Re: Out-of-Memory-Attack & DoS from Tor-Client
Hi there,

It's very unfortunate, but I don't have the logs due to an initial mistake I made, not setting up a logfile. In the updated torrc file, I recently added it but I thought it is not worth a restart to implement this. Now it works. But I saw the relay logs in the cmd during the attack, and there was nothing unusual at all, except for the high rejection rates. The Out-of-Memory was also an error that came from Windows, not the tor process itself. I'm a bit positively surprised by the Windows memory management, all system processes and the OS were unaffected by the attack. Additionally I have a PowerShell script that monitors the tor.exe and restarts it after 2 minutes of "cool-down" if it crashes 3 times. This was the first time it was ever needed, and I hope next time is not soon. Then I will also try the stupid oversize approach.. ;)

About the Firewall Topic:

I've read this manual you sent before, but I think it's impossible with the Windows Firewall implementation. That's one weakness of closed source, either it matches the use case or you have to go for something completely different. The Windows Firewall is not stateful, but I had implemented very restrictive rules since the first day. However, this is limited by allowing only the tor.exe and related stuff to send and receive traffic. If you would try to open a new process not listed, communication would fail. But fancy "real-time" stuff - not a chance. I mean creating some rules via PowerShell no prob, but how to analyse the concurrent, tor related connections (grabbing netstat?!) - sounds difficult and resource-heavy to me, and I'm sadly not a coding expert. In total there are 3 firewalls between Internet and Tor, one open-source, one proprietary and the Windows Firewall, maybe I can stop this happening at another point in the network.

I'll dig a bit deeper when I have the time, next step planned is to implement Windows Application Control, so only the tor.exe I've made a checksum of beforehand is allowed to run. But that's a different topic.

Thank you very much for your suggestions and maybe other hints/tips!

Best regards,
Joker
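On the question above of how to analyse the concurrent Tor-related connections without scraping netstat text: the sketch below is an added example, not code from any participant in this thread or from the Tor Project. It groups established connections on the relay's ORPort by remote address and reports the addresses over a limit. The function name `Get-ConnectionOffender`, the ORPort 9001, the limit of 4 and the sample addresses are assumptions made for illustration.

```powershell
# Added example: per-address count of established connections to the ORPort.
# Assumptions (not from the thread): ORPort 9001, limit of 4 per remote address.
function Get-ConnectionOffender {
    param(
        [Parameter(Mandatory)] [object[]] $Connection,
        [int] $OrPort = 9001,
        [int] $MaxPerAddress = 4
    )
    $Connection |
        # Keep inbound sessions only: the local side is the ORPort.
        Where-Object { $_.LocalPort -eq $OrPort -and $_.State -eq 'Established' } |
        Group-Object -Property RemoteAddress |
        Where-Object { $_.Count -gt $MaxPerAddress } |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            [pscustomobject]@{ RemoteAddress = $_.Name; Connections = $_.Count }
        }
}

# Constructed sample (documentation address ranges), shaped like the objects
# that Get-NetTCPConnection returns.
$sample = @(
    1..6 | ForEach-Object {
        [pscustomobject]@{ LocalPort = 9001; RemoteAddress = '203.0.113.7'
                           RemotePort = 40000 + $_; State = 'Established' }
    }
    [pscustomobject]@{ LocalPort = 9001; RemoteAddress = '198.51.100.20'
                       RemotePort = 51000; State = 'Established' }
    [pscustomobject]@{ LocalPort = 9001; RemoteAddress = '198.51.100.20'
                       RemotePort = 51001; State = 'TimeWait' }
)

# Reports 203.0.113.7 with 6 connections; 198.51.100.20 stays under the limit.
Get-ConnectionOffender -Connection $sample

# On the relay itself, feed live data instead of the sample:
# $torPid = (Get-Process -Name tor).Id
# Get-ConnectionOffender -Connection (Get-NetTCPConnection -OwningProcess $torPid -State Established)
```

The output is a list of addresses and counts only; whether an address over the limit is blocked, and at which of the firewalls, is left to the operator.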
On 03.12.2025 at 20:07:53, ProSecureRelays via tor-relays wrote:
The Windows Firewall is not stateful, but I had implemented very restrictive rules since the first day.
Since when? I thought it can be configured to act as an SPI firewall, which is default, so all outgoing traffic is allowed and the matching incoming traffic too. Is that a current version of Windows or an ancient one?

--
Regards
Marco

Send unsolicited bulk mail to 1764788873muell@cartoonies.org
Re: firewall, Yes you're correct, there's really no way to implement those rules with the Windows Firewall. To be honest I've been thinking about running tor within WSL on Windows as an experiment. Don't know if it can be done but I don't see a reason why it should not be possible. Best of all, there's no overhead of a traditional virtual machine. I'm currently running an Xray VPN on an Ubuntu instance within WSL on Windows 11 Pro and it's working flawlessly.

On 12/3/2025 2:07 PM, ProSecureRelays via tor-relays wrote:
Hi there,
It’s very unfortunate, but I don’t have the logs due to an initial mistake I made, not setting up a logfile.
In the updated torrc file, I recently added it but I thought it is not worth a restart to implement this. Now it works.
But I saw the relay logs in the cmd during the attack, and there was nothing unusual at all, except for the high rejection rates.
The Out-of-Memory was also an Error that came from Windows, not the tor-process itself.
I’m a bit positively surprised by the Windows memory management, all system processes and the OS were unaffected by the attack.
Additionally I have a PowerShell script that monitors the tor.exe and restarts it after 2 minutes of "cool-down" if it crashes 3 times.
This was the first time it was ever needed, and I hope next time is not soon. Then I will also try the stupid oversize approach.. ;)
About the Firewall Topic:
I’ve read this manual you sent before, but I think it’s impossible with the Windows Firewall implementation.
That’s one weakness of closed source, either it matches the use case or you have to go for something completely different.
The Windows Firewall is not stateful, but I had implemented very restrictive rules since the first day.
However, this is limited by allowing only the tor.exe and related stuff to send and receive traffic.
If you would try to open a new process not listed, communication would fail. But fancy "real-time" stuff – not a chance.
I mean creating some rules via PowerShell no prob, but how to analyse the concurrent, tor related connections (grabbing netstat?!) – sounds difficult and resource-heavy to me, and I’m sadly not a coding expert.
In total there are 3 Firewalls between Internet and Tor, one Open-Source, one proprietary and the Windows Firewall, maybe I can stop this happening at another point in the network.
I’ll dig a bit deeper when I have the time, next step planned is to implement Windows Application Control, so only the tor.exe I’ve made a checksum of beforehand is allowed to run.
But that’s a different topic.
Thank you very much for your suggestions and maybe other hints/tips!
Best regards,
Joker
_______________________________________________ tor-relays mailing list -- tor-relays@lists.torproject.org To unsubscribe send an email to tor-relays-leave@lists.torproject.org
participants (3): Chris Enkidu-6, Marco Moock, ProSecureRelays