Hi there,

i just want to report two partially successfull DoS Attacks on my Relay:

First attack:

Occured yesterday. The tor process showed massive traffic, much more my upload ( 45 Mbits) could handle.

I don’t know how in detail this worked, but I had receiving traffic at about 40Mbits and the relay tried to send about 100Mbits towards WAN.

Because I didn’t know if this was harmful traffic for the tor network, I finally pulled the plug and obtained a new IP after about 4 hours into the attack.

I had the feeling that a short time, there was still unusual sending/recieving ratio, but all related to tor.exe and it stabilized soon after.

My Guess ist hat a malformed packet was sent by tor, resulting in uncontrolled, unknown traffic to the WAN-Side.

The Realy had 3 DDoS Circuits killed, rejected circuits and introduce 2 at unnormal high rate, also like 117 marked addresses. It sent about 250GB more then it recieved.

The attack is also clearly visible in Tor Metrics, a massive spike in written Bytes can be seen.

Fingerprint: 8AFE4E6F05234B0184327C052B09F10191EAFAF3

Second Attack (today):

Today at about 2 p.m., the memory of the relay spiked to maximum (8GB) and additionally 22GB of virtual memory was used.

This caused the process to die, with an out-of-memory Error.

This also must came from a malformed packet in tor.

Is there any known method to circumvent both of these Issues?

In the first event, i don’t know if the error could have cleared self after some more hours.

Regarding the memory issue, i think this must be resolved in the tor software itself, allthough I thought about adding 64GB of RAM and 256GB Page-File, just to see if it makes any difference in case of attacks.

But I don’t think so.

Best regards,

Joker