[tor-relays] NSA knew about Heartbleed

Scott Bennett bennett at sdf.org
Sat Apr 12 10:34:32 UTC 2014

Paris S <papasierra88 at gmail.com> wrote:

> Interesting.
> Could this be a part of what the leaked documents were referring to as
> "groundbreaking capabilities" a few months back?
> http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=4&_r=1&hp
> https://www.eff.org/document/2013-09-05-guard-bullrun
     I don't know the answer to your question.
     However, there is a problem that has come up on this list a number of
times in the last few years that has never been resolved, and that is the
sporadic, sudden mobbing of relays by tens to hundreds of times as many
incoming connections as those relays normally get, often for up to several
hours at a time.  Systems whose CPUs are not powerful enough to keep up with
the heavy influx of onions to be peeled become bogged down, sometimes to the
point of their kernel listen queues overflowing and X servers becoming
unresponsive.  AFAIK, no one has ever figured out exactly what causes these
mobbing events, although I have suspected (for purely circumstantial reasons)
since shortly after they began happening that they were connected somehow to
hidden services.  Until very recently two things in particular about these
mobbing events bothered me and remained unresolved:

	1) if the mobbing events are related to hidden services, are they
	in connection to relays being used as rendezvous nodes?  Or are they
	instead connected to running as a hidden service directory?

	2) are the mobbing events due to a bug or design error?  Or are they
	instead some sort of intentional attack?

     Now I think I can confirm the suspicion that the mobbing is indeed
connected somehow to hidden services and specifically to relays running hidden
service directories.  Since I changed

HidServDirectoryV2 1

to

HidServDirectoryV2 0

some weeks ago, there has been no sign of my relay being mobbed in the manner
described above, whereas formerly the mobbing events were quite frequent,
often beginning several times per day and sometimes beginning before an
earlier mobbing event had subsided.  My conclusion is that the massive (in
relation to the background) rates of inbound connections are accesses to
the hidden service directory part of a tor relay.
     Since becoming aware of Heartbleed a few days ago, I have been wondering
whether the NSA or some other criminal group(s) or individual(s) might be
using untraceable connections to HSDir-flagged relays to acquire lots of
memory contents illegally, with relay operators noticing the events mainly
because of their deleterious effects on system performance.

                                  Scott Bennett, Comm. ASMELG, CFIAG
* Internet:   bennett at sdf.org   *or*   bennett at freeshell.org   *
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
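The "mobbing" the post describes (tens to hundreds of times the usual inbound connection rate, for minutes to hours) is easy to miss until the listen queue overflows. Below is an added example of a small detector for it; it is not code from the post or from the Tor project. The per-minute counts are constructed, not measured, and the 30-minute baseline window and 10x threshold are assumptions a relay operator would tune to their own relay.

```python
"""Detect "mobbing" of a Tor relay: minutes in which new inbound connections
run many times above the relay's normal rate.

Added example, not code from the original post.  The per-minute counts below
are constructed, not measured; in practice they would be built from connection
timestamps, e.g. from periodic `ss -tn` samples on the ORPort.  The 10x
threshold and 30-minute baseline window are assumptions.
"""
from dataclasses import dataclass
from statistics import median
from typing import Iterable, List


@dataclass
class MobEvent:
    start: int       # first minute index at or above the threshold
    end: int         # first minute index back below it (exclusive)
    peak: int        # highest per-minute count during the event
    baseline: float  # median rate of the `window` minutes before it began

    @property
    def duration(self) -> int:
        return self.end - self.start

    @property
    def ratio(self) -> float:
        return self.peak / self.baseline


def bucket_per_minute(timestamps: Iterable[int], start: int, minutes: int) -> List[int]:
    """Count connection timestamps (epoch seconds) into per-minute buckets."""
    counts = [0] * minutes
    for t in timestamps:
        i = (t - start) // 60
        if 0 <= i < minutes:
            counts[i] += 1
    return counts


def find_mobbing(counts: List[int], window: int = 30, factor: int = 10,
                 min_base: float = 1.0) -> List[MobEvent]:
    """Flag runs of minutes with count >= factor * baseline.

    The baseline is the median of the preceding `window` minutes (median rather
    than mean so that a few busy minutes do not raise it).  It is frozen for the
    duration of an event so that the event cannot become its own baseline.
    """
    events: List[MobEvent] = []
    start = None
    base = min_base
    for i in range(window, len(counts)):
        if start is None:
            base = max(median(counts[i - window:i]), min_base)
        if counts[i] >= factor * base:
            if start is None:
                start = i
        elif start is not None:
            events.append(MobEvent(start, i, max(counts[start:i]), base))
            start = None
    if start is not None:  # still being mobbed at the end of the data
        events.append(MobEvent(start, len(counts), max(counts[start:]), base))
    return events


# Constructed sample: an hour at roughly 20 new connections/minute, then half
# an hour at 400-1800/minute, then a short tail and recovery.
SAMPLE_COUNTS = (
    [20, 22, 19, 21, 23, 18] * 10
    + [400, 900, 1500, 1800, 1700, 1600] * 5
    + [60, 25, 21, 20, 19, 22] * 5
)

if __name__ == "__main__":
    for ev in find_mobbing(SAMPLE_COUNTS):
        print(f"mobbing from minute {ev.start} to {ev.end} "
              f"({ev.duration} min): peak {ev.peak}/min, "
              f"{ev.ratio:.0f}x the baseline of {ev.baseline:.1f}/min")
```

On the constructed data this reports one event, minutes 60 to 90, peaking at 1800 connections/minute against a baseline of 20.5. Freezing the baseline at the start of an event matters: a plain rolling median would climb during a multi-hour mob and stop flagging it partway through, which is exactly the case the post describes.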
