hi y'all,
one of my relays got suspended today, because of heavy ddos traffic.
*Hello,*
*Today your VPS IP address was heavily attacked by a large DDoS, so we were forced to suspend the VPS and null the IP for the time being, since it had overloaded our upstream provider. We are keeping an eye on the situation, however in the meantime you will want to get your site behind a DDoS filter such as CloudFlare.*
*Let us know if you have any further questions.*
*Thank you!*
*Adam*
has any of you seen this behaviour? I think there is no use in putting a relay behind a ddos filter, or is there? In that case I'll just spin up another one.
relay in question is this one, almost 7 months with no interruption whatsoever, no indication in the (munin) monitoring for high or higher traffic... because the vps is suspended I don't have the latest syslog so I don't know for sure whether anything has shown up there, but I am quite sure that yesterday there were no abnormal logging entries on this server.
https://metrics.torproject.org/rs.html#details/CDE4149F0DC65A7BE1AE440340BE1...
rgds, Paul
Dear Adam & Paul,
There has been quite unusual traffic here in Denmark too. I am situated on the island of Als, running on STOFA A/S and TDC Yousee A/S networks, which are being redirected as if the relays were under DDoS attack, by taking over the link and being a man in the middle? Relays, bridges and exits have not been trustable and many certificates are wrong, so do a double, triple check even if you are connected to Tor networks!
Regards,
David
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Sunday, October 25, 2020 8:15 PM, Paul Geurts paulus@pollekeg.com wrote:
> hi y'all,
> one of my relays got suspended today, because of heavy ddos traffic.
>
> Hello,
> Today your VPS IP address was heavily attacked by a large DDoS, so we were forced to suspend the VPS and null the IP for the time being, since it had overloaded our upstream provider. We are keeping an eye on the situation, however in the meantime you will want to get your site behind a DDoS filter such as CloudFlare.
> Let us know if you have any further questions.
> Thank you!
> Adam
>
> has any of you seen this behaviour? I think there is no use in putting a relay behind a ddos filter, or is there? In that case I'll just spin up another one.
> relay in question is this one, almost 7 months with no interruption whatsoever, no indication in the (munin) monitoring for high or higher traffic... because the vps is suspended I don't have the latest syslog so I don't know for sure whether anything has shown up there, but I am quite sure that yesterday there were no abnormal logging entries on this server.
> https://metrics.torproject.org/rs.html#details/CDE4149F0DC65A7BE1AE440340BE1...
> rgds, Paul
Hello Paul,
On 10/25/20 9:15 PM, Paul Geurts wrote:
> has any of you seen this behaviour? I think there is no use in putting a

Right, there is no point in doing that. Usually such DDoS last a few hours max.

> relay behind a ddos filter, or is there? In that case I'll just spin up another one.

Not necessary in this case, just ask them when they remove the Null route and try if the relay is reachable again. If it happens frequently then you should revisit this problem.

> relay in question is this one, almost 7 months with no interruption whatsoever, no indication in the (munin) monitoring for high or higher traffic... because the vps is suspended I don't have the latest syslog so I don't know for sure whether anything has shown up there, but I am quite sure that yesterday there were no abnormal logging entries on this server.

For the next time you can try to set up SSH as a hidden service, then you can probably still connect to the relay by SSH via Tor, as they usually don't suspend the VPS but just don't route the incoming traffic. Outgoing traffic usually works, so the .onion SSH should work.
Regards yl
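A sketch of the SSH-over-onion setup suggested in the message above, added here as an example and not part of any poster's message. The file paths, the `relay-onion` alias, the `admin` user and the local SOCKS port are assumptions; the onion address is a placeholder.

```conf
# --- /etc/tor/torrc on the relay (path assumed, Debian-style layout) ---
# Onion service that forwards port 22 to the local sshd. The service is
# reached over circuits the relay builds outbound, so it does not depend
# on inbound routing to the null-routed IP.
HiddenServiceDir /var/lib/tor/ssh_onion/
HiddenServicePort 22 127.0.0.1:22

# After reloading tor, the .onion address is written to
# /var/lib/tor/ssh_onion/hostname. Copy it off the server now; it cannot
# be read once the IP is null-routed.
#
# tor logs a warning when one instance is both a relay and an onion
# service. The relay's location is public anyway, so this service is for
# reachability only, not for hiding where the server is.

# --- ~/.ssh/config on the admin workstation ---
# Assumes a local Tor client with its SOCKS port on 127.0.0.1:9050 and
# OpenBSD netcat (the -X/-x proxy options).
# HostName is a placeholder: use the contents of the hostname file.
Host relay-onion
    HostName REPLACE-WITH-ONION-ADDRESS.onion
    User admin
    ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
```

With both parts in place, `ssh relay-onion` connects through Tor; test it once while the relay is still reachable normally, so the path is known to work before it is needed.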
Paul Geurts paulus@pollekeg.com wrote:
*Today your VPS IP address was heavily attacked by a large DDoS, so we were forced to suspend the VPS and null the IP for the time being, since it had overloaded our upstream provider. We are keeping an eye on the situation, however in the meantime you will want to get your site behind a DDoS filter such as CloudFlare.*
The fact that they are suggesting that you rush to centralization and Cloudflare is already reason enough to flee them.
Also, it is legitimate that they block traffic to that IP for the time of the attack but suspending the whole service permanently is irresponsible. The attacker must be very satisfied.
Based on the relay's page, it looks like it was IPv6 capable which means that they could have blocked the v4 traffic while keeping your VM up and reachable in v6...
tor-relays@lists.torproject.org