No clue what they are doing, but they max out the Exist with 100% CPU load and do not transport a lot of traffic:
https://imgur.com/a/NzpE69B
Around 16-21 there should be more traffic and this was DDOS time.
I am 100% sure it's not bogus traffic just sent to my IPs to max out my uplinks, because:
https://www.peeringdb.com/net/22652
you need at least 120 gigabit to kill my uplinks.
I love dull, I love dull sooooo much. I want to marry dull.
nifty
On 25. Aug 2020, at 21:20, Roger Dingledine arma@torproject.org wrote:
On Tue, Aug 25, 2020 at 06:49:01PM +0000, John Ricketts wrote:
I as well.
On Aug 25, 2020, at 13:45, niftybunny abuse-contact@to-surf-and-protect.net wrote:
Daily DDOS love the last 14 days ...
Hi! Can you provide more details? From Nifty's picture it looks like they are full TCP connections? Do you have a sense of what they do when they connect?
And that would mean that they *aren't* packet-level ddoses, i.e. the "I fill up your network connection with packets so no other packets can get through" kind?
One of the strange things about working with things at the scale of the Tor network is that sometimes the combined behavior of many Tor processes can look like a DDoS. For example, maybe all of these connections come from out-of-date Tors that are now behaving bizarrely since the network now doesn't work the way their old logic expects.
We've also seen what looks like DDoS attempts on the directory authorities, but on closer examination they are some alternative Tor implementation that is running on many thousands of computers and is fetching Tor consensus documents in a way that isn't sustainable: https://gitlab.torproject.org/tpo/core/tor/-/issues/33018
There are also apparently some overloading attacks happening on some popular onion services currently, and I wonder if those are bleeding over into looking like many connections. Or, as we saw a few years ago when we added the "ddos defense subsystem" in Tor, the attacks didn't actually add much load, but it was when the onion services tried to scale up to tens of thousands of Tors, to be able to respond to every incoming rendezvous attempt, that those tens of thousands of Tors together looked like an attack on the network.
So: the next step would be to try to learn more about what these connections look like, where they're coming from, what they're doing, etc.
Also, if more people than just Nifty and John are seeing them.
Never a dull moment, --Roger
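As an added example, not written by anyone in this thread: a small Python script that takes a per-connection export from a relay (constructed sample below, in the assumed shape "peer_ip bytes_received bytes_sent", one line per established ORPort connection) and groups it by source /24 to surface the pattern Nifty describes, many established connections that each move very little data, which is what separates a connection/CPU overload from a volumetric flood that fills the uplink. The input format, thresholds and sample addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (not captured from a real relay): one line per established
# connection, "peer_ip bytes_received bytes_sent", as an operator might export
# from `ss -tni` or a flow collector. Documentation/test address ranges only.
SAMPLE = """\
198.51.100.17 640 512
198.51.100.18 700 480
198.51.100.19 512 520
198.51.100.20 600 500
203.0.113.44 250000 1800000
203.0.113.45 180000 900000
192.0.2.9 4096 2048
"""

def parse_conns(text):
    """Parse 'ip bytes_in bytes_out' lines into (ip, bytes_in, bytes_out) tuples."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip headers or malformed lines
        conns.append((ipaddress.ip_address(parts[0]), int(parts[1]), int(parts[2])))
    return conns

def profile_by_prefix(conns, v4_prefixlen=24, v6_prefixlen=48):
    """Group connections by source prefix; report count and mean bytes per connection."""
    groups = defaultdict(list)
    for ip, bytes_in, bytes_out in conns:
        plen = v4_prefixlen if ip.version == 4 else v6_prefixlen
        net = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
        groups[str(net)].append(bytes_in + bytes_out)
    return {net: {"conns": len(sizes), "mean_bytes": sum(sizes) // len(sizes)}
            for net, sizes in groups.items()}

def flag_low_traffic_bursts(profile, min_conns=3, max_mean_bytes=4096):
    """Prefixes with many connections that each carry little data: the
    'CPU at 100%, uplink mostly idle' shape, not a bandwidth flood."""
    return sorted(net for net, p in profile.items()
                  if p["conns"] >= min_conns and p["mean_bytes"] <= max_mean_bytes)

if __name__ == "__main__":
    prof = profile_by_prefix(parse_conns(SAMPLE))
    for net, p in sorted(prof.items()):
        print(f"{net:20} conns={p['conns']:4} mean_bytes={p['mean_bytes']}")
    print("low-traffic bursts:", flag_low_traffic_bursts(prof))
```

Feeding a real export through the same functions answers Roger's "where are they coming from" and "are they packet-level" questions without touching the Tor process itself.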
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays