Out-of-Memory-Attack & DoS from Tor-Client
Hi there,

I just want to report two partially successful DoS attacks on my relay:

First attack:
Occurred yesterday. The tor process showed massive traffic, much more than my upload (45 Mbit/s) could handle. I don't know in detail how this worked, but I had receiving traffic at about 40 Mbit/s and the relay tried to send about 100 Mbit/s towards the WAN. Because I didn't know if this was harmful traffic for the Tor network, I finally pulled the plug and obtained a new IP after about 4 hours into the attack. I had the feeling that for a short time there was still an unusual sending/receiving ratio, but all related to tor.exe, and it stabilized soon after. My guess is that a malformed packet was sent by tor, resulting in uncontrolled, unknown traffic to the WAN side. The relay had 3 DDoS circuits killed, rejected circuits and INTRODUCE2 at an abnormally high rate, also like 117 marked addresses. It sent about 250 GB more than it received. The attack is also clearly visible in Tor Metrics: a massive spike in written bytes can be seen.
Fingerprint: 8AFE4E6F05234B0184327C052B09F10191EAFAF3

Second attack (today):
Today at about 2 p.m., the memory of the relay spiked to the maximum (8 GB) and additionally 22 GB of virtual memory was used. This caused the process to die with an out-of-memory error. This also must have come from a malformed packet in tor.

Is there any known method to circumvent both of these issues? In the first event, I don't know if the error could have cleared itself after some more hours. Regarding the memory issue, I think this must be resolved in the tor software itself, although I thought about adding 64 GB of RAM and a 256 GB page file, just to see if it makes any difference in case of attacks. But I don't think so.

Best regards,
Joker
Try this: https://github.com/Enkidu-6/tor-ddos
It should greatly reduce if not eliminate it.
Cheers.

(Reply to ProSecureRelays' message of 12/2/2025 1:13 PM.)
Chris Enkidu-6 wrote:
Try this:
https://github.com/Enkidu-6/tor-ddos
It should greatly reduce if not eliminate it.
How does that help on Windows? You overlooked that he wrote: "but all related to tor.exe and it stabilized soon after." An .EXE indicates Windows to me.

--
--gv
On 03.12.2025 at 13:16:52 Gisle Vanem via tor-relays wrote:
Chris Enkidu-6 wrote:
Try this:
https://github.com/Enkidu-6/tor-ddos
It should greatly reduce if not eliminate it.
What does that help on Windows? You overlooked that he wrote: "but all related to tor.exe and it stabilized soon after."
An .EXE indicates Windows to me.
His relay seems to be running on Windows. It should be possible, though, to write a script that implements firewall rulesets in Windows too; maybe PowerShell supports that.

--
Regards
Marco
Send unsolicited bulk mail to 1764764212muell@cartoonies.org
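As an added example that is not part of Marco's message and not code from the Enkidu-6/tor-ddos project, this is what such a PowerShell script could look like on a Windows relay. It samples the established connections to the ORPort, blocks any remote address holding more than a threshold of them unless that address is on an allowlist of known relay IPs, and expires old block rules. The ORPort number, the threshold, the retention window and the allowlist path are assumptions. Windows Firewall has no connlimit or hashlimit primitive, so this is a polled approximation of what the Linux script expresses directly in iptables.

```powershell
<#
Added example, not from the tor-ddos project: a polled per-IP connection cap
for a Tor relay's ORPort on Windows, using the built-in NetTCPIP and
NetSecurity cmdlets. Run elevated, e.g. from a scheduled task every minute.
All parameter defaults are assumptions.
#>
param(
    [int]    $OrPort        = 9001,                    # relay ORPort (assumption)
    [int]    $MaxPerIp      = 4,                       # established connections one IP may hold (assumption)
    [int]    $BlockHours    = 12,                      # lifetime of a block rule (assumption)
    [string] $AllowListPath = 'C:\tor\relay-ipv4.txt', # known relay IPs, one per line (assumption)
    [string] $RulePrefix    = 'TorDoS-Block-'
)

# Known relays must never be blocked: one relay IP legitimately holds many
# connections to us, and a busy host may run several relays behind one IP.
$allow = @{}
if (Test-Path $AllowListPath) {
    foreach ($line in Get-Content $AllowListPath) {
        $ip = $line.Trim()
        if ($ip) { $allow[$ip] = $true }
    }
}

# Count ESTABLISHED connections to the ORPort per remote address.
$groups = Get-NetTCPConnection -LocalPort $OrPort -State Established -ErrorAction SilentlyContinue |
    Group-Object -Property RemoteAddress

foreach ($g in $groups) {
    $ip = $g.Name
    if ($allow.ContainsKey($ip) -or $g.Count -le $MaxPerIp) { continue }

    $name = "$RulePrefix$ip"
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }

    # Block further packets from this address to the ORPort. The creation
    # time is stored in Description so the rule can be expired later.
    New-NetFirewallRule -DisplayName $name -Description (Get-Date).ToString('o') `
        -Direction Inbound -Action Block -Protocol TCP -LocalPort $OrPort `
        -RemoteAddress $ip | Out-Null
    Write-Output "blocked $ip ($($g.Count) established connections to port $OrPort)"
}

# Expire block rules older than the retention window so addresses behind a
# shared NAT, or a client that has since stopped, get a fresh chance.
$cutoff = (Get-Date).AddHours(-$BlockHours)
Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue |
    Where-Object { $_.Description -and ([datetime]$_.Description) -lt $cutoff } |
    ForEach-Object {
        Write-Output "expired block for $($_.DisplayName.Substring($RulePrefix.Length))"
        Remove-NetFirewallRule -Name $_.Name
    }
```

Run it from an elevated scheduled task at a short interval; each pass only sees a snapshot of connections, so a burst shorter than the interval goes unnoticed, and whether an already-established flow is cut by a new block rule depends on the firewall, so the script mainly stops new connections from the offending address. Keep the allowlist current, because blocking a real relay costs the network more than the attacker does. Tor's own DoS mitigation (the DoS* options in torrc) runs on Windows as well; a script like this is an outer layer in front of it, not a replacement.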
My apologies. It seems that I missed that part.

(Reply to Marco Moock's message of 12/3/2025 8:56 AM.)
Hello.

Chris Enkidu-6 wrote:
Try this: https://github.com/Enkidu-6/tor-ddos
It should greatly reduce if not eliminate it.

I've been thinking of setting that up on my relays as well. Do you have any version for nftables? All of my relays have been migrated to nft from iptables, and my knowledge of nft syntax is rudimentary.

Also, how do you generate files like 2-or.txt and snowflake.txt? I'd rather pull directly from Tor's site over an API than from GitHub.

Regards,
forest
By migrating, do you mean you've removed the compatibility layer that comes with modern Linux distributions? They all ship with iptables as a wrapper over nftables that does the translation. The binary is iptables-nft. Just type iptables -V in the console. If the output contains "nf_tables", then your iptables commands are actually managing nftables rules and you can run my script.

As for the lists, they're just a simple matter of pull, awk, sed, sort, etc. The reason they're not included in the script is mainly because when a couple of hundred servers use the script, each server doing it individually will put unnecessary strain on the Onionoo servers for absolutely no good reason. Not to mention that the Onionoo server is updated hourly anyway, so pulling the lists every 10 minutes is not necessarily going to give you a different result.

The lists are available here: https://github.com/Enkidu-6/tor-relay-lists

(Reply to forest's message of 12/3/2025 5:10 PM.)
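To make the two points in that reply concrete, here is an added example (mine, not code from Enkidu-6/tor-ddos or tor-relay-lists): a POSIX sh snippet that classifies the backend reported by iptables -V, and that derives relay address lists from an Onionoo details document using only grep, sed, sort, uniq and awk, which is the pull/awk/sed/sort pipeline the reply describes. The Onionoo document is a constructed sample built from documentation address ranges; the query URL in the comment is Onionoo's details endpoint, but the exact fields the tor-relay-lists repository requests are an assumption. What 2-or.txt contains is not stated in the thread; the second list function collects addresses shared by more than one relay entry, which is my assumption of what such a list would hold.

```sh
#!/bin/sh
# Added example, not from Enkidu-6/tor-ddos or tor-relay-lists: check which
# backend the local iptables binary talks to, and build relay address lists
# from an Onionoo "details" document with grep/sed/sort/uniq/awk only.

# Classify `iptables -V` output. iptables-nft prints e.g.
# "iptables v1.8.9 (nf_tables)"; the legacy build prints "(legacy)".
iptables_backend() {
    case "$1" in
        *nf_tables*) echo nf_tables ;;
        *legacy*)    echo legacy ;;
        *)           echo unknown ;;
    esac
}

# Same check against the live system (reports "unknown" if iptables is absent).
local_iptables_backend() {
    iptables_backend "$(iptables -V 2>/dev/null)"
}

# Constructed sample of an Onionoo details response, cut down to the field a
# list builder needs. Addresses are documentation ranges, not real relays.
# The live document comes from (the fields parameter is an assumption):
#   curl -s 'https://onionoo.torproject.org/details?type=relay&running=true&fields=or_addresses'
SAMPLE_ONIONOO='{"version":"10.0","relays":[
{"or_addresses":["192.0.2.10:9001","[2001:db8::10]:9001"]},
{"or_addresses":["192.0.2.10:9002"]},
{"or_addresses":["198.51.100.7:443","198.51.100.7:9001"]},
{"or_addresses":["203.0.113.5:9001"]}
]}'

# Every distinct IPv4 ORPort address, sorted, one per line: the allowlist that
# exempts known relays from per-IP connection limits.
relay_ipv4_list() {
    printf '%s\n' "$1" |
        grep -oE '"[0-9]{1,3}(\.[0-9]{1,3}){3}:[0-9]+"' |
        sed -E 's/^"([^:]+):[0-9]+"$/\1/' |
        sort -u
}

# IPv4 addresses that appear in more than one relay entry (several relays
# behind one IP). Each relay's or_addresses array is reduced to its unique
# IPv4s first, so one relay with two ORPorts on the same IP counts once.
# Assumption: this is the kind of list a per-IP limit needs a higher
# allowance for; the thread does not say what 2-or.txt holds.
multi_relay_ipv4_list() {
    printf '%s\n' "$1" |
        grep -o '"or_addresses":\[[^]]*]' |
        while IFS= read -r arr; do
            printf '%s\n' "$arr" | grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}' | sort -u
        done |
        sort | uniq -c | awk '$1 > 1 { print $2 }'
}

# Stand-alone run: `sh thisfile.sh --demo` prints the backend and both lists.
if [ "${1:-}" = "--demo" ]; then
    echo "iptables backend: $(local_iptables_backend)"
    echo "relay IPv4 allowlist:"; relay_ipv4_list "$SAMPLE_ONIONOO"
    echo "multi-relay IPv4s:";    multi_relay_ipv4_list "$SAMPLE_ONIONOO"
fi
```

Feed a real Onionoo document to the two list functions instead of the sample and write the results to files the firewall script reads; doing that from one central place, as the reply recommends, keeps a fleet of relays from each hitting Onionoo on every refresh. The IPv6 entries in or_addresses are deliberately ignored here because the pattern only matches dotted IPv4; an IPv6 allowlist needs a separate extraction.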
participants (6)
- Chris Enkidu-6
- Felix
- forest-relay-contact@cryptolab.net
- Gisle Vanem
- Marco Moock
- ProSecureRelays