All,
Just adding 0.02c; from the hosts going above 24 connections (my FW limit), the ASNs involved seem to focus on:

5 LEASEWEB-USA-WDC-01 - Leaseweb USA, Inc., US
18 OVH, FR
25 LEASEWEB-NL-AMS-01 Netherlands, NL

That's 48 of the 72 IPs exhibiting this behaviour, whereby the Leaseweb ones are consecutive IPs.
Careful not to share IPs here :-)
All seen from the perspective of SJC01 / 328E54981C6DDD7D89B89E418724A4A7881E3192
Stijn
On 22 Dec 2017, at 16:49, Pascal Terjan wrote:
I also got 17 from OVH (under ip-54-36-51.eu) and plenty of leaseweb.com (didn't count) too, but no your-server.de.
The OVH ones were interestingly 2 (nearby) consecutive blocks of 4 and 13 IPs (and are not relays).
On 22 December 2017 at 15:23, Tyler Johnson tylrcjhnsn@gmail.com wrote:
Every IP I checked through Atlas that is part of the mentioned hosts was NOT a relay; all were client connections.
On Dec 22, 2017 9:20 AM, "niftybunny" abuse@to-surf-and-protect.net wrote:
That's “only” “relays” with multiple connections to your relay? Interesting to see Hetzner there …
Markus
On 22. Dec 2017, at 16:14, Tyler Johnson tylrcjhnsn@gmail.com wrote:
Out of 133 IPs blocked with my rather aggressive firewall ruleset:

leaseweb.com - 26
your-server.de - 66
ip-54-36-51.eu - 17

That was in < 24hrs.
On Dec 22, 2017 3:38 AM, "niftybunny" abuse@to-surf-and-protect.net wrote:
Short answer:
https://i.imgur.com/8QLptcz.png
Around 15000 - 18000 connections I can see with netstat. Even my 300 mbit exit has less, and there are a lot of Leaseweb clients connecting to me ... The interesting thing is, it comes and goes in waves. From 6000 (normal) to 20000 connections within an hour. Someone doesn't like me very much :(
Markus
On 22. Dec 2017, at 08:42, Felix zwiebel@quantentunnel.de wrote:
On 22-Dec-17 at 08:25, niftybunny wrote:
Still under heavy attack even with the MaxMemInQueues and 0.3.2.8-rc. I need 2 xeons to push 30 mbit as a guard/middle …
Do you want to share some information:

Type i) (memory exhaustion by too many circuits)
What is the memory (top) per tor and its MaxMemInQueues? How many circuits per hour in the log?

Type ii) (CPU exhaustion by too many 'half open' tor connections)
Is your number of open files normal (fw in place), with moderate connection counts per remote IP?

Type iii) (One fills your server with too many long fat pipes, first ACK and RTT)
If on FreeBSD, is "mbuf clusters in use" (netstat -m) moderate? Do you get "kern.ipc.nmbclusters limit reached" in messages?

-- Cheers, Felix
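
Added example, not part of any message in this thread: a way to answer the "connection counts per remote IP" question from `netstat -tn` output, flagging remotes above the 24-connection firewall limit mentioned above and grouping them into consecutive-address runs like the ones the posters observed. It assumes the Linux `netstat -tn` column layout and IPv4 only; the function names are hypothetical and the sample lines are constructed from documentation address ranges.

```python
import ipaddress
from collections import Counter

FW_LIMIT = 24  # per-IP connection limit quoted in the thread

def remote_ip(line):
    """Return the remote IPv4 address of an ESTABLISHED `netstat -tn` line, else None."""
    f = line.split()
    if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "ESTABLISHED":
        return None
    host = f[4].rsplit(":", 1)[0]  # strip the port
    try:
        return ipaddress.IPv4Address(host)
    except ValueError:
        return None  # IPv6 or unparsable; out of scope for this sketch

def over_limit(lines, limit=FW_LIMIT):
    """Map each remote IP with more than `limit` connections to its count."""
    counts = Counter(ip for ip in map(remote_ip, lines) if ip is not None)
    return {ip: n for ip, n in counts.items() if n > limit}

def consecutive_runs(ips):
    """Group addresses into runs of adjacent IPs (e.g. blocks rented together)."""
    runs = []
    for ip in sorted(ips):
        if runs and int(ip) - int(runs[-1][-1]) == 1:
            runs[-1].append(ip)
        else:
            runs.append([ip])
    return runs

def sample_netstat():
    """Constructed `netstat -tn` lines (documentation address ranges only)."""
    row = "tcp        0      0 198.51.100.1:9001       {}:{}     ESTABLISHED"
    lines = ["Proto Recv-Q Send-Q Local Address  Foreign Address  State"]
    for host, conns in [("192.0.2.10", 30), ("192.0.2.11", 40), ("192.0.2.12", 25),
                        ("203.0.113.5", 26), ("203.0.113.77", 3)]:
        lines += [row.format(host, 40000 + i) for i in range(conns)]
    lines.append("tcp 0 0 198.51.100.1:9001 203.0.113.77:51000 TIME_WAIT")
    return lines

if __name__ == "__main__":
    flagged = over_limit(sample_netstat())
    for run in consecutive_runs(flagged):
        total = sum(flagged[ip] for ip in run)
        print(f"{run[0]}..{run[-1]}: {len(run)} IPs, {total} connections")
```

On a live relay the input would be the lines of `netstat -tn` instead of `sample_netstat()`.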