Hi there,
I've read the latest release notes and heard about the high memory usage issue.
When I was checking on my Windows relay today, I was shocked to see it had 95% memory usage.
Interestingly, the high usage (>5GB) came from the Windows Terminal session in which I started the relay, not the resulting tor.exe process itself.
Luckily, either Windows or the tor application itself managed to self-heal without a crash, so after 5 minutes the memory usage was back at a normal level (~450MB).
I have attached the log of the relay, even though I don't think it will help much. There are many rejected connections, but from what I've learned this is normal.
Affected relay nickname: ProSecureRelay
OS: Windows x64
If you have the time, I have two questions:
First Question:
Is there any way to configure my relay as AROI? I tried the torrc file approach, but then my tor relay failed to start.
I added "TrustedAROI" alone. I also tried "TrustedAROI tor.mydomain.fr" etc. in the torrc file, but nothing worked.
If it is required, I have an extra sub-domain for tor, but DNSSEC would double the cost, so I "can't" do that right now.
Second Question:
I tried to add the parameter Address mydomain.fr to the torrc file to ensure proper IPv6 connectivity.
We have street work ongoing, and in rare cases there was a DSL resync, and only the new IPv4 address can be discovered by tor without restarting the relay. For IPv6, it does the ORPort test for the old IPv6 address, even after days.
When I add the Address parameter like "Address myrelay.fr", it finds the IPv4 address and then gets a nasty locking stack error, so I removed it and rely on the directory IP guess function.
Random Security Observations
Additionally, I want to report a very odd firewall log entry which I found in the Windows firewall. It was an incoming connection, one time from the Netherlands and the other time from France, source port 1, target port 5. I really don't know how this could pass my 2-layer firewall concept, as only the ORPort is allowed to pass, and I did port scans on myself without finding any undocumented open ports.
The only way I can imagine is that this traffic came from tor.exe itself. At this point, I had a Bitcoin Core instance running, which connected to another tor.exe, configured as a SOCKS proxy only and additionally reachable via IPv4/6. I ran this under two different users to ensure an exploited user session could not put the fingerprints etc. of the other instance at risk.
After this "incident", even though the traffic was blocked, I moved the Bitcoin service to a different server. But neither on the relay nor on the Bitcoin server could this weird block be observed again.
Finally, I want to mention that it is so interesting/fun to see the firewall logs since I started the relay operation, like what the hell is going on: ICMP redirect attacks, packets from private 192.168.6.X addresses, port scans and state-table overflow attempts, even DDoS attacks with 100 Mbit/s max for about 12 hours, and last but not least, ICMPs from Kursk Oblast to TU Darmstadt DE.
Sorry for the long mail.
Have nice weekend and best regards!
Joker
PS: Tor 0.4.8.20 for Windows - when? My update-monk is raging. ;D
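Editor's note on the two torrc questions above, as an added example and not the poster's own configuration: AROI is not a torrc keyword, it is declared inside the existing ContactInfo line using the ContactInfo Information Sharing Specification fields and then proven out of band, and Address can be given once for IPv4 and once for IPv6 as literal addresses instead of a hostname. The hostname, e-mail, addresses and port below are placeholders (RFC 5737 / RFC 3849 documentation ranges), not the poster's relay.

```text
# Added example torrc fragment (editor's, not the poster's). All names and
# addresses are placeholders.

# AROI: declared via ContactInfo with CIISS v2 fields. "[]" replaces "@" by
# convention. proof:uri-rsa means the web server at the url must serve the
# relay fingerprint(s), one per line, at
#   https://tor.example.com/.well-known/tor-relay/rsa-fingerprint.txt
# The alternative proof:dns-rsa uses DNS TXT records and needs DNSSEC;
# uri-rsa does not, so the extra sub-domain alone is enough for it.
ContactInfo email:operator[]example.com url:https://tor.example.com proof:uri-rsa ciissversion:2

# Address may appear twice (tor 0.4.5 and later): once IPv4, once IPv6.
# Literal addresses avoid the hostname lookup and the directory-based guess.
Address 203.0.113.10
Address 2001:db8::10
ORPort 9001
ORPort [2001:db8::10]:9001
```

After a restart, check that the descriptor published by the relay carries the ContactInfo string unchanged and that both ORPort reachability tests succeed in the log; the AROI proof only validates once the fingerprint file is reachable over HTTPS at the path above.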