No clue what they are doing, but they max out the Exits with 100% CPU load and do not transport a lot of traffic:

https://imgur.com/a/NzpE69B

Around 16-21 there should be more traffic and this was DDOS time.

I am 100% sure it's not bogus traffic just sent to my IPs to max out my uplinks, because:

https://www.peeringdb.com/net/22652

you need at least 120 gigabit to kill my uplinks.

I love dull, I love dull sooooo much. I want to marry dull.

nifty



On 25. Aug 2020, at 21:20, Roger Dingledine <arma@torproject.org> wrote:

On Tue, Aug 25, 2020 at 06:49:01PM +0000, John Ricketts wrote:
I as well.

On Aug 25, 2020, at 13:45, niftybunny <abuse-contact@to-surf-and-protect.net> wrote:

Daily DDOS love the last 14 days ...

Hi! Can you provide more details? From Nifty's picture it looks like
they are full TCP connections? Do you have a sense of what they do
when they connect?

And that would mean that they *aren't* packet-level ddoses, i.e. the
"I fill up your network connection with packets so no other packets can
get through" kind?

One of the strange things about working with things at the scale of the
Tor network is that sometimes the combined behavior of many Tor processes
can look like a DDoS. For example, maybe all of these connections come
from out-of-date Tors that are now behaving bizarrely since the network
now doesn't work the way their old logic expects.

We've also seen what looks like DDoS attempts on the directory
authorities, but on closer examination they are some alternative Tor
implementation that is running on many thousands of computers and is
fetching Tor consensus documents in a way that isn't sustainable:
https://gitlab.torproject.org/tpo/core/tor/-/issues/33018

There are also apparently some overloading attacks happening on some
popular onion services currently, and I wonder if those are bleeding
over into looking like many connections. Or, as we saw a few years ago
when we added the "ddos defense subsystem" in Tor, the attacks didn't
actually add much load, but it was when the onion services tried to scale
up to tens of thousands of Tors, to be able to respond to every incoming
rendezvous attempt, that those tens of thousands of Tors together looked
like an attack on the network.

So: the next step would be to try to learn more about what these
connections look like, where they're coming from, what they're doing, etc.

Also, if more people than just Nifty and John are seeing them.

Never a dull moment,
--Roger

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays