On Apr 12, 2014, at 12:34 , Scott Bennett wrote:
[...] the sporadic, sudden mobbing of relays by tens to hundreds of times as many incoming connections as those relays normally get, often for up to several hours at a time. Systems whose CPUs are not powerful enough to keep up with the heavy influx of onions to be peeled become bogged down, sometimes to the point of their kernel listen queues overflowing and X servers becoming unresponsive. [...] My conclusion is that the massive (in relation to the background) rates of inbound connections are accesses to the hidden services directory part of a tor relay. Since becoming aware of Heartbleed a few days ago, I have been wondering whether the NSA or some other criminal group(s) or individual(s) might be using untraceable connections to HSDir-flagged relays to acquire lots of memory contents illegally with relay operators noticing the events mainly because of their deleterious effects on system performance.
I run a relay on a low-powered machine and I see this happening from time to time. Sometimes multiple times per week, sometimes not for a few weeks.
In my case, during those times I also have way more download traffic than upload, so I become a data sink hole. If this were a data gathering attack, I would expect the opposite: more upload than download, altho this may be (somewhat) specific to me as I have an older openssl which is supposedly unaffected.
My (less sexy) theory is that this is caused by clients using bittorrent over Tor and aggressively creating and abandoning connections without properly disconnecting, causing the imbalance between download and upload traffic.
I never tried disabling HSDir but will do so at some point to test whether it stops these episodes from happening.
-Job