On December 26, 2014 12:41:51 PM Christian Burkert post@cburkert.de wrote:
Hi,
I'm running a non-exit Tor node for a few months now on a virtual server hosted in a professional datacenter.
Thank you !
Yesterday, December 25th, the support wrote me, that my server is under a DDoS attack with 2GBit/s lasting over more than two hours. So, the hoster black holed my traffic to protect the other customers.
I've seen this behaviour from some ISPs before and it's rather sad. If something like this happens my ISP is taking care of it without disabling my systems. I'm just getting a note with all the technical information and that's it.
The hoster wanted to know which services I'm running and told me that if I continue running Tor and further attacks will happen, then I would have to bear the costs. Eventually, I took down the Tor node to avoid further confrontation.
That's interesting, they gave you some info like the time and the amount but nothing else? Seems to me that they're pretty clueless and are fishing in the dark. Another reason for their behaviour could be that they want to get rid of you / your Tor node. Threatening customers is really sad, sounds like they heard the word Tor from you and then concluded "oh, then he basically asked for the attack".
Now I seek for your interpretation of this event:
- Has there been more recent incidents against Tor nodes?
Nothing with that magnitude on my end for weeks.
- How can I investigate it?
You can ask your ISP for their logs regarding that attack. Do you have any logs on your system, maybe from an intrusion detection or anything else?
- How should one react to a hoster? I mean they could have made up the whole thing...
If you are already considering this then I would recommend changing to another ISP, sounds like there is already some distrust.
Looking forward to your comments
Chris
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Sebastian Urbach wrote on 26/12/14 at 14:05:
On December 26, 2014 12:41:51 PM Christian Burkert post@cburkert.de wrote:
Hi,
I'm running a non-exit Tor node for a few months now on a virtual server hosted in a professional datacenter.
Thank you !
Yesterday, December 25th, the support wrote me, that my server is under a DDoS attack with 2GBit/s lasting over more than two hours. So, the hoster black holed my traffic to protect the other customers.
I've seen this behaviour from some ISPs before and it's rather sad. If something like this happens my ISP is taking care of it without disabling my systems. I'm just getting a note with all the technical information and that's it.
The hoster wanted to know which services I'm running and told me that if I continue running Tor and further attacks will happen, then I would have to bear the costs. Eventually, I took down the Tor node to avoid further confrontation.
That's interesting, they gave you some info like the time and the amount but nothing else? Seems to me that they're pretty clueless and are fishing in the dark. Another reason for their behaviour could be that they want to get rid of you / your Tor node. Threatening customers is really sad, sounds like they heard the word Tor from you and then concluded "oh, then he basically asked for the attack".
Now I seek for your interpretation of this event:
- Has there been more recent incidents against Tor nodes?
Nothing with that magnitude on my end for weeks.
- How can I investigate it?
You can ask your ISP for their logs regarding that attack. Do you have any logs on your system, maybe from an intrusion detection or anything else?
- How should one react to a hoster? I mean they could have made up the whole thing...
If you are already considering this then I would recommend changing to another ISP, sounds like there is already some distrust.
Looking forward to your comments
Chris
In the context of a shared virtual server (VPS), null-routing traffic seems like a good way to protect other customers on the same machine. It's common for VPS hosts to have a single or double 1Gbit/s link to each machine, and a 2Gbit/s DDoS attack would cause that to be completely utilized, disrupting service for other customers.
I haven't seen any significant attacks on my Tor nodes recently. There's the usual 1Gbit/s spike for a few minutes sometimes, but they never last long.
Tom