[tor-relays] NSA knew about Heartbleed

[Jobiwan Kenobi]

On Apr 12, 2014, at 12:34 , Scott Bennett wrote:

> [...] the sporadic, sudden mobbing of relays by tens to
> hundreds of times as many incoming connections as those relays
> normally get, often for up to several hours at a time.  Systems
> whose CPUs are not powerful enough to keep up with the heavy
> influx of onions to be peeled become bogged down, sometimes to
> the point of their kernel listen queues overflowing and X
> servers becoming unresponsive.  [...]  My conclusion is that
> the massive (in relation to the background) rates of inbound
> connections are accesses to the hidden services directory part
> of a tor relay.
>   Since becoming aware of Heartbleed a few days ago, I have
> been wondering whether the NSA or some other criminal group(s)
> or individual(s) might be using untraceable connections to
> HSDir-flagged relays to acquire lots of memory contents
> illegally with relay operators noticing the events main;y
> because of their deleterious effects on system performance.

I run a relay on a low-powered machine and I see this 
happening from time to time. Sometimes multiple times per 
week, sometimes not for a few weeks. 

In my case, during those times I also have way more download 
traffic than upload, so I become a data sink hole. If this 
were a data gathering attack, I would expect the opposite: 
more upload than download, altho this may be (somewhat) 
specific to me as I have an older openssl which is supposedly 
unaffected. 

My (less sexy) theory is that this is caused by clients using 
bittorrent over Tor and aggressively creating and abandoning 
connections without properly disconnecting, causing the 
imbalance between download and upload traffic. 

I never tried disabling HSDir but will do so at some point to 
test whether it stops these episodes from happening.

-Job