- tor-relays - lists.torproject.org

Re: [tor-relays] Detecting Network Attack [re: exit synflooded]
by Dhalgren Tor 26 Nov '17

26 Nov '17

>Well, it's still going on, and is pretty much ruining Libero :( . Running CentOS 6, here. > >When it's happening it can look like this: > ># netstat -n | grep -c SYN >17696 I run a fast exit and can offer some advice: 1) mitigate bug #18580 (also #21394); is a DNS denial-of-service and could be the problem. either upgrade to 0.3.2.4+ or edit resolve.conf per https://trac.torproject.org/projects/tor/wiki/doc/DnsResolver#Tuningeventdn… also check out https://arthuredelstein.net/exits/ 2) if you continue to experience excessive outbound scanning SYNs, I've found that simply enabling connection tracking helps by implicitly limiting the rate a which connections can originate. If an iptables "-m state --state ESTABLISHED,RELATED -j ACCEPT" rule exists it will turn it on or you could modprobe the module if you don't want to configure incoming connection rules. some useful sysctl.conf changes, run sysctl -p after or reboot # Tor Exit tuning. net.ipv4.ip_local_port_range = 1025 65535 net.ipv4.tcp_synack_retries = 2 net.ipv4.tcp_max_tw_buckets = 4194304 net.ipv4.tcp_tw_recycle = 1 net.ipv4.tcp_fin_timeout = 30 net.ipv4.tcp_keepalive_time = 300 net.ipv4.tcp_keepalive_intvl = 10 net.ipv4.tcp_keepalive_probes = 3 net.netfilter.nf_conntrack_tcp_timeout_established = 1000 net.netfilter.nf_conntrack_checksum = 0 you might see many messages: kernel: nf_conntrack: table full, dropping packet which indicates no connection table slots were available for an outbound connection and that rate limiting is effected state of connection tracking appears in /proc/net/nf_conntrack

4 5

Re: [tor-relays] Pretty sure our exit was being synflooded
by tor＠t-3.net 26 Nov '17

26 Nov '17

I spoke too soon, it seems - the exit is struggling again, with some time spent destroyed today. As I look at what it's doing, it's clear that someone is relaying SYN packets to random ports and also random destination addresses that aren't even alive. The destination hosts and ports continually vary - it never hits multiple destinations on 1 port, and it does not hit multiple ports on 1 host. I presume it is an attack that is intended to degrade this relay's service quality, or otherwise more broadly, degrade Tor. I'm going to reject a few more trojan listen ports, it might help but it isn't a real fix. My thought btw was for Tor to rate-limit syn scanning activity between the client and the first onion router, with the function taking place in that first-hop router, not at the exit.

2 1

Re: [tor-relays] Pretty sure our exit was being synflooded
by tor＠t-3.net 26 Nov '17

26 Nov '17

Thanks for the configuration suggestions. I intentionally set the conntrack limit high, maybe that was not the best thing. I think I'll be putting it back. Removing my extra IPTables code plus adding a reject for :8888 has made the exit behave properly again. I wonder if the best possible course of action for this sort of thing would be within Tor itself. I don't know that it was a single client connection into Tor that was causing all this trouble, but maybe it was. One would think that one client should not be allowed to do something so severe with the TCP that it can single-handedly ruin a fast exit. Maybe a code change that forces a rate-limit that significantly slows down the ability of a single client to roll port scans should be considered by the devs.

2 1

Re: [tor-relays] Detecting Network Attack [re: exit synflooded]
by tor＠t-3.net 26 Nov '17

26 Nov '17

Well, it's still going on, and is pretty much ruining Libero :( . Running CentOS 6, here. Actually, I think from what I'm seeing that it may not exactly be a synflood targeting Libero. I think Libero may be being (ab)used to do massive portscanning or similar. Image should be visible below - it's normal statistics for the 18th through say, part of the 21st, messed up 22ed - 24th and on the 24th me trying different things in an attempt to mitigate (graph is from yesterday). Look at the SYN_SENT2 maximum. When it's happening it can look like this: # netstat -n | grep -c SYN 17696 # Also one tiny part of the netstat looked like this: tcp 0 1 64.113.32.29:33354 <external IP munged>:81 SYN_SENT tcp 0 1 64.113.32.29:39659 <external IP munged>:8888 SYN_SENT tcp 0 1 64.113.32.29:44247 <external IP munged>:87 SYN_SENT tcp 0 1 64.113.32.29:42038 <external IP munged>:8888 SYN_SENT tcp 0 1 64.113.32.29:42077 <external IP munged>:83 SYN_SENT tcp 0 1 64.113.32.29:36282 <external IP munged>:8888 SYN_SENT tcp 0 1 64.113.32.29:46023 <external IP munged>:8888 SYN_SENT Port 8888 is supposedly opened up for listen by a virus.

3 3

Detecting Network Attack [re: exit synflooded]
by grarpamp 26 Nov '17

26 Nov '17

On Fri, Nov 24, 2017 at 6:23 PM, <tor(a)t-3.net> wrote: > Was anyone else's exit being synflooded yesterday and today? There could be a combined monitoring array deployed among all nodes that might start to answer these questions. And further alert on all sorts of interesting network attacks launched at Tor. Software exploits... segmentation / modulation attacks... etc. This is perimeter security 101, and Tor currently has no fence, no guard dogs, not even a janitor you can ask the next day. That's beyond bad. And big oppurtunity for new research project.

2 2

Tor Metrics issue
by Arisbe 25 Nov '17

25 Nov '17

In the immediate past I monitored both my relays and my bridges through atlas. So, now with Tor Metrics, I don't see my bridges. Am I doing something wrong or are they not in the data base? Arisbe

4 5

Re: [tor-relays] Detecting Network Attack [re: exit synflooded]
by tor＠t-3.net 25 Nov '17

25 Nov '17

I went and added a reject for exit to port 8888 and HUPed the process. Maybe this is the fix! :)

1 0

Exit from Different IP from OR Port
by Dr Gerard Bulger 25 Nov '17

25 Nov '17

Direct Exit to a different IP. I naively thought that the proxy lines in torrc could to that via an https proxy. Alas that's not what that line is for! I got an impression from earlier chats a while ago that exiting to a non-advertised IP was regarded as simply not cricket, in that the internet should know the IP or Tor exits exiting. The trouble now is too many are sites apply blanket bans on Tor exits. I failed get a Tor on my VPS to use a VPN as the final exit, as my knowledge of routing is too limited. I kept cutting myself off from the branch I was sitting on fiddling with this remotely. As some exits to do manage this, I wonder if anyone can post be a script or point me in the right direction as to how they do it. Scenario: Set up a VPN connection. Have a script that in effect offers split tunnelling for TOR to allow exit via the VPN. The OR port needs to remain local fixed IP. The default route of the VPN server remains local. Doing everything in and out via most VPNs would not be useful as these services have very dynamic IPs. Gerry >>>Detecting exit nodes is error prone, as you point out. Some exit >>> nodes have their traffic exit a different address than their >>> listening port. Hey does Exonerator handle these? >> Right. It's not trivial for tor to figure out what exit relays are >> multi-homed -- at least not without actually establishing circuits >> and fetching content over each exit relay. >> >> I just finished an exitmap scan and found 17 exit relays that exit >> from an IP address that is different from what's listed in the >> consensus: > This mode of operation, regardless of how it happens, is not in itself > a problem, nor cause for alarm. In fact, the nature of these "exit IP > different than ORPort" relays can and often does assist users in > circumventing censorship... a fundamental use case of Tor. > For instance, the arbitrary automated and blind blocking via dumb > blocklists that prevent even such most basic user activity and human > right to knowledge as simply reading websites via Tor. Such blocking > examples can often be found here: > https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBl > ockingTor > > It's also entirely up to the exit operator to determine if the third > party non contractual / SLA exonerator service is of any particular > use or benefit to them or not... perhaps they have other notary means, > or are immune or not subject to any such legal or jurisdictional > issues, for which it becomes moot. > > Similarly, realtime TorDNSEL and the like could be considered to be > censorship enabling tools. > -----Original Message----- From: tor-relays [mailto:tor-relays-bounces@lists.torproject.org] On Behalf Of teor Sent: 25 November 2017 07:31 To: tor-relays(a)lists.torproject.org Subject: Re: [tor-relays] Tor Metrics issue > On 25 Nov 2017, at 17:36, Arisbe <arisbe(a)cni.net> wrote: > > In the immediate past I monitored both my relays and my bridges through atlas. So, now with Tor Metrics, I don't see my bridges. Am I doing something wrong or are they not in the data base? How do you search for your relays and bridges? T _______________________________________________ tor-relays mailing list tor-relays(a)lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

3 2

Pretty sure our exit was being synflooded.
by tor＠t-3.net 25 Nov '17

25 Nov '17

Was anyone else's exit being synflooded yesterday and today? I put some iptables code in to help, it might have mitigated it. I'm pretty sure our exit "Libero" was being synflooded. Managed to lose all our flags shortly after the instability was (finally) resolved, go figure =p

2 1

Re: [tor-relays] my IP got blocked -> closed
by Patrice 25 Nov '17

25 Nov '17

Hi, I want to tell that the issue is no longer exists. I can now visit ebay, ikea, ect. without a problem. It was like grarpamp said, there was a bunch of malicious software on one of my Computers. Very shameful, there was no virus detection installed. Therefore my tor relay was not the problem but my windows pc. ;-) Thank you for your help! Kind regards Kalle > 2. Re: my IP got blocked (grarpamp) > >>> Detecting exit nodes is error prone, as you point out. Some exit nodes >>> have their traffic exit a different address than their listening >>> port. Hey does Exonerator handle these? >> Right. It's not trivial for tor to figure out what exit relays are >> multi-homed -- at least not without actually establishing circuits and >> fetching content over each exit relay. >> >> I just finished an exitmap scan and found 17 >> exit relays that exit from >> an IP address that is different from what's listed in the consensus: > This mode of operation, regardless of how it happens, is not in > itself a problem, nor cause for alarm. In fact, the nature of these > "exit IP different than ORPort" relays can and often does assist > users in circumventing censorship... a fundamental use case of Tor. > For instance, the arbitrary automated and blind blocking via dumb > blocklists that prevent even such most basic user activity and human > right to knowledge as simply reading websites via Tor. Such blocking > examples can often be found here: > https://trac.torproject.org/projects/tor/wiki/org/doc/ListOfServicesBlockin… > > It's also entirely up to the exit operator to determine if the > third party non contractual / SLA exonerator service is of any > particular use or benefit to them or not... perhaps they have other > notary means, or are immune or not subject to any such legal or > jurisdictional issues, for which it becomes moot. > > Similarly, realtime TorDNSEL and the like could be considered > to be censorship enabling tools. >

1 0