DoS attack on Tor exit relay

Hello Tor users,

Help me with a problem please. I have a small exit/backup & directory VPS in Finland [1]. This last week the server (and Tor) have been overwhelmed with non-Tor IP addresses. This may be a small version of a DoS attack. I took the server down for a few days but when I restarted it the attack was there before Tor users. Eventually, the load caused a kernel crash. I noticed this last week, that my Consensus Weight had dropped from 5500 to 68. Does anyone have an efficient way to defeat this ongoing attack?

--potlatch

[1] 9B31F1F1C1554F9FFB3455911F82E818EF7C7883 TorExitFinland

Sent with [ProtonMail](https://protonmail.com) Secure Email.

You can install fail2ban. Have you an external firewall?

On 31.07.2019 at 05:14, potlatch <potlatch@protonmail.com> wrote:
> Hello Tor users, Help me with a problem please. I have a small exit/backup & directory VPS in Finland [1]. This last week the server (and Tor) have been overwhelmed with non-Tor IP addresses. This may be a small version of a DoS attack. I took the server down for a few days but when I restarted it the attack was there before Tor users. Eventually, the load caused a kernel crash. I noticed this last week, that my Consensus Weight had dropped from 5500 to 68. Does anyone have an efficient way to defeat this ongoing attack? --potlatch
>
> [1] 9B31F1F1C1554F9FFB3455911F82E818EF7C7883 TorExitFinland
>
> Sent with ProtonMail Secure Email.
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

And is there a firewall on the torexit?

On 31.07.2019 at 11:40, TorGate <torgate@linux-hus.dk> wrote:
> You can install fail2ban. Have you an external firewall?

Reboot your connected device through hw

Sent from ProtonMail mobile

-------- Original Message --------
On 31 Jul 2019, 18.27, Larry Brandt wrote:

> Yes, I have fail2ban installed but the attack is focused on my ORPort 9001. Similarly, I have an external firewall but it permits 9001 port passage.
> Thanks for the thoughts, though, --potlatch
--
1. When a distinguished but elderly scientist states that something is possible, he is almost certainly right. When he states that something is impossible, he is very probably wrong.
2. The only way of discovering the limits of the possible is to venture a little way past them into the impossible.
3. Any sufficiently advanced technology is indistinguishable from magic.
- Arthur C. Clarke

Hi,

> On 1 Aug 2019, at 02:27, Larry Brandt <lbrandt@cni.net> wrote:
> Yes, I have fail2ban installed but the attack is focused on my ORPort 9001. Similarly, I have an external firewall but it permits 9001 port passage.

If you're trying to prevent too many connections, you can adjust the DoS torrc options:

DoSConnectionEnabled 1
DoSConnectionMaxConcurrentCount 1
DoSConnectionDefenseType 2

If that works, try adjusting DoSConnectionMaxConcurrentCount a bit higher: 10 or 25 are good values.

T

--
teor
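An added example, not part of teor's message or of Tor's own code: it counts established connections per source address on ORPort 9001, the per-address quantity that DoSConnectionMaxConcurrentCount caps, and it handles IPv6 and IPv4-mapped peers as well. The `ss -Htn` sample is constructed, and the function names and the `known_relays` allowlist are assumptions of this example.

```python
import ipaddress
from collections import Counter

OR_PORT = 9001   # ORPort named in the thread
THRESHOLD = 10   # one of the values suggested for DoSConnectionMaxConcurrentCount

# Constructed sample in the column layout of `ss -Htn`; every address is from a
# documentation range, none is taken from the thread.
SAMPLE = "\n".join(
    [f"ESTAB 0 0 192.0.2.10:9001 198.51.100.7:{40000 + i}" for i in range(14)]
    + [f"ESTAB 0 0 [2001:db8::10]:9001 [2001:db8::bad]:{50000 + i}" for i in range(12)]
    + ["ESTAB 0 0 [::ffff:192.0.2.10]:9001 [::ffff:198.51.100.7]:41000",
       "ESTAB 0 0 192.0.2.10:9001 203.0.113.5:51000",
       "ESTAB 0 0 192.0.2.10:44321 203.0.113.9:9001",    # outbound, not a client
       "SYN-RECV 0 0 192.0.2.10:9001 203.0.113.77:52000"]
)

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    ip = ipaddress.ip_address(host.strip("[]").split("%", 1)[0])
    if ip.version == 6 and ip.ipv4_mapped:   # fold ::ffff:a.b.c.d onto IPv4
        ip = ip.ipv4_mapped
    return ip, int(port)

def concurrent_by_peer(ss_output, or_port=OR_PORT):
    """Count established inbound connections to the ORPort per source address."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue
        try:
            _, local_port = split_endpoint(fields[3])
            peer_ip, _ = split_endpoint(fields[4])
        except ValueError:
            continue   # header or malformed line
        if local_port == or_port:
            counts[str(peer_ip)] += 1
    return counts

def over_threshold(counts, threshold=THRESHOLD, known_relays=frozenset()):
    """Addresses above the limit, skipping an operator-supplied relay allowlist."""
    return sorted((ip, n) for ip, n in counts.items()
                  if n > threshold and ip not in known_relays)

if __name__ == "__main__":
    for ip, n in over_threshold(concurrent_by_peer(SAMPLE)):
        print(f"{ip}\t{n} concurrent connections on port {OR_PORT}")
```

On a relay, the text passed to `concurrent_by_peer` would be the output of `ss -Htn` instead of `SAMPLE`.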

Can we have your fail2ban scripts for the OR port? The jail and rules?

Gerry

-----Original Message-----
From: tor-relays <tor-relays-bounces@lists.torproject.org> On Behalf Of teor
Sent: 01 August 2019 00:28
To: tor-relays@lists.torproject.org
Subject: Re: [tor-relays] DoS attack on Tor exit relay

> Hi,
>
>> On 1 Aug 2019, at 02:27, Larry Brandt <lbrandt@cni.net> wrote:
>> Yes, I have fail2ban installed but the attack is focused on my ORPort 9001. Similarly, I have an external firewall but it permits 9001 port passage.
>
> If you're trying to prevent too many connections, you can adjust the DoS torrc options:
>
> DoSConnectionEnabled 1
> DoSConnectionMaxConcurrentCount 1
> DoSConnectionDefenseType 2
>
> If that works, try adjusting DoSConnectionMaxConcurrentCount a bit higher: 10 or 25 are good values.
>
> T
>
> --
> teor

Gerry,

At this point I have no working scripts for Tor/fail2ban. Be happy to share if they ever materialize. Fail2ban is sorely lacking documentation--or at least I can't find detailed docs. I downloaded fail2ban on current debian and ubuntu VPS and got different version numbers--none were the current release. Stay tuned or give a hand.

-potlatch

Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, August 1, 2019 4:16 AM, <gerard@bulger.co.uk> wrote:

> Can we have your fail2ban scripts for the OR port? The jail and rules?
>
> Gerry

Thanks. I just could not see how Fail2ban would work on an ORPort. What log would it look at? What criteria for the jail? The fail2ban on my non-Tor VPS does not yet work with IPv6, which is partly the nature of IPv6 rather than a programming issue. I did not realise IPv6 was ignored until a weak email account was found. So I firewalled off most IPv6 ports instead.

-----Original Message-----
From: tor-relays <tor-relays-bounces@lists.torproject.org> On Behalf Of potlatch
Sent: 05 August 2019 00:04
To: tor-relays@lists.torproject.org
Subject: Re: [tor-relays] DoS attack on Tor exit relay

> Gerry,
> At this point I have no working scripts for Tor/fail2ban. Be happy to share if they ever materialize. Fail2ban is sorely lacking documentation--or at least I can't find detailed docs. I downloaded fail2ban on current debian and ubuntu VPS and got different version numbers--none were the current release. Stay tuned or give a hand.
> -potlatch
>
> Sent with ProtonMail Secure Email.
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Thursday, August 1, 2019 4:16 AM, <gerard@bulger.co.uk> wrote:
>
>> Can we have your fail2ban scripts for the OR port? The jail and rules?
>>
>> Gerry

You can try this: https://www.configserver.com/cp/csf.html

> Thanks. I just could not see how Fail2ban would work on an ORPort. What log would it look at? What criteria for the jail? The fail2ban on my non-Tor VPS does not yet work with IPv6, which is partly the nature of IPv6 rather than a programming issue. I did not realise IPv6 was ignored until a weak email account was found. So I firewalled off most IPv6 ports instead.

On 06.08.2019 12:57, gerard@bulger.co.uk wrote:
> Thanks. I just could not see how Fail2ban would work on an ORPort. What log would it look at? What criteria for the jail? The fail2ban on my non-Tor VPS does not yet work with IPv6, which is partly the nature of IPv6 rather than a programming issue. I did not realise IPv6 was ignored until a weak email account was found. So I firewalled off most IPv6 ports instead.

fail2ban supports IPv6 since version 0.10

--
Ciao Marco!
participants (7)
- David Poulsen
- gerard@bulger.co.uk
- Larry Brandt
- lists@for-privacy.net
- potlatch
- teor
- TorGate