[tor-bugs] #24687 [Core Tor/Tor]: Tor eats all mbufs on FreeBSD

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Dec 20 19:37:59 UTC 2017


#24687: Tor eats all mbufs on FreeBSD
--------------------------+----------------------------------
 Reporter:  AMDmi3        |          Owner:  (none)
     Type:  defect        |         Status:  new
 Priority:  High          |      Milestone:  Tor: unspecified
Component:  Core Tor/Tor  |        Version:  Tor: 0.3.1.9
 Severity:  Major         |     Resolution:
 Keywords:                |  Actual Points:
Parent ID:                |         Points:
 Reviewer:                |        Sponsor:
--------------------------+----------------------------------

Comment (by AMDmi3):

 Thanks for the pointers, I'll read the mailing list.

 While here, I need to clarify some bits. mbufs/mbuf clusters are units of
 memory management in the FreeBSD kernel IPC subsystems. In particular, socket
 buffers are stored in mbufs. There's a (tunable) systemwide limit on the
 maximum number of mbuf clusters, and when it's reached no more mbufs are
 allocated and incoming packets may no longer be processed, which results
 in the network being completely dead for the whole machine. This is what
 happens here.

 Since it's related to kernel memory management, it's unlikely that it
 could be fixed by tor memory options. My guess is that the attack makes
 tor open a lot of sockets and fills their buffers. In theory, on my
 FreeBSD setup it allows taking up to (sysctl net.inet.tcp.recvspace *
 min(sysctl kern.ipc.maxsockets, ulimit -n)) = (65536 * 31740) ~= 2G of
 kernel memory. The machine only has 1G, but the mbuf limit is hit before the
 memory is exhausted anyway.

 This could be fixed by limiting the max number of open files for tor to
 some low value, but my graphs show that it needs at least 6k sockets as it
 is, so any sane limit (around 10k) will still allow taking a lot of
 memory. So it should probably be handled on the tor side somehow, limiting
 the number of connections which take a lot of memory (I assume normal
 connections don't consume this much) or tuning socket buffer sizes.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24687#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
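
The capacity estimate from the comment above, as an added shell example that is not part of the original ticket or of Tor: it compares the worst-case receive-buffer memory with the mbuf cluster pool and shows how few full buffers exhaust it. Assumptions: buffered data sits in standard 2048-byte clusters (mbuf headers, jumbo clusters and send buffers are ignored), and the fallback nmbclusters value of 62000 is constructed, not taken from the reporter's machine.

```shell
#!/bin/sh
# Added example: socket receive buffers vs. the FreeBSD mbuf cluster pool.
MCLBYTES=2048   # standard mbuf cluster size on FreeBSD (assumed storage unit)

min() { if [ "$1" -lt "$2" ]; then echo "$1"; else echo "$2"; fi; }

# Worst case from the comment: recvspace * min(maxsockets, ulimit -n)
worst_case_bytes() {            # args: recvspace maxsockets nofile
    echo $(( $1 * $(min "$2" "$3") ))
}

# Bytes the whole cluster pool can hold
cluster_pool_bytes() {          # args: nmbclusters
    echo $(( $1 * MCLBYTES ))
}

# Sockets with completely full receive buffers needed to use up the pool
sockets_to_exhaust() {          # args: nmbclusters recvspace
    echo $(( $(cluster_pool_bytes "$1") / $2 ))
}

# Succeeds only if the worst case still fits inside the cluster pool
pool_survives() {               # args: recvspace maxsockets nofile nmbclusters
    [ "$(worst_case_bytes "$1" "$2" "$3")" -le "$(cluster_pool_bytes "$4")" ]
}

if [ "$(uname -s)" = FreeBSD ]; then
    recv=$(sysctl -n net.inet.tcp.recvspace)
    maxs=$(sysctl -n kern.ipc.maxsockets)
    nmbc=$(sysctl -n kern.ipc.nmbclusters)
    nofile=$(ulimit -n)
    if [ "$nofile" = unlimited ]; then nofile=$maxs; fi
else
    # Values quoted in the comment; nmbc is a constructed sample value
    recv=65536; maxs=31740; nofile=31740; nmbc=62000
fi

echo "worst-case receive buffers: $(worst_case_bytes "$recv" "$maxs" "$nofile") bytes"
echo "mbuf cluster pool:          $(cluster_pool_bytes "$nmbc") bytes"
echo "full buffers to exhaust it: $(sockets_to_exhaust "$nmbc" "$recv")"
if pool_survives "$recv" "$maxs" "$nofile" "$nmbc"; then
    echo "descriptor limit keeps the worst case inside the pool"
else
    echo "descriptor limit alone does not protect the pool"
fi
```

With the sample pool size, a 10k descriptor limit still leaves the worst case several times larger than the pool, which matches the comment's point that a file limit alone is not enough.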

