Sebastian Urbach schreef op 26/12/14 om 14:05:
On December 26, 2014 12:41:51 PM Christian Burkert post@cburkert.de wrote:
Hi,
I'm running a non-exit Tor node for a few months now on a virtual server hosted in a professional datacenter.
Thank you !
Yesterday, December 25th, the support wrote me, that my server is under a DDoS attack with 2GBit/s lasting over more than two hours. So, the hoster black holed my traffic to protect the other customers.
I've seen this behaviour from some ISP's before and it's rather sad. If something like this happens my ISP is taking care of it without disabling my systems. I'm just getting a note with all the technical information and that's it.
The hoster wanted to know which services I'm running and told me that if I continue running Tor and further attacks will happen, then I would have to bear the costs. Eventually, I took down the Tor node to avoid further confrontation.
That's interesting, they gave you some infos like the time and the amount but nothing else ? Seems to me that they're pretty clueless and are fishing in the dark. Another reason for their behaviour could be that they want to get rid of you / your Tor node. Threatening customers is really sad, sounds like they heard the word Tor from you and then concluded "oh, than he basically asked for the attack".
Now I seek for your interpretation of this event:
- Has there been more recent incidents against Tor nodes?
Nothing with that magnitude on my end for weeks.
- How can I investigate it?
You can ask your ISP for their logs regarding that attack. Do you have any logs on your system, maybe from a intrusion detection or anything else ?
- How should one react to a hoster? I mean they could have made up the
whole thing...
If you are already considering this than i would recommend changing to another ISP, sounds like there is already some distrust.
Looking forward to your comments Chris
In the context of a shared virtual server (VPS), null-routing traffic seems like a good way to protect other customers on the same machine. It's common for VPS hosts to have a single or double 1Gbit/s link to each machine, and a 2Gbit/s DDoS attack would cause that to be completely utilized, disrupting service for other customers.
I haven't seen any significant attacks on my Tor nodes recently. There's the usual 1Gbit/s spike for a few minutes sometimes, but they never last long.
Tom