[tor-relays] Lawsuit threat over (unlikely?) SYN flood

Formless Networking formlessnetworking at gmail.com
Thu Feb 24 21:09:31 UTC 2011


Just as a heads up, I got a curt, vague lawsuit threat the other day out of
the blue. The guy claimed my node IP took down his (unmentioned) e-commerce
sites for some unspecified period of time through a SYN flood. The sites
that I could find associated with his email address appeared still up and
functional.

Since SYN floods can be spoofed, and since Tor nodes don't really have the
resource amplification that typically makes them effective, I'm assuming
it's probably just someone who forgot to take their meds for a while and/or
who is just making things up to try to chill our tor node offline.

Just in case, here is what I sent in response. If anyone else hears from
this guy, feel free to copy and paste.

----------------------------

It seems very unlikely that what you pasted here is due to our Tor router
(unless it has been compromised?).

Our node is not capable of transmitting SYN packets on behalf of users fast
enough to actually do damage. It is rather expensive for a tor client to
generate this type of traffic, and a couple of protection mechanisms are
built into the tor router flow control that slow this down. We would be
very surprised if this attack actually came through our node, and actually
brought down any of your services.

Unlike more direct attacks on your server at the application layer, SYN
floods are possible to spoof. This packet could actually be coming from
anywhere...

However, in either case, this attack should be simple to block. You can
prevent the entire Tor network (not just our router) from sending you
traffic by using this exported IP list to generate firewall rules to drop
SYN packets:
https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.2.3.4&port=80

If this is in fact a SYN flood attack, they may just switch spoofed source
IPs on you, though, so an IP block is probably not what you want.

There are plenty of documents online that describe server parameters to help
reduce the impact of this attack on your services, depending on your server
OS. We recommend looking into them to better protect yourself and your
customers.


Thanks
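The two mitigations the reply points at (a firewall rule set built from the Tor bulk exit list that drops SYN packets, and the host-level SYN-flood hardening it leaves to "documents online") are easy to show together. The script below is an added example and is not part of the original post or a Tor Project tool: it reads a list in the bulk exit list's plain format (one IPv4 per line, comment lines starting with '#') and emits one iptables rule per unique address, matching only SYN-flagged packets so existing connections are untouched, and then prints the Linux sysctl for SYN cookies, which keeps a host reachable under a flood even when the sources are spoofed and an IP block does nothing. The exit addresses in the script are constructed from documentation ranges, not real relays; in practice the list would be fetched from the URL in the post. The rule text is only printed, not applied, so it can be reviewed before loading.

```shell
#!/bin/sh
# Added example, not from the original post or from Tor. Turns a Tor bulk exit
# list into iptables rules that drop TCP SYN packets, and shows the SYN-cookie
# sysctl for the spoofed-source case that an IP blocklist cannot handle.

# CONSTRUCTED sample in the bulk exit list format ('#' comments, one IPv4 per
# line). These are documentation-range addresses, not real Tor exits; it also
# carries a blank line, a duplicate and a junk line to show they are skipped.
SAMPLE_EXIT_LIST='# Constructed sample, not real exit addresses
203.0.113.10
198.51.100.7

203.0.113.10
not-an-ip'

# Read exit-list lines on stdin, print one iptables rule per valid, unique IPv4.
# --syn matches packets with SYN set and ACK/RST/FIN clear, i.e. new connection
# attempts only, so established flows from those addresses are unaffected.
# $1 is the destination port to protect (default 80, as in the post's URL).
gen_drop_syn_rules() {
    port="${1:-80}"
    grep -v '^#' |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' |
    sort -u |
    while IFS= read -r ip; do
        printf 'iptables -I INPUT -p tcp -s %s --dport %s --syn -j DROP\n' "$ip" "$port"
    done
}

# Run the generator over the constructed sample (port 80).
sample_rules() {
    printf '%s\n' "$SAMPLE_EXIT_LIST" | gen_drop_syn_rules 80
}

# Number of rules produced from the constructed sample (duplicates collapsed).
sample_rule_count() {
    sample_rules | wc -l | tr -d ' '
}

# Host-side hardening the post defers to OS documentation: on Linux, SYN
# cookies let the kernel answer SYN floods without exhausting the backlog,
# regardless of whether the source addresses are real or spoofed.
syncookie_sysctl() {
    printf 'net.ipv4.tcp_syncookies = 1\n'
}

# Print the generated rules and the sysctl line for review; nothing is applied.
sample_rules
syncookie_sysctl
```

A real exit list may contain far more addresses than an iptables chain handles comfortably; an ipset or nftables set is the usual next step, but the rule shape and the SYN-only match stay the same.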