Sustained large spike in outbound traffic - what might be going on?

Hello everyone,

I noticed something a little bit "odd" on one of my exit relays recently, and I just wanted to ask whether anybody might be able to account for what was actually happening, and whether it's likely to warrant any further investigation?

TLDR; I noticed a fairly significant spike - in excess of 30MB/s (yes, megabytes) - of outbound traffic compared to inbound.

http://s2.postimg.org/cvfzqvrsp/graph.png

It persisted steadily for just over an hour, until I noticed what was going on and restarted Tor (not the whole server, only Tor), at which point my traffic appeared to return to normal again.

I have this relay running on a dedicated machine, with multiple physical NICs, and the ONLY thing which should be touching this NIC is my Tor traffic.

Thoughts?

On 23 Dec 2015, at 19:32, David Tomic <david@tomic.com.au> wrote:
Hello everyone,
I noticed something a little bit "odd" on one of my exit relays recently, and I just wanted to ask whether anybody might be able to account for what was actually happening, and whether it's likely to warrant any further investigation?
TLDR; I noticed a fairly significant spike - in excess of 30MB/s (yes, megabytes) - of outbound traffic compared to inbound.
http://s2.postimg.org/cvfzqvrsp/graph.png
It persisted steadily for just over an hour, until I noticed what was going on and restarted Tor (not the whole server, only Tor), at which point my traffic appeared to return to normal again.
I have this relay running on a dedicated machine, with multiple physical NICs, and the ONLY thing which should be touching this NIC is my Tor traffic.
Thoughts?
Exit relays can end up with large traffic disparities for two reasons:
* small internet server requests can yield large internet server responses, or vice versa
* Tor cells are 512 bytes, if a small request or small response is embedded in a cell, the overhead can be quite large

This could happen because someone is uploading or downloading a large file. But 30MB/s would probably require more than one client at the same time.

Tim

Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP 968F094B
teor at blah dot im OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
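Added example (not from anyone in the thread, and not Tor's own code): a small model of the second point above, cell padding. It uses the 512-byte cell size quoted in the message and assumes 498 usable stream-data bytes per RELAY cell (the RELAY_PAYLOAD_LEN from tor-spec); it treats the client side of an exit as cell-padded and the internet side as raw, and ignores TLS/TCP/IP framing. It goes a step beyond the message by modelling both directions at once, which shows that the inbound/outbound balance on the NIC depends on the request/response size mix, not only on response size.

```python
# Added example (not from the thread): model how 512-byte Tor cells inflate
# the byte count of small requests/responses crossing an exit relay.
import math

CELL_LEN = 512            # cell size quoted in the thread
RELAY_PAYLOAD_LEN = 498   # stream data bytes per RELAY cell (tor-spec RELAY_PAYLOAD_LEN)


def cells_for(nbytes):
    """Number of RELAY cells needed to carry nbytes of stream data."""
    if nbytes <= 0:
        return 0
    return math.ceil(nbytes / RELAY_PAYLOAD_LEN)


def wire_bytes(nbytes):
    """Bytes on the Tor-side link once nbytes of stream data are packed into cells."""
    return cells_for(nbytes) * CELL_LEN


def amplification(nbytes):
    """Tor-side bytes per raw byte: 512 for a 1-byte message, about 1.03 for a full cell."""
    return wire_bytes(nbytes) / nbytes


def exit_nic_totals(exchanges):
    """exchanges: (request_bytes, response_bytes) pairs, one per stream.

    Returns (inbound, outbound) byte totals as seen on the exit's NIC. The
    client side is cell-padded, the internet side is raw; framing is ignored.
    """
    inbound = outbound = 0
    for req, resp in exchanges:
        inbound += wire_bytes(req) + resp     # padded cells from clients + raw server responses
        outbound += req + wire_bytes(resp)    # raw requests to servers + padded cells back to clients
    return inbound, outbound


def outbound_ratio(exchanges):
    """outbound/inbound byte ratio; above 1 means the NIC sends more than it receives."""
    inbound, outbound = exit_nic_totals(exchanges)
    return outbound / inbound if inbound else float("inf")


if __name__ == "__main__":
    # Constructed traffic mixes: (request_bytes, response_bytes) per stream.
    tiny_responses = [(400, 1)] * 1000       # many 1-byte replies to ~400-byte requests
    bulk_download = [(400, 50_000_000)]      # one large file fetched through the exit
    print("tiny responses  out/in = %.2f" % outbound_ratio(tiny_responses))
    print("bulk download   out/in = %.2f" % outbound_ratio(bulk_download))
```

With these constructed mixes the 1-byte-reply case comes out at roughly 1.8 times more outbound than inbound, while the bulk download sits near 1.03, because the padding is nearly the same in both directions once cells are full. Real link traffic also carries TLS records and TCP/IP headers, so measured ratios will differ from this model.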

Hi,

In fact, this is strange because Upload means that the server is receiving something to send, idem for Downloads: upload and download should be the same if the Tor Process is used as server only (relay or exit).

For a Tor process, the only normal way to do this is to be using the socks port (client side) of the Tor Process! At least, it's the only normal way I know.

Good luck with your investigations

Julien ROBIN

On 29 Dec 2015, at 22:44, Julien ROBIN <julien.robin28@free.fr> wrote:
Hi,
In fact, this is strange because Upload means that the server is receiving something to send, idem for Downloads : upload and download should be the same if the Tor Process is used as server only (relay or exit).
Yes, you're right, my original email was mistaken - any uploads or downloads go in via tor and out to the Internet (or vice versa).

The only things I can think of that could cause an increase in outbound traffic are:
* cell padding for many small internet server responses (up to 512x for a 1-byte response),
* becoming a hidden service directory for a popular hidden service,
* having a lot of clients download directory documents at once (this shouldn't happen, client directory downloads are randomised),
* having clients make lots of DNS requests via your exit (again, this shouldn't happen, DNS requests are limited size).

I don't know of any other attack or request that amplifies outbound traffic via tor or otherwise, but there may be some. Perhaps you could see what kind of traffic you are sending if it happens again. (It's hard to help without more information.)

Tim

Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP 968F094B
teor at blah dot im OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
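Added example (not from anyone in the thread): the suggestion above is to look at what the relay is sending the next time this happens, and the first step is noticing it promptly rather than an hour in. The script below reads the byte counters of the Tor-only NIC from /proc/net/dev (the standard Linux format; the interface name `eth1` is an assumption), turns periodic readings into per-interval rates, and flags only a sustained outbound/inbound disparity, so a single large download or a short burst of small responses does not trigger it. The sample readings and thresholds (2x ratio, 20 MB/s, three consecutive minutes) are constructed for the example.

```python
# Added example (not from the thread): flag a sustained outbound/inbound
# byte-rate disparity on the relay's NIC from periodic /proc/net/dev readings.
from collections import namedtuple

Sample = namedtuple("Sample", "t rx tx")   # t: seconds; rx/tx: cumulative byte counters


def parse_proc_net_dev(text, iface):
    """Return (rx_bytes, tx_bytes) for iface from the contents of /proc/net/dev."""
    for line in text.splitlines():
        if ":" not in line:
            continue                      # the two header lines
        name, rest = line.split(":", 1)
        if name.strip() != iface:
            continue
        fields = rest.split()
        return int(fields[0]), int(fields[8])   # receive bytes, transmit bytes
    raise KeyError("interface %s not found" % iface)


def interval_rates(samples):
    """Per-interval (start_t, rx_bytes_per_s, tx_bytes_per_s) from cumulative counters."""
    rates = []
    for a, b in zip(samples, samples[1:]):
        dt = b.t - a.t
        if dt <= 0:
            continue
        rates.append((a.t, (b.rx - a.rx) / dt, (b.tx - a.tx) / dt))
    return rates


def sustained_disparity(samples, ratio=2.0, min_tx=20_000_000, min_intervals=3):
    """Windows (start_t, end_t) where tx >= ratio * rx and tx >= min_tx bytes/s
    for at least min_intervals consecutive intervals."""
    windows, run = [], []
    for t, rx, tx in interval_rates(samples):
        if tx >= min_tx and tx >= ratio * max(rx, 1.0):
            run.append(t)
            continue
        if len(run) >= min_intervals:
            windows.append((run[0], t))
        run = []
    if len(run) >= min_intervals:
        windows.append((run[0], samples[-1].t))
    return windows


def build_samples(rates_mbps, period=60):
    """Turn constructed per-interval (rx, tx) MB/s figures into cumulative counters."""
    samples = [Sample(0, 0, 0)]
    for rx, tx in rates_mbps:
        prev = samples[-1]
        samples.append(Sample(prev.t + period,
                              prev.rx + rx * 1_000_000 * period,
                              prev.tx + tx * 1_000_000 * period))
    return samples


# Constructed one-minute readings: steady 8 MB/s both ways, then five minutes
# where outbound jumps to about 40 MB/s while inbound stays at 8, then back to normal.
RATES_MBPS = [(8, 8), (8, 9), (8, 8), (8, 40), (9, 41), (8, 40), (8, 39), (8, 40), (8, 8), (8, 8)]
SAMPLES = build_samples(RATES_MBPS)

# Constructed /proc/net/dev excerpt; eth1 stands in for the Tor-only NIC.
PROC_NET_DEV = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:     1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
  eth1: 480000000  400000    0    0    0     0          0         0 2400000000  800000    0    0    0     0       0          0
"""

if __name__ == "__main__":
    print(parse_proc_net_dev(PROC_NET_DEV, "eth1"))
    for start, end in sustained_disparity(SAMPLES):
        print("sustained outbound disparity from t=%ds to t=%ds" % (start, end))
```

On a live relay you would call parse_proc_net_dev on the real file once a minute, keep the last few readings as Sample tuples, and run sustained_disparity over them; when it returns a window, that is the moment to start a packet capture on the NIC so there is something concrete to look at afterwards.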

Thanks guys.

I have been keeping a close(r) eye on this server since it originally happened, but so far it seems to be behaving itself again. I'll be ready to capture some more detailed data if it does decide to happen again though.

On 29 December 2015 at 22:53, Tim Wilson-Brown - teor <teor2345@gmail.com> wrote:
On 29 Dec 2015, at 22:44, Julien ROBIN <julien.robin28@free.fr> wrote:
Hi,
In fact, this is strange because Upload means that the server is receiving something to send, idem for Downloads : upload and download should be the same if the Tor Process is used as server only (relay or exit).
Yes, you're right, my original email was mistaken - any uploads or downloads go in via tor and out to the Internet (or vice versa).
The only things I can think of that could cause an increase in outbound traffic are:
* cell padding for many small internet server responses (up to 512x for a 1-byte response),
* becoming a hidden service directory for a popular hidden service,
* having a lot of clients download directory documents at once (this shouldn't happen, client directory downloads are randomised),
* having clients make lots of DNS requests via your exit (again, this shouldn't happen, DNS requests are limited size).
I don't know of any other attack or request that amplifies outbound traffic via tor or otherwise, but there may be some. Perhaps you could see what kind of traffic you are sending if it happens again. (It's hard to help without more information.)
Tim

On 12/29/2015 12:53 PM, Tim Wilson-Brown - teor wrote:
I don't know of any other attack or request that amplifies outbound traffic via tor or otherwise, but there may be some.
I too experienced a gap of incoming versus outgoing of about 30% and more a few times in the past at an exit relay, having an advertised bandwidth of 8 MB/sec. That gap persisted over a day or so and then vanished.

--
Toralf, pgp: C4EACDDE 0076E94E

On 30 Dec 2015, at 08:19, Toralf Förster <toralf.foerster@gmx.de> wrote:
On 12/29/2015 12:53 PM, Tim Wilson-Brown - teor wrote:
I don't know of any other attack or request that amplifies outbound traffic via tor or otherwise, but there may be some.
I too experienced a gap of incoming versus outgoing of about 30% and more a few times in the past at an exit relay, having an advertised bandwidth of 8 MB/sec. That gap persisted over a day or so and then vanished.
A day is the HSDir rotation period, perhaps there is a popular hidden service which serves 8-30MB/s worth of descriptors.

Tim

Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP 968F094B
teor at blah dot im OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F