Recently I noticed excessive DirPort requests to my relay, where DirPort bandwidth reached 15% of ORPort bandwidth. Normal DirPort load is around 2%.
https://lists.torproject.org/pipermail/tor-relays/2018-May/015253.html
Just looked over a sample of FallBackDir relays in Relay Search and it appears this excess-load abuse is directed at them in particular. Some fall-back directories show more than a month of excess request traffic, presumably on the DirPort. Logs here indicate six weeks of abuse escalating in increments. Possibly this foreshadows a major increase in an effort to impair FallBackDir relay functionality.
Either an iptables connection-rate limit or disabling DirPort resolves the problem.
> Just looked over a sample of FallBackDir relays in Relay Search and it appears this excess-load abuse is directed at them in particular. Some fall-back directories show more than a month of excess request traffic, presumably on the DirPort. Logs here indicate six weeks of abuse escalating in increments.
How can I find this information on my relay? (855BC2DABE24C861CD887DB9B2E950424B49FC34)
The only weird stuff I've noticed is that memory usage has doubled.
From 1.5GB to 3GB. Bandwidth is pegged at times, but not excessively so.
On 22 May 2018, at 04:29, Logforme m7527@abc.se wrote:
>> Just looked over a sample of FallBackDir relays in Relay Search and it appears this excess-load abuse is directed at them in particular. Some fall-back directories show more than a month of excess request traffic, presumably on the DirPort.
Have you checked on a relay?
If it's from recent clients, it will be on the ORPort.
If it's from relays or descriptor parsing libraries like stem, it will probably be on the DirPort.
>> Logs here indicate six weeks of abuse escalating in increments.
> How can I find this information on my relay? (855BC2DABE24C861CD887DB9B2E950424B49FC34)
You can look at your relay's bandwidth graphs on relay search.
> The only weird stuff I've noticed is that memory usage has doubled. From 1.5GB to 3GB. Bandwidth is pegged at times, but not excessively so.
Then it might be harmless.
T
At 18:29 5/21/2018 +0000, Logforme m7527@abc.se wrote:
> How can I find this information on my relay? (855BC2DABE24C861CD887DB9B2E950424B49FC34)
Is visible here
https://metrics.torproject.org/rs.html#details/855BC2DABE24C861CD887DB9B2E95...
Click on the Bandwidth History "3-Month" tab. Your relay shows indications of excess load. You can verify this on the local system as follows:
For those with DirPort configured, one can check for the problem by looking at the 'state' file with the command
egrep '^BWHistory.*WriteValues' state | tr ',' '\n'
and calculating the percent BWHistoryDirWriteValues is relative to BWHistoryWriteValues for the same samples. Should be under 5%, more like 1-3%. If 15% the attacker is harassing your relay.
The above was written for lower-bandwidth relays of around 10MB/sec. Faster relays show a smaller increase, but if the absolute traffic level is on the order of 60MB or more, an attack is likely. A more reasonable DirPort traffic level is around 10M.