[tor-relays] Tor Server - DDOS or High Load

Austin Bentley ab6d9 at mst.edu
Thu Dec 4 18:53:27 UTC 2014


I think you misinterpreted what I was saying or I didn't explain it well
enough. Tor utilizing 100% CPU usage is only normal if you are pushing a
LOT of bits. In this case, you probably have a system misconfiguration
somewhere (nothing to do with Tor's configuration, torrc).

>"No, the addresses of the inbound traffic were from different addresses."
Yes, that's expected. You're getting connections from the Tor network.

>"I thought that it was not possible to force traffic through a specific
predefined route in Tor"
It isn't possible. I believe I said so, or implied it. The only way to do
this would be through an attack on the Tor network in general.

>"Is it possible to flood the tor port directly with for example syn
floods?"
Through the Tor network, no, that's impossible. TCP relies on a
3-way handshake, which means that every connection between relays will have
to be complete; therefore, in order to connect to your relay, a complete
connection will have to be made. I hope this makes sense; if not, I can
elaborate a bit more.

However, if someone has a hold of your IP, they can run a portscanner and
then determine your relay port (which is on the internet for all to see).
Therefore, you can be attacked, but not through the Tor network.

>"If yes; is there an iptables rule which will reduce the amount of
connection kept in the syn state?"
First of all, no. And second, that's not how you deal with a SYN flood. If
that rule was implemented, it would just be easier to take your port
offline.


I highly doubt you are under attack. Almost certainly a misconfiguration of
some sort. Have you tried the recommendations that others have given
relating to your file descriptors?

On Thu, Dec 4, 2014 at 1:40 AM, <webmaster at defcon-cc.dyndns.org> wrote:

> Ok,
>
> I will reject this as a normal behavior of tor. My flags are actually:
>
> HSDir, Running, V2Dir, Valid
>
> To point 2.: No, the addresses of the inbound traffic were from different
> addresses.
> I thought that it is not possible to force the traffic through a defined
> route because from my knowledge the route is built by the network.
> Sometimes I'm using my Tor Server as a proxy for my local http traffic. I
> think this is the only case where I can force my route to use my server as
> an entry node.
>
> Is it possible to flood the tor port directly with for example syn floods?
>
> If yes; is there an iptables rule which will reduce the amount of
> connection kept in the syn state?
>
> My Tor Info:
>
> https://globe.torproject.org/#/relay/C54E81EB047D7EC1E05B0AC6E723BE1BF5CAF520
>
> Thanks for the reply
>
>
>
> > Hey bud,
> > Your adsl connection has a low advertised bandwidth, and doesn't make
> > many connections with regards to tor; thus, the CPU usage is correct.
> > Look up your server's fingerprint or nickname on Tor Globe to see how
> > much of the tor network travels through your server.
> > CPU load is usually associated with a lot of bandwidth or an inefficiency
> > in the server. I've heard that a 100mbit tor server using full 12.5MB/s
> > up/down will saturate the core dedicated to the Tor process; this is
> > presumably why a lot of servers run multiple Tor instances on different
> > cores and IP addresses. However, in your case, it is likely
> > The large amount of connections is generally caused by a few things:
> > 1. You've been running a very stable server for a long period of time and
> > have sufficient bandwidth to provide connectivity for a large number of
> > clients; additional flags, such as Guard, HSDir, V2Dir, and Exit will
> > likely result in more connections. This is not likely with your server,
> > given your advertised bandwidth is only 68.44kb/s.
> > 2. A single client is using your server for a lot of connections.
> > 3. An anomaly/attack in the Tor network (somewhat unlikely, I don't know
> > if any have been documented.)
> > 4. An attack against your server. This is very hard to do through the Tor
> > network; an attack against a Tor relay using Tor is an attack against all
> > Tor relays. HOWEVER, they could be attacking your port which you use to
> > host your tor server.
> > Just for reference, here are my tor stats:
> > Advertised B/W: ~4MB/s
> > Connections (555 inbound, 5 outbound, 93 exit, 1 socks, 5 circuit, 1
> > control)
> > Tor is averaging 9%-13% CPU usage; 198MB memory.
> > More info on my server:
> > https://globe.torproject.org/#/relay/EF84089646304169F439A8F473742D74F027BA1B
> > I hope this answered your question, if not, send a reply and hopefully
> > I'll reply sometime.
>
>
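The point Austin makes above (a SYN flood cannot arrive through Tor's fully completed TCP connections, but the relay's bare ORPort on the public internet can), together with the file-descriptor check the other replies point at, as an added diagnostic script. This is not code from the thread or from the Tor project. It assumes a Linux relay with `ss` from iproute2 and an ORPort of 9001, and it runs on a constructed sample of `ss -Htan` output so it works offline; the addresses in the sample are documentation ranges.

```sh
#!/bin/sh
# Added diagnostic (not from the thread): tell a SYN flood apart from ordinary
# relay load by counting TCP socket states on the ORPort.
#
# Constructed sample in the shape of `ss -Htan` output (columns: State, Recv-Q,
# Send-Q, Local Address:Port, Peer Address:Port). ORPort 9001 is an assumption.
SAMPLE='ESTAB     0 0 203.0.113.10:9001 198.51.100.7:51234
SYN-RECV  0 0 203.0.113.10:9001 198.51.100.9:40001
ESTAB     0 0 203.0.113.10:9001 198.51.100.8:51235
SYN-RECV  0 0 203.0.113.10:9001 192.0.2.77:40002
ESTAB     0 0 203.0.113.10:22   192.0.2.5:55555
TIME-WAIT 0 0 203.0.113.10:9001 192.0.2.78:40003'

# count_states PORT
# Reads ss output on stdin and prints "STATE COUNT" for every socket whose
# local address ends in :PORT, one state per line, sorted by state name.
count_states() {
  awk -v p=":$1" '$4 ~ p"$" { n[$1]++ } END { for (s in n) print s, n[s] }' |
    sort
}

# syn_recv_percent PORT
# Integer percentage of half-open (SYN-RECV) sockets among all sockets on
# PORT. Many SYN-RECV entries next to a flat ESTAB count is the SYN-flood
# pattern; a large ESTAB count with few SYN-RECV is a busy but healthy relay.
syn_recv_percent() {
  awk -v p=":$1" '
    $4 ~ p"$"                     { total++ }
    $4 ~ p"$" && $1 == "SYN-RECV" { half++ }
    END { if (total == 0) print 0; else printf "%d\n", 100 * half / total }
  '
}

# fd_usage PID
# Open file descriptors of the tor process against its soft limit, the check
# the other replies in the thread recommend. Needs Linux /proc; not exercised
# on the sample data.
fd_usage() {
  [ -d "/proc/$1/fd" ] || { echo "no such process: $1" >&2; return 1; }
  used=$(ls "/proc/$1/fd" | wc -l | tr -d ' ')
  limit=$(awk '/^Max open files/ { print $4 }' "/proc/$1/limits")
  echo "fds: $used used of $limit (soft limit)"
}

# Demo on the constructed sample. On a live relay replace the printf with:
#   ss -Htan | count_states 9001
printf '%s\n' "$SAMPLE" | count_states 9001
printf 'SYN-RECV share on 9001: %s%%\n' \
  "$(printf '%s\n' "$SAMPLE" | syn_recv_percent 9001)"
# On a live relay: fd_usage "$(pidof tor)"
```

Run it once on a quiet relay and once when the load spikes: relay load driven by real circuits shows up as a growing ESTAB count and a SYN-RECV share near zero, while a port-level SYN flood pushes the SYN-RECV share up without the ESTAB count moving. If neither pattern appears and the tor process is near its file-descriptor limit, the fd limit, not an attack, is the thing to fix.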