[tor-relays] Possible DDoS

Tom van der Woerdt info at tvdw.eu
Fri Dec 26 13:12:19 UTC 2014


Sebastian Urbach wrote on 26/12/14 at 14:05:
> On December 26, 2014 12:41:51 PM Christian Burkert <post at cburkert.de>
> wrote:
>
> Hi,
>
>> I'm running a non-exit Tor node for a few months now on a virtual server
>> hosted in a professional datacenter.
>
> Thank you !
>
>> Yesterday, December 25th, the support wrote me that my server was
>> under a DDoS attack of 2GBit/s lasting for more than two hours. So,
>> the hoster black-holed my traffic to protect the other customers.
>
> I've seen this behaviour from some ISPs before and it's rather sad. If
> something like this happens, my ISP takes care of it without
> disabling my systems. I'm just getting a note with all the technical
> information and that's it.
>
>> The hoster wanted to know which services I'm running and told me that
>> if I continue running Tor and further attacks will happen, then I
>> would have to bear the costs.
>> Eventually, I took down the Tor node to avoid further confrontation.
>
> That's interesting, they gave you some info like the time and the
> amount but nothing else? Seems to me that they're pretty clueless and
> are fishing in the dark. Another reason for their behaviour could be
> that they want to get rid of you / your Tor node. Threatening customers
> is really sad, sounds like they heard the word Tor from you and then
> concluded "oh, then he basically asked for the attack".
>
>>
>> Now I seek your interpretation of this event:
>> - Have there been more recent incidents against Tor nodes?
>
> Nothing with that magnitude on my end for weeks.
>
>> - How can I investigate it?
>
> You can ask your ISP for their logs regarding that attack. Do you have
> any logs on your system, maybe from an intrusion detection system or
> anything else?
>
>> - How should one react to a hoster? I mean they could have made up the
>> whole thing...
>
> If you are already considering this then I would recommend changing to
> another ISP, sounds like there is already some distrust.
>
>>
>> Looking forward to your comments
>> Chris



In the context of a shared virtual server (VPS), null-routing traffic 
seems like a good way to protect other customers on the same machine. 
It's common for VPS hosts to have a single or double 1Gbit/s link to 
each machine, and a 2Gbit/s DDoS attack would cause that to be 
completely utilized, disrupting service for other customers.

I haven't seen any significant attacks on my Tor nodes recently. There's 
the usual 1Gbit/s spike for a few minutes sometimes, but they never last 
long.

Tom
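Both Sebastian's question about logs on the relay itself and Tom's remark about short 1Gbit/s spikes come down to the same thing: keeping your own record of inbound rate over time so you can tell a minutes-long burst from a hours-long flood and compare it with what the hoster claims. The script below is an added example and not part of this thread or of Tor: it turns periodic samples of a cumulative rx_bytes counter (the kind of number Linux exposes in /proc/net/dev) into a per-interval bit rate and reports only spikes that stay above a threshold for longer than a grace period. The traffic profile, threshold and function names are constructed for illustration.

```python
"""Flag sustained inbound bandwidth spikes from periodic interface byte counters.

Added example, not from the tor-relays thread. Samples are (timestamp, rx_bytes)
pairs as a monitoring cron job might record them; all data here is constructed.
"""
from dataclasses import dataclass


@dataclass
class Sample:
    ts: int        # unix seconds at which the counter was read
    rx_bytes: int  # cumulative bytes received, as in /proc/net/dev


@dataclass
class Spike:
    start: int      # timestamp at which the rate first exceeded the threshold
    end: int        # timestamp of the last interval still above it
    peak_bps: float # highest per-interval rate seen during the spike


def rates(samples):
    """Return (interval_start, interval_end, bits_per_second) for each interval.

    Intervals with a non-positive duration or a decreasing counter (reboot or
    counter wrap) carry no usable information and are skipped.
    """
    out = []
    for a, b in zip(samples, samples[1:]):
        dt = b.ts - a.ts
        delta = b.rx_bytes - a.rx_bytes
        if dt <= 0 or delta < 0:
            continue
        out.append((a.ts, b.ts, delta * 8 / dt))
    return out


def sustained_spikes(samples, threshold_bps, min_duration_s):
    """Return spikes whose rate stayed >= threshold_bps for >= min_duration_s.

    Short bursts below the grace period are dropped on purpose: they are the
    noise a relay operator sees anyway, not evidence of a multi-hour flood.
    """
    spikes = []
    start = end = None
    peak = 0.0

    def close():
        if start is not None and end - start >= min_duration_s:
            spikes.append(Spike(start, end, peak))

    for i_start, i_end, bps in rates(samples):
        if bps >= threshold_bps:
            if start is None:
                start, peak = i_start, 0.0
            end = i_end
            peak = max(peak, bps)
        else:
            close()
            start = end = None
    close()
    return spikes


def constructed_samples(profile, interval_s=60):
    """Build a counter series from a list of (minutes, bits_per_second) segments.

    Constructed input only; a real deployment would read the counter from the
    interface once per interval and append it to a log.
    """
    samples = [Sample(0, 0)]
    ts = rx = 0
    for minutes, bps in profile:
        for _ in range(minutes):
            ts += interval_s
            rx += bps * interval_s // 8
            samples.append(Sample(ts, rx))
    return samples


# Constructed profile: quiet baseline, a 3-minute 1Gbit/s burst, baseline,
# a 130-minute 2Gbit/s flood, baseline. Only the flood should be reported.
DEMO_PROFILE = [
    (5, 10_000_000),
    (3, 1_000_000_000),
    (5, 10_000_000),
    (130, 2_000_000_000),
    (5, 10_000_000),
]
THRESHOLD_BPS = 500_000_000   # 500 Mbit/s: well above this relay's normal load
MIN_DURATION_S = 600          # ignore anything shorter than ten minutes


def demo():
    return sustained_spikes(constructed_samples(DEMO_PROFILE), THRESHOLD_BPS, MIN_DURATION_S)


if __name__ == "__main__":
    for s in demo():
        print(f"sustained spike: {(s.end - s.start) // 60} min from t={s.start}s, "
              f"peak {s.peak_bps / 1e9:.1f} Gbit/s")
```

Run it once a minute against a real counter log and the output is exactly the kind of evidence worth handing back to a hoster: when the flood started, how long it lasted and how large it was, independent of their own numbers. The threshold and grace period are deliberately conservative; tune them to the relay's usual traffic so the everyday short bursts Tom describes stay below the line.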
