[tor-relays] Exit relay operators: a call for packets on port 8118
Aaron Hopkins
lists at die.net
Mon Sep 9 16:01:01 UTC 2013
On Mon, 22 Jul 2013, Zack Weinberg wrote:

> The CMU Tor exit is seeing about 66 packets/second worth of this
> (10000 packets, 1151 unique IPs in 149.5 seconds). I don't have time
> to dig any deeper right now, but on the theory that it's a botnet
> doing click fraud, I'll pass this along to our cybercrime people.

If this clickfraud bot consumes a thread per connection, it may be possible
to overwhelm its available resources by taking as long as possible to answer
its requests, known as a tarpit or teergrube.

The kernel-based tarpit I wrote years ago (ipt_TARPIT) would only hold these
for a few minutes, so I experimented with getting NginX to reply as slowly
as possible using its rate-limiting, and was able to capture and hold open
105,000 connections to port 8118 from 1500 different IPs. However, NginX
has a lower bound of one byte per second out of the box, which with TCP
packet overhead consumed more bandwidth than I was willing to offer.

I then wrote a simple Go-based HTTP tarpit, which seems to also be effective
at capturing a bunch of connections; I'm back up to 22,000 and very
slowly rising.

If anyone else feels like playing with this, feel free to grab
http://www.die.net/tools/http-tarpit/http-tarpit.go and install a Go
compiler from http://golang.org/doc/install. Build with "go build
http-tarpit.go" and then run "./http-tarpit" as a non-root user.

Be careful if you are tight on RAM; it seems to eat a few hundred megs per
10,000 concurrent connections. I haven't tried to optimize this at all.

-- Aaron
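
The slow-response idea described in the message above, as a minimal sketch added to this page; it is not the http-tarpit.go linked in the message and makes no claim about how that program works. The unfinished `X-Padding` header, the 30-second drip interval and the 10,000-connection cap are assumptions chosen to reflect the bandwidth and RAM concerns the message raises.

```go
package main

import (
	"log"
	"net"
	"time"
)

// Constructed preamble: status line, then a header that is never finished.
const preamble = "HTTP/1.1 200 OK\r\nX-Padding: "

// drip sends one filler byte per interval until the peer drops or maxBytes is hit (<= 0: no limit).
func drip(c net.Conn, interval time.Duration, maxBytes int) int {
	defer c.Close()
	c.Write([]byte(preamble)) // a failure here surfaces on the next write
	for sent := 0; maxBytes <= 0 || sent < maxBytes; sent++ {
		c.SetWriteDeadline(time.Now().Add(10 * time.Second))
		if _, err := c.Write([]byte{'a'}); err != nil {
			return sent // peer closed, reset, or stopped reading
		}
		time.Sleep(interval)
	}
	return maxBytes
}

// serve holds at most maxConns connections and closes any beyond that,
// so memory use stays bounded on a host that is tight on RAM.
func serve(ln net.Listener, interval time.Duration, maxConns int) {
	slots := make(chan struct{}, maxConns)
	for {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		select {
		case slots <- struct{}{}:
			go func() { drip(c, interval, 0); <-slots }()
		default:
			c.Close()
		}
	}
}

func main() {
	ln, err := net.Listen("tcp", ":8118") // port from the thread subject
	if err != nil {
		log.Fatal(err)
	}
	serve(ln, 30*time.Second, 10000) // assumed interval and cap
}
```

A longer interval lowers outbound bandwidth per held connection, and the cap trades the number of connections held against memory.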