On Sun, Dec 07, 2014 at 01:43:46PM +0100, Logforme wrote:
To me it looks like an attacker that ramped up over a 6 hour period and then stopped building new circuits. Since the tor process still uses all available memory (more than 24 hours later) I guess the attacker still holds some circuits open.
Careful with your conclusion there -- because of memory fragmentation, the process can still hold the memory even when Tor has freed the memory. That happens because some part of the memory page is in use and some is freed, but since not all of it is freed the allocator doesn't take it back.
Some quick searches point to https://www.ibm.com/developerworks/community/blogs/kevgrig/entry/linux_nativ... as what looks like a nice summary of the issue.
--Roger