lists.torproject.org as a CC as they might want to know
about this.
@tor-dev:
I suspect some kind of denial-of-service attack against onion services
or a more targeted attack against singular relays for guard discovery
/ traffic confirmation attacks.
Might be smart to add some code which, if this scenario is triggered,
lists offenders by hashes of their signing keys (if relay), or IP
addresses (if client).
There doesn't seem to be a defense against this, and the new connect()
rate-limit added through ticket 40253 also won't handle this as the
connection is already ACK'd and established, and a malicious relay
with custom source code could do whatever it was programmed to do
anyway.
- William
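
For operators who want to check their own logs for the same pattern, here is an added example (not part of the original message and not Tor Project code) that parses the rate-limited warning shown in the excerpt and computes per-window rates and a rolling total. The sample log is rebuilt from the excerpt's values with each entry on one line; the function names and the 1000/s threshold are assumptions made for illustration.

```python
import re

# Constructed sample: the six warnings from the excerpt above, one per line.
TEMPLATE = ("Mar 22 {t} <hostname_redacted> tor[pid_redacted]: Mar 22 {t}.000 [warn] "
            "Your computer is too slow to handle this many circuit creation requests! "
            "Please consider using the MaxAdvertisedBandwidth config option or choosing "
            "a more restricted exit policy. "
            "[{n} similar message(s) suppressed in last {s} seconds]")
EXCERPT = [("09:48:10", 12420, 120), ("09:49:10", 31764, 60), ("09:50:10", 104748, 60),
           ("09:51:10", 364165, 60), ("09:52:10", 509474, 60), ("09:53:10", 241332, 60)]
SAMPLE_LOG = "\n".join(TEMPLATE.format(t=t, n=n, s=s) for t, n, s in EXCERPT)

# Matches tor's own timestamp (the one with milliseconds) and the suppression suffix.
PATTERN = re.compile(
    r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\.\d+ \[warn\] Your computer is too slow to "
    r"handle this many circuit creation requests!.*?"
    r"\[(?P<n>\d+) similar message\(s\) suppressed in last (?P<s>\d+) seconds\]")

def parse(log_text):
    """Return (timestamp, suppressed_count, window_seconds) for each matching line."""
    entries = []
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if m:
            entries.append((m["ts"], int(m["n"]), int(m["s"])))
    return entries

def flag_bursts(entries, per_second_threshold=1000.0):
    """Windows whose suppressed-warning rate exceeds the (assumed) threshold."""
    return [(ts, n, round(n / s, 1)) for ts, n, s in entries
            if n / s > per_second_threshold]

def total_in_last(entries, seconds):
    """Sum suppressed counts over the newest windows that fit within `seconds`."""
    total = covered = 0
    for _, n, s in reversed(entries):
        if covered + s > seconds:
            break
        total += n
        covered += s
    return total

if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    for ts, n, rate in flag_bursts(parsed):
        print(f"{ts}: {n} suppressed warnings ({rate}/s)")
    print("last 5 minutes:", total_in_last(parsed, 300))
```

To run it against a real log, pass the file's contents to parse() in place of SAMPLE_LOG.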