Hi!
Since yesterday, the kern.log of the relay I'm running is flooded with "TCP: drop open request from".
I first thought it was a kind of DDOS on our servers but it seems to be related to Tor (When I stop Tor, kernel doesn't complain anymore).
Does somebody have an idea of why this is happening and what to do to mitigate it?
Thanks a lot.
On Fri, Oct 25, 2013 at 12:43:42PM +0900, mett wrote:
> Since yesterday, the kern.log of the relay I'm running is flooded with "TCP: drop open request from".
> I first thought it was a kind of DDOS on our servers but it seems to be related to Tor (When I stop Tor, kernel doesn't complain anymore).
> Does somebody have an idea of why this is happening and what to do to mitigate it?
What operating system, kernel, etc?
https://trac.torproject.org/projects/tor/ticket/9716 looks related if you're in BSD-land.
--Roger
On Fri, Oct 25, 2013 at 12:10 AM, Roger Dingledine <arma@mit.edu> wrote:
> On Fri, Oct 25, 2013 at 12:43:42PM +0900, mett wrote:
>> Since yesterday, the kern.log of the relay I'm running is flooded with "TCP: drop open request from".
>> I first thought it was a kind of DDOS on our servers but it seems to be related to Tor (When I stop Tor, kernel doesn't complain anymore).
> if you're in BSD-land.
It's a Linux message. Feed it to a search engine and you'll find several things to try depending on what the cause is. It shuts off either because Tor is attracting the SYNs or the overall count is lower with Tor off; you'll have to tcpdump to see. Look into SYN cookies, packet filter rules, and stack tuning.
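The triage suggested above, as an added example that is not part of the original messages: it tallies the logged drops per source address to tell a few noisy sources from a broad spread, and reads the SYN-related sysctls. The `addr/port` tail of the log line is assumed from the Linux 2.6 message format; the sample lines, threshold and function names are constructed for illustration.

```python
import re
from collections import Counter
from pathlib import Path

# Assumption: the thread quotes only the message prefix; the "addr/port" tail
# matched here is the Linux 2.6 IPv4 form of this message.
DROP_RE = re.compile(r"TCP: drop open request from (\d{1,3}(?:\.\d{1,3}){3})/(\d+)")

# Settings behind the thread's "syn cookies" and "stack tuning" advice.
SYSCTLS = ("net/ipv4/tcp_syncookies", "net/ipv4/tcp_max_syn_backlog", "net/core/somaxconn")

# Constructed sample lines (documentation address ranges), not from the thread.
SAMPLE_LOG = [
    f"Oct 24 21:10:{i:02d} relay kernel: [{1200 + i}.5] TCP: drop open request from {ip}/{40000 + i}"
    for i, ip in enumerate(["198.51.100.7"] * 5 + ["203.0.113.5", "203.0.113.9", "192.0.2.44"])
]

def summarize_drops(lines, top_n=2, concentrated_share=0.5):
    """Count logged drops per source and say whether a few sources dominate."""
    per_source = Counter(m.group(1) for m in map(DROP_RE.search, lines) if m)
    total = sum(per_source.values())
    top = per_source.most_common(top_n)
    share = sum(n for _, n in top) / total if total else 0.0
    if not total:
        pattern = "none"
    elif share >= concentrated_share:
        pattern = "concentrated"  # few sources: per-source filter rules can help
    else:
        pattern = "distributed"   # many sources: check SYN cookies and backlog
    return {"total": total, "sources": len(per_source), "top": top, "pattern": pattern}

def read_syn_settings(proc_sys="/proc/sys"):
    """Return current values of the relevant sysctls (None where unreadable)."""
    values = {}
    for name in SYSCTLS:
        try:
            values[name] = int((Path(proc_sys) / name).read_text().split()[0])
        except (OSError, ValueError, IndexError):
            values[name] = None
    return values

if __name__ == "__main__":
    print(summarize_drops(SAMPLE_LOG))
    print(read_syn_settings())
```

The kernel rate-limits this message, so the per-source counts are a lower bound on the drops that actually occurred.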
On Fri, 25 Oct 2013 01:13:57 -0400 grarpamp <grarpamp@gmail.com> wrote:
> On Fri, Oct 25, 2013 at 12:10 AM, Roger Dingledine <arma@mit.edu> wrote:
>> On Fri, Oct 25, 2013 at 12:43:42PM +0900, mett wrote:
>>> Since yesterday, the kern.log of the relay I'm running is flooded with "TCP: drop open request from".
>>> I first thought it was a kind of DDOS on our servers but it seems to be related to Tor (When I stop Tor, kernel doesn't complain anymore).
>> if you're in BSD-land.
> It's a Linux message. Feed it to a search engine and you'll find several things to try depending on what the cause is. It shuts off either because Tor is attracting the SYNs or the overall count is lower with Tor off; you'll have to tcpdump to see. Look into SYN cookies, packet filter rules, and stack tuning.
> _______________________________________________
> tor-relays mailing list
> tor-relays@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Thanks a lot for both answers.
Actually, I recently changed my IP from dynamic to static (a week ago), and at the same time I changed the settings regarding syn cookies and spoofed IP's source address verification, so it might have been related.
I'll definitely tcpdump my connection to check deeper.
By the way, the system is debian-squeeze on a P4 (linux kernel 2.6 series, 2.4CPU for 512RAM), that I use as a multipurpose router/server.