On Sun, Mar 4, 2018 at 7:06 PM, Toralf Förster toralf.foerster@gmx.de wrote:
On 03/04/2018 07:41 PM, Dhalgren Tor wrote:
the main event-worker thread going from a normal load level of about 30%/core to 100%/core and staying there for about 30 seconds;
I do wonder if this is just the normal behaviour when - IIRC correctly - consensus documents are compressed before sending.
No chance whatsoever. Relay runs for months-on-end never exceeding 40% CPU. Have seen the same or a similar attack, twice before I believe under 0.2.9.14. Just realized the ISP added some bugs to their data graphs: in this case _ingress_ traffic is 3-4% higher than egress (they reversed the labels along with breaking long-term historical). Earlier observed a similar attack where _egress_ traffic was 10-15% higher than ingress traffic.
What's interesting here is the crypto-worker threads are near zero (normal) in contrast to circuit-extend attacks where the crypto threads peg at 100%. Did see one brief, intense crypto- worker CPU spike today but it's not characteristic of this event in general.