Hello everyone,
I noticed something a little bit "odd" on one of my exit relays recently, and I just wanted to ask whether anybody might be able to account for what was actually happening, and whether it's likely to warrant any further investigation?
TLDR; I noticed a fairly significant spike - in excess of 30MB/s (yes, megabytes) - of outbound traffic compared to inbound.
http://s2.postimg.org/cvfzqvrsp/graph.png
It persisted steadily for just over an hour, until I noticed what was going on and restarted Tor (not the whole server, only Tor), at which point my traffic appeared to return to normal again.
I have this relay running a a dedicated machine, with multiple physical NICs, and the ONLY thing which should be touching this NIC is my Tor traffic.
Thoughts?
On 23 Dec 2015, at 19:32, David Tomic david@tomic.com.au wrote:
Hello everyone,
I noticed something a little bit "odd" on one of my exit relays recently, and I just wanted to ask whether anybody might be able to account for what was actually happening, and whether it's likely to warrant any further investigation?
TLDR; I noticed a fairly significant spike - in excess of 30MB/s (yes, megabytes) - of outbound traffic compared to inbound.
http://s2.postimg.org/cvfzqvrsp/graph.png http://s2.postimg.org/cvfzqvrsp/graph.png
It persisted steadily for just over an hour, until I noticed what was going on and restarted Tor (not the whole server, only Tor), at which point my traffic appeared to return to normal again.
I have this relay running a a dedicated machine, with multiple physical NICs, and the ONLY thing which should be touching this NIC is my Tor traffic.
Thoughts?
Exit relays can end up with large traffic disparities for two reasons: * small internet server requests can yield large internet server responses, or vice versa * Tor cells are 512 bytes, if a small request or small response is embedded in a cell, the overhead can be quite large
This could happen because someone is uploading or downloading a large file. But 30MB/s would probably require more than one client at the same time.
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP 968F094B
teor at blah dot im OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
Hi,
In fact, this is strange because Upload means that the server is receiving something to send, idem for Downloads : upload and download should be the same if the Tor Process is used as server only (relay or exit).
For a Tor process, the only normal way to do this, is to be using the socks port (client side) of the Tor Process ! At least, it's the only normal way I know.
Good luck for your investigations Julien ROBIN
----- Mail original ----- De: "Tim Wilson-Brown - teor" teor2345@gmail.com À: tor-relays@lists.torproject.org Envoyé: Mardi 29 Décembre 2015 01:48:02 Objet: Re: [tor-relays] Sustained large spike in outbound traffic - what might be going on?
On 23 Dec 2015, at 19:32, David Tomic < david@tomic.com.au > wrote:
Hello everyone,
I noticed something a little bit "odd" on one of my exit relays recently, and I just wanted to ask whether anybody might be able to account for what was actually happening, and whether it's likely to warrant any further investigation?
TLDR; I noticed a fairly significant spike - in excess of 30MB/s (yes, megabytes) - of outbound traffic compared to inbound.
http://s2.postimg.org/cvfzqvrsp/graph.png
It persisted steadily for just over an hour, until I noticed what was going on and restarted Tor (not the whole server, only Tor), at which point my traffic appeared to return to normal again.
I have this relay running a a dedicated machine, with multiple physical NICs, and the ONLY thing which should be touching this NIC is my Tor traffic.
Thoughts?
Exit relays can end up with large traffic disparities for two reasons: * small internet server requests can yield large internet server responses, or vice versa * Tor cells are 512 bytes, if a small request or small response is embedded in a cell, the overhead can be quite large
This could happen because someone is uploading or downloading a large file. But 30MB/s would probably require more than one client at the same time.
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP 968F094B
teor at blah dot im OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On 29 Dec 2015, at 22:44, Julien ROBIN julien.robin28@free.fr wrote:
Hi,
In fact, this is strange because Upload means that the server is receiving something to send, idem for Downloads : upload and download should be the same if the Tor Process is used as server only (relay or exit).
Yes, you're right, my original email was mistaken - any uploads or downloads go in via tor and out to the Internet (or vice versa).
The only things I can think of that could cause an increase in outbound traffic are: * cell padding for many small internet server responses (up to 512x for a 1-byte response), * becoming a hidden service directory for a popular hidden service, * having a lot of clients download directory documents at once (this shouldn't happen, client directory downloads are randomised), * having clients make lots of DNS requests via your exit (again, this shouldn't happen, DNS requests are limited size).
I don't know of any other attack or request that amplifies outbound traffic via tor or otherwise, but there may be some. Perhaps you could see what kind of traffic you are sending if it happens again. (It's hard to help without more information.)
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP 968F094B
teor at blah dot im OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
Thanks guys. I have been keeping a close(r) eye on this server since it originally happened, but so far it seems to be behaving itself again. I'll be ready to capture some more detailed data if it does decide to happen again though.
On 29 December 2015 at 22:53, Tim Wilson-Brown - teor teor2345@gmail.com wrote:
On 29 Dec 2015, at 22:44, Julien ROBIN julien.robin28@free.fr wrote:
Hi,
In fact, this is strange because Upload means that the server is receiving something to send, idem for Downloads : upload and download should be the same if the Tor Process is used as server only (relay or exit).
Yes, you're right, my original email was mistaken - any uploads or downloads go in via tor and out to the Internet (or vice versa).
The only things I can think of that could cause an increase in outbound traffic are:
- cell padding for many small internet server responses (up to 512x for a
1-byte response),
- becoming a hidden service directory for a popular hidden service,
- having a lot of clients download directory documents at once (this
shouldn't happen, client directory downloads are randomised),
- having clients make lots of DNS requests via your exit (again, this
shouldn't happen, DNS requests are limited size).
I don't know of any other attack or request that amplifies outbound traffic via tor or otherwise, but there may be some. Perhaps you could see what kind of traffic you are sending if it happens again. (It's hard to help without more information.)
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP 968F094B
teor at blah dot im OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
On 12/29/2015 12:53 PM, Tim Wilson-Brown - teor wrote:
I don't know of any other attack or request that amplifies outbound traffic via tor or otherwise, but there may be some.
I did experienced too a gap of incoming versus outgoing of about 30% and more few times in the past at an exit relay, having an advertised bandwidth of 8 MB/sec. That gap persists over a day or so and then vanished.
- -- Toralf, pgp: C4EACDDE 0076E94E
On 30 Dec 2015, at 08:19, Toralf Förster toralf.foerster@gmx.de wrote:
Signed PGP part On 12/29/2015 12:53 PM, Tim Wilson-Brown - teor wrote:
I don't know of any other attack or request that amplifies outbound traffic via tor or otherwise, but there may be some.
I did experienced too a gap of incoming versus outgoing of about 30% and more few times in the past at an exit relay, having an advertised bandwidth of 8 MB/sec. That gap persists over a day or so and then vanished.
A day is the HSDir rotation period, perhaps there is a popular hidden service which serves 8-30MB/s worth of descriptors.
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP 968F094B
teor at blah dot im OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
tor-relays@lists.torproject.org
-
David Tomic -
Julien ROBIN -
Tim Wilson-Brown - teor -
Toralf Förster