
Hi *,

I've been running a non-exit Tor node for a few months now on a virtual server hosted in a professional datacenter.

That's the node: https://globe.torproject.org/#/relay/4C246EA9C950B872FD77F761CEAAB41D93D9764...

Yesterday, December 25th, support wrote to me that my server was under a DDoS attack with 2GBit/s lasting more than two hours. So, the hoster black-holed my traffic to protect the other customers.

The hoster wanted to know which services I'm running and told me that if I continue running Tor and further attacks happen, then I would have to bear the costs. Eventually, I took down the Tor node to avoid further confrontation.

Now I seek your interpretation of this event:
- Have there been more recent incidents against Tor nodes?
- How can I investigate it?
- How should one react to a hoster? I mean they could have made up the whole thing...

Looking forward to your comments
Chris

Hi,

My advice is to try to ask them if they are OK to give you a second chance to keep your relay running. Tell them that if such a big attack happens again, you will shut it down and won't disturb them with it anymore.

Also, a "Good Point" to get, if it's not already done: set your reverse DNS to something that hackers will instantly recognize (torproxy.something.readme ...). It reduces the risk of DDoS problems (those who drive DDoS attacks often know what Tor is; maybe some of them are using it every day). Tell your ISP if you do so, in order to let them know that you improved something to reduce the risk of it happening again.

On one of my relays, enabling that after months without made a very, very big difference (several DDoS per month -> nothing now).

If your relay has been running for several months now without any problem, and if most of the DDoS attacks should be smaller than the one you got, maybe they can be OK with a second chance!

Good luck ;)

----- Original message -----
From: "Christian Burkert" <post@cburkert.de>
To: tor-relays@lists.torproject.org
Sent: Friday 26 December 2014 12:32:19
Subject: [tor-relays] Possible DDoS

Firstly, thanks for your advice. Since I'm personally fed up with this provider, I'll move my Tor node anyway. This last DDoS handling was just the last straw. But before I discourage others from choosing this hosting provider, I wanted to check the facts behind this DDoS attack, but within my own log files, I can see nothing helpful. I'm going to ask the provider for further information.

Putting a Tor hint into the reverse DNS entry sounds like a great idea. I wouldn't have thought that this actually stops people from attacking your server. Thanks!

Furthermore, I wondered if the attackers were attracted to my system because of the Tor service, or were just randomly picking targets. But from your previous descriptions, I rather deduce that it is more like the latter, rather random attacks, right?

Anyway, I'll keep you informed about my investigations of the attack if you like.

Regards,
Chris

On Friday 26 December 2014 15:48:20 Christian Burkert wrote:
> Furthermore, I wondered if the attackers were attracted to my system because of the Tor service, or were just randomly picking targets. But from your previous descriptions, I rather deduce that it is more like the latter, rather random attacks, right?

DDOS happen from time to time. During 4 years operating high capacity relays I saw no DDOS lasting longer than a couple of minutes. Probably what you experience is just some random attack.

Regards, Torland

Hey,

My guard node was DDoS'd for about 15 minutes on December 17. My inner paranoid thought this was related to the ongoing crackdown on hidden services (from the authorities, or whoever else) but now I'm not so sure.

Regards,

-- 
Jean-Philippe Décarie-Mathieu
jp@jpdm.org - PGP: 0x2D61F80F
http://www.jpdm.org/

participants (4)
- Christian Burkert
- Jean-Philippe Décarie-Mathieu
- Julien ROBIN
- tor-admin@torland.me