[tor-relays] Handshake flood now on NTor

Joel Cretan jcretan at gmail.com
Mon Sep 8 05:58:33 UTC 2014 

I observed something similar today. It was basically as you described for
the previous cases you observed, where there was a storm of about 10 times
more TAP handshakes than usual. My middle relay is pretty small, limited to
1.1Mbit/s, and until this point it wasn't even saturating that. Then this
storm came in and saturated it for less than half a day, and then it
stopped. My consensus weight went up during this time, so there is a higher
level of residual traffic now than before it started, but the extreme event
seems to done. It's strange to me that during the storm, the downstream
traffic was much greater than the upstream. Any idea what could have been
going on during that time? Why would my relay be receiving a bunch of data
that it didn't pass on? The discrepancy seems to be too high for it to
downloading directory information.

The fingerprint is 7552CA84FB125059DC2959A6BE01A6A8107B3523 and here are
the log entries from before, during and after:

Sep 06 13:40:04.000 [notice] Heartbeat: Tor's uptime is 11 days 18:00
hours, with 34 circuits open. I've sent 3.52 GB and received 3.52 GB.
Sep 06 13:40:04.000 [notice] Average packaged cell fullness: 96.735%
Sep 06 13:40:04.000 [notice] TLS write overhead: 6%
Sep 06 13:40:04.000 [notice] Circuit handshake stats since last time:
1948/1949 TAP, 645/645 NTor.

Sep 06 19:40:04.000 [notice] Heartbeat: Tor's uptime is 12 days 0:00 hours,
with 878 circuits open. I've sent 3.64 GB and received 3.65 GB.
Sep 06 19:40:04.000 [notice] Average packaged cell fullness: 95.657%
Sep 06 19:40:04.000 [notice] TLS write overhead: 7%
Sep 06 19:40:04.000 [notice] Circuit handshake stats since last time:
16759/16957 TAP, 540/540 NTor.

Sep 07 00:12:04.000 [notice] New control connection opened.
Sep 07 00:25:03.000 [notice] New control connection opened.
Sep 07 00:31:42.000 [notice] New control connection opened.
Sep 07 01:14:06.000 [notice] New control connection opened.
Sep 07 01:40:04.000 [notice] Heartbeat: Tor's uptime is 12 days 6:00 hours,
with 161 circuits open. I've sent 4.03 GB and received 4.51 GB.
Sep 07 01:40:04.000 [notice] Average packaged cell fullness: 93.753%
Sep 07 01:40:04.000 [notice] TLS write overhead: 7%
Sep 07 01:40:04.000 [notice] Circuit handshake stats since last time:
36498/611731 TAP, 832/867 NTor.

Sep 07 07:40:04.000 [notice] Heartbeat: Tor's uptime is 12 days 12:00
hours, with 24 circuits open. I've sent 4.44 GB and received 6.22 GB.
Sep 07 07:40:04.000 [notice] Average packaged cell fullness: 93.604%
Sep 07 07:40:04.000 [notice] TLS write overhead: 8%
Sep 07 07:40:04.000 [notice] Circuit handshake stats since last time:
27191/1548070 TAP, 1261/1353 NTor.

Sep 07 13:34:25.000 [notice] New control connection opened.
Sep 07 13:40:04.000 [notice] Heartbeat: Tor's uptime is 12 days 18:00
hours, with 19 circuits open. I've sent 4.61 GB and received 6.38 GB.
Sep 07 13:40:04.000 [notice] Average packaged cell fullness: 93.745%
Sep 07 13:40:04.000 [notice] TLS write overhead: 8%
Sep 07 13:40:04.000 [notice] Circuit handshake stats since last time:
1803/1803 TAP, 385/385 NTor.




On Tue, Sep 2, 2014 at 11:28 AM, Jobiwan Kenobi <helpme.jobiwan at gmail.com>
wrote:

> Hi,
>
> For about 15 hours straight, my relay was being hammered by
> connections/handshakes.
>
> I see lots of these:
>
> Sep 02 01:03:02.000 [warn] Your computer is too slow to handle this many
> circuit creation requests! Please consider using the MaxAdvertisedBandwidth
> config option or choosing a more restricted exit policy. [70638 similar
> message(s) suppressed in last 60 seconds]
>
> Numbers vary between 30000 and 80000 per 60 seconds.
>
> Also the occasional clock jump message and other performance related
> messages, and of course, _lots_ of unsuccessful handshakes:
>
> Sep 01 22:31:26.000 [notice] Circuit handshake stats since last time:
> 5038/5038 TAP, 17771/17773 NTor.
> Sep 02 04:31:26.000 [notice] Circuit handshake stats since last time:
> 3100/3484 TAP, 465565/5417818 NTor.
> Sep 02 10:31:26.000 [notice] Circuit handshake stats since last time:
> 3139/4249 TAP, 679872/8244698 NTor.
> Sep 02 16:31:26.000 [notice] Circuit handshake stats since last time:
> 3884/5294 TAP, 502835/10443735 NTor.
>
> It is a low spec machine.
>
> I've been through episodes like this before, but this time it's
> different:
>
> - They are NTor handshakes, where before they would be TAP
>   handshakes.
> - The amount of up and down traffic is pretty balanced, where before
>   I would get much more down than up during these floods.
> - In case it matters: I am now running 0.2.4.23, before I was on
>   0.2.4.18-RC
>
>
> It stopped about 4 hours ago. Running normal now.
>
> -Job
>
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20140907/1c30f6de/attachment.html>

More information about the tor-relays mailing list