Just as a heads up, I got a curt, vague lawsuit threat the other day out of the blue. The guy claimed my node IP took down his (unmentioned) e-commerce sites for some unspecified period of time through a SYN flood. The sites that I could find associated with his email address appeared still up and functional.
Since SYN floods can be spoofed, and since Tor nodes don't really have the resource amplification that typically makes them effective, I'm assuming it's probably just someone who forgot to take their meds for a while and/or who is just making things up to try to chill our tor node offline.
Just in case, here is what I sent in response. If anyone else hears from this guy, feel free to copy and paste.
----------------------------
It seems very unlikely that what you pasted here is due to our Tor router (unless it has been compromised?).
Our node is not capable of transmitting SYN packets on behalf of users fast enough to actually do damage. It is rather expensive for a tor client to generate this type of traffic, and a couple of protection mechanisms are built into the tor router's flow control that slow this down. We would be very surprised if this attack actually came through our node, and actually brought down any of your services.
Unlike more direct attacks on your server at the application layer, SYN floods are possible to spoof. This packet could actually be coming from anywhere...
However, in either case, this attack should be simple to block. You can prevent the entire Tor network (not just our router) from sending you traffic by using this exported IP list to generate firewall rules to drop SYN packets: https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.2.3.4&port=...
If this is in fact a SYN flood attack, they may just switch spoofed source IPs on you, though, so an IP block is probably not what you want.
There are plenty of documents online that describe server parameters to help reduce the impact of this attack on your services, depending on your server OS. We recommend looking into them to better protect yourself and your customers.
Thanks
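The message above points at the bulk exit list as raw material for firewall rules that drop SYNs from exit relays. The script below is an added example, not code from the list post or from the Tor project: it parses a file in the assumed shape of that list (one address per line, `#` comment lines), discards anything that is not a unique IPv4 literal, and renders an nftables ruleset with a named set and one rule that drops only bare SYNs from those addresses to the protected port. The sample list, table name and port are constructed for the demonstration.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample in the assumed shape of the bulk exit list output:
# '#' comment lines, one address per line. The addresses are documentation
# ranges invented for this example, not real exit relays.
SAMPLE_EXIT_LIST = """\
# Constructed sample: exit relays that could reach 192.0.2.10 on port 443
# A bad line, a duplicate and an IPv6 literal are included on purpose
198.51.100.7
203.0.113.42
not-an-address
203.0.113.42
2001:db8::1
"""


def parse_exit_list(text: str) -> List[str]:
    """Return the unique, syntactically valid IPv4 addresses in the list, in order.

    Blank lines, comments, duplicates, garbage and non-IPv4 literals are skipped
    rather than passed through into a rule that nft would reject at load time.
    """
    seen = set()
    addrs: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            addr = ipaddress.ip_address(line)
        except ValueError:
            continue  # not an IP literal at all
        if addr.version != 4:
            continue  # the set below is typed ipv4_addr; keep the types consistent
        text_addr = str(addr)
        if text_addr not in seen:
            seen.add(text_addr)
            addrs.append(text_addr)
    return addrs


def nft_syn_drop_ruleset(addrs: Iterable[str], dport: int, table: str = "torfilter") -> str:
    """Render an nftables ruleset (hypothetical table name) that drops new
    connections from the listed exits to one port.

    Matching on 'flags & (syn|ack) == syn' hits only the first packet of a
    handshake, so established flows and replies are left alone.
    """
    addrs = list(addrs)
    if not addrs:
        raise ValueError("empty address list; an empty set would match nothing")
    elements = ",\n            ".join(addrs)
    return f"""table inet {table} {{
    set tor_exits {{
        type ipv4_addr
        elements = {{
            {elements}
        }}
    }}
    chain input {{
        type filter hook input priority 0; policy accept;
        ip saddr @tor_exits tcp dport {dport} tcp flags & (syn|ack) == syn counter drop
    }}
}}
"""


if __name__ == "__main__":
    exits = parse_exit_list(SAMPLE_EXIT_LIST)
    print(f"# {len(exits)} usable exit addresses parsed")
    print(nft_syn_drop_ruleset(exits, 443))
```

The rendered text is meant to be saved and loaded with `nft -f`; the `counter` on the rule is what lets an operator see whether any SYNs from exits actually arrive, which is the question the message above raises. The same message's caveat stands: a spoofed flood changes source addresses at will, so this set only limits traffic that genuinely comes through Tor, and the host-side parameters it mentions (on Linux, the `net.ipv4.tcp_syncookies` sysctl is the usual one) are what absorb the rest.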
Formless Networking wrote:
> Since SYN floods can be spoofed, and since Tor nodes don't really have the resource amplification that typically makes them effective, I'm assuming it's probably just someone who forgot to take their meds for a while and/or who is just making things up to try to chill our tor node offline.
I'm certainly no networking expert, but I didn't think a SYN attack could come from a properly functioning Tor exit anyway -- w/o even getting into how rapidly the packets are sent.
I thought a SYN attack was sending the first packet for a TCP handshake and then not responding to the SYN-ACK coming back. My understanding of Tor is that a user can send information to and receive info from the target IP address via the Tor exit but that the originator has no control over the low level details of that network traffic. I.e. the handshakes (or lack thereof) are controlled by the Tor exit itself. What am I missing?
Jim
On 24.02.2011 22:09, Formless Networking wrote:
> Just as a heads up, I got a curt, vague lawsuit threat the other day out of the blue.
I answer every single question regarding my exit node in case someone asks in a somewhat reasonable and polite manner. But I never respond to mails or phone calls threatening me with a lawsuit or in any other way.
cheers, Olaf
tor-relays@lists.torproject.org