Hi,
The provider of my non-exit "silentrocket" told me they temporarily disconnected the server from their network because of a DoS attack against the machine.
https://atlas.torproject.org/#details/7A32C9519D80CA458FC8B034A28F5F6815649A...
They sent me some details of what they think is a DoS attack (date and time omitted ...):
###########################################
Attack type: DoS_IN
Attacked IP: 82.223.21.74
###########################################
Source Address   Source Port  Destination Address  Destination Port  Frames
193.171.202.146  TCP:9001     82.223.21.74         TCP:61078         21440736
176.10.104.243   TCP:443      82.223.21.74         TCP:25817         11203344
185.29.8.132     TCP:443      82.223.21.74         TCP:56708         8160360
58.58.170.2      TCP:443      82.223.21.74         TCP:61980         7840824
144.76.14.145    TCP:143      82.223.21.74         TCP:19866         6240664
195.154.209.91   TCP:443      82.223.21.74         TCP:20229         4808568
192.42.113.102   TCP:9001     82.223.21.74         TCP:62658         4328568
83.146.80.152    TCP:39898    82.223.21.74         TCP:9001          3041584
87.98.162.251    TCP:443      82.223.21.74         TCP:60948         2240040
188.138.9.49     TCP:9001     82.223.21.74         TCP:13349         2240000
93.145.122.187   TCP:60469    82.223.21.74         TCP:9001          1920016
104.236.92.66    TCP:1337     82.223.21.74         TCP:48838         1760248
5.248.227.163    TCP:9001     82.223.21.74         TCP:28976         1760240
109.104.12.92    TCP:9001     82.223.21.74         TCP:15808         1601224
46.101.237.246   TCP:9001     82.223.21.74         TCP:18393         1600784
212.47.239.187   TCP:443      82.223.21.74         TCP:6669          1600000
212.117.180.130  TCP:443      82.223.21.74         TCP:37114         1440000
37.187.17.67     TCP:38547    82.223.21.74         TCP:9001          1281176
37.157.193.107   TCP:49192    82.223.21.74         TCP:9001          804896
193.11.164.243   TCP:9001     82.223.21.74         TCP:62265         800040
I am not sure whether it really looks like a DoS attack or if it is just many "normal" tor packets hammering on the small server which are misunderstood as a DoS.
They are coming from a remote machine's tor port and going to some random port on my server, suggesting the packets are simply a reply to some connection my server opened.
The server ran fine for several months but now I get a disconnection notice several times a day. Maybe there is really a DoS, maybe their automatic DoS protection reacts too fast, maybe they are just fed up with the traffic the relay causes and want to make things hard for me.
Do you have any (educated) guesses what might be going on here?
Thank you very much,
Sebastian
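
Added example (not part of the original message or of the provider's report): one way to test the reasoning in the message above against the report, by classifying each flow according to whether the relay-side port is a listening port. It assumes the relay listens only on Tor's default ORPort 9001, which the inbound rows suggest; the function names are hypothetical and the rows are a subset copied from the report.

```python
import re
from collections import Counter

# Assumption: the relay's only listening port is Tor's default ORPort.
RELAY_LISTEN_PORTS = {9001}

# Subset of rows copied from the provider's report quoted in the message.
REPORT = """\
Source Address Source Port Destination Address Destination Port Frames
193.171.202.146 TCP:9001 82.223.21.74 TCP:61078 21440736
176.10.104.243 TCP:443 82.223.21.74 TCP:25817 11203344
144.76.14.145 TCP:143 82.223.21.74 TCP:19866 6240664
83.146.80.152 TCP:39898 82.223.21.74 TCP:9001 3041584
93.145.122.187 TCP:60469 82.223.21.74 TCP:9001 1920016
104.236.92.66 TCP:1337 82.223.21.74 TCP:48838 1760248
"""

ROW = re.compile(r"^(\S+)\s+TCP:(\d+)\s+(\S+)\s+TCP:(\d+)\s+(\d+)$")

def parse(report):
    """Yield (src_ip, src_port, dst_ip, dst_port, frames) for each data row."""
    for line in report.splitlines():
        m = ROW.match(line.strip())
        if m:  # banner and header lines do not match and are skipped
            src, sport, dst, dport, frames = m.groups()
            yield src, int(sport), dst, int(dport), int(frames)

def classify(dst_port):
    """Infer which side opened the connection from the relay-side port."""
    if dst_port in RELAY_LISTEN_PORTS:
        return "remote-initiated"  # peer connected to the relay's ORPort
    return "relay-initiated"       # traffic returns to a port the relay picked

def summarize(report):
    """Return total frames per connection class."""
    totals = Counter()
    for _src, _sport, _dst, dport, frames in parse(report):
        totals[classify(dport)] += frames
    return dict(totals)

if __name__ == "__main__":
    totals = summarize(REPORT)
    grand = sum(totals.values())
    for kind, n in sorted(totals.items()):
        print(f"{kind:17s} {n:>10d} frames ({100 * n / grand:.1f}%)")
```

A large "relay-initiated" share is consistent with return traffic on connections the relay opened to other relays. Frame counts alone do not separate ordinary relay load from a flood carried over those connections, so the result narrows the question rather than settling it.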
Hey,
Since last ddos subject here, I've added a graph on my Munin node. The graph will show the number of TCP connections used, and I think it can be useful to see if there are some spikes = may be DoS attacks...? So if you have Munin running on your relay, it can be activated by creating a symlink "/etc/munin/plugins/tcp" to "/usr/share/munin/plugins/tcp"
On 10/08/2016 at 09:39, Sebastian Niehaus wrote:
> I am not sure whether it really looks like a DoS attack or if it is just many "normal" tor packets hammering on the small server which are misunderstood as a DoS.
Oops, forgot to say on my middle relay, 5MB/s up/down, TCP sockets is usually between 3000 and 4000......
On 10/08/2016 at 10:57, Petrusko wrote:
> Hey,
> Since last ddos subject here, I've added a graph on my Munin node. The graph will show the number of TCP connections used, and I think it can be useful to see if there are some spikes = may be DoS attacks...? So if you have Munin running on your relay, it can be activated by creating a symlink "/etc/munin/plugins/tcp" to "/usr/share/munin/plugins/tcp"
> On 10/08/2016 at 09:39, Sebastian Niehaus wrote:
>> I am not sure whether it really looks like a DoS attack or if it is just many "normal" tor packets hammering on the small server which are misunderstood as a DoS.
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays