[tor-relays] Handshake flood now on NTor

Tor Stuff tor.geheimschreiber at gmail.com
Mon Sep 8 12:48:36 UTC 2014 

I have a related question. I have recently built my first Tor relay (ORPort
443, DirPort 80, NOT Exit) with both the bandwidth and burst limits set to
100KB/s.

It has been running for less than 3 days. During that time I have been
monitoring it with 'arm' and on GLOBE and notice a number of things that I
cannot reconcile:

1. The 'arm' download total ALWAYS exceeds the upload total. As a
percentage of the upload total the difference is 5%-6%. There are NO
unsuccessful handskakes recorded.

2. The bandwidth graph provided by 'arm' is headed: "Bandwidth (limit: 800
Kb/s, burst 800 Kb/s, measured: 152.0 b/s):". It is the "measured: 152.0
b/s" that has me scratching my head! What does that value represent? Note
that 'arm' tells me that average bandwidth usage (up and down) is well over
10 Kb/s with instantaneous usage of more than 50 Kb/s at times.

3. Possibly related to 2) above, I ALWAYS seem to have more inbound
connections than outbound connections.

BUT in contradiction to the above, GLOBE says that for the 3-day period
monitored, "written bytes" (bandwidth?) is 1.84 bB/s while "read bytes" is
1.62 kB/s. That is, upload bandwidth is greater than download bandwidth.
That seems to me more reasonable than what 'arm' is saying as my relay is
willing to upload directory info.

Q

On Mon, Sep 8, 2014 at 6:58 AM, Joel Cretan <jcretan at gmail.com> wrote:

> I observed something similar today. It was basically as you described for
> the previous cases you observed, where there was a storm of about 10 times
> more TAP handshakes than usual. My middle relay is pretty small, limited to
> 1.1Mbit/s, and until this point it wasn't even saturating that. Then this
> storm came in and saturated it for less than half a day, and then it
> stopped. My consensus weight went up during this time, so there is a higher
> level of residual traffic now than before it started, but the extreme event
> seems to done. It's strange to me that during the storm, the downstream
> traffic was much greater than the upstream. Any idea what could have been
> going on during that time? Why would my relay be receiving a bunch of data
> that it didn't pass on? The discrepancy seems to be too high for it to
> downloading directory information.
>
> The fingerprint is 7552CA84FB125059DC2959A6BE01A6A8107B3523 and here are
> the log entries from before, during and after:
>
> Sep 06 13:40:04.000 [notice] Heartbeat: Tor's uptime is 11 days 18:00
> hours, with 34 circuits open. I've sent 3.52 GB and received 3.52 GB.
> Sep 06 13:40:04.000 [notice] Average packaged cell fullness: 96.735%
> Sep 06 13:40:04.000 [notice] TLS write overhead: 6%
> Sep 06 13:40:04.000 [notice] Circuit handshake stats since last time:
> 1948/1949 TAP, 645/645 NTor.
>
> Sep 06 19:40:04.000 [notice] Heartbeat: Tor's uptime is 12 days 0:00
> hours, with 878 circuits open. I've sent 3.64 GB and received 3.65 GB.
> Sep 06 19:40:04.000 [notice] Average packaged cell fullness: 95.657%
> Sep 06 19:40:04.000 [notice] TLS write overhead: 7%
> Sep 06 19:40:04.000 [notice] Circuit handshake stats since last time:
> 16759/16957 TAP, 540/540 NTor.
>
> Sep 07 00:12:04.000 [notice] New control connection opened.
> Sep 07 00:25:03.000 [notice] New control connection opened.
> Sep 07 00:31:42.000 [notice] New control connection opened.
> Sep 07 01:14:06.000 [notice] New control connection opened.
> Sep 07 01:40:04.000 [notice] Heartbeat: Tor's uptime is 12 days 6:00
> hours, with 161 circuits open. I've sent 4.03 GB and received 4.51 GB.
> Sep 07 01:40:04.000 [notice] Average packaged cell fullness: 93.753%
> Sep 07 01:40:04.000 [notice] TLS write overhead: 7%
> Sep 07 01:40:04.000 [notice] Circuit handshake stats since last time:
> 36498/611731 TAP, 832/867 NTor.
>
> Sep 07 07:40:04.000 [notice] Heartbeat: Tor's uptime is 12 days 12:00
> hours, with 24 circuits open. I've sent 4.44 GB and received 6.22 GB.
> Sep 07 07:40:04.000 [notice] Average packaged cell fullness: 93.604%
> Sep 07 07:40:04.000 [notice] TLS write overhead: 8%
> Sep 07 07:40:04.000 [notice] Circuit handshake stats since last time:
> 27191/1548070 TAP, 1261/1353 NTor.
>
> Sep 07 13:34:25.000 [notice] New control connection opened.
> Sep 07 13:40:04.000 [notice] Heartbeat: Tor's uptime is 12 days 18:00
> hours, with 19 circuits open. I've sent 4.61 GB and received 6.38 GB.
> Sep 07 13:40:04.000 [notice] Average packaged cell fullness: 93.745%
> Sep 07 13:40:04.000 [notice] TLS write overhead: 8%
> Sep 07 13:40:04.000 [notice] Circuit handshake stats since last time:
> 1803/1803 TAP, 385/385 NTor.
>
>
>
>
> On Tue, Sep 2, 2014 at 11:28 AM, Jobiwan Kenobi <helpme.jobiwan at gmail.com>
> wrote:
>
>> Hi,
>>
>> For about 15 hours straight, my relay was being hammered by
>> connections/handshakes.
>>
>> I see lots of these:
>>
>> Sep 02 01:03:02.000 [warn] Your computer is too slow to handle this many
>> circuit creation requests! Please consider using the MaxAdvertisedBandwidth
>> config option or choosing a more restricted exit policy. [70638 similar
>> message(s) suppressed in last 60 seconds]
>>
>> Numbers vary between 30000 and 80000 per 60 seconds.
>>
>> Also the occasional clock jump message and other performance related
>> messages, and of course, _lots_ of unsuccessful handshakes:
>>
>> Sep 01 22:31:26.000 [notice] Circuit handshake stats since last time:
>> 5038/5038 TAP, 17771/17773 NTor.
>> Sep 02 04:31:26.000 [notice] Circuit handshake stats since last time:
>> 3100/3484 TAP, 465565/5417818 NTor.
>> Sep 02 10:31:26.000 [notice] Circuit handshake stats since last time:
>> 3139/4249 TAP, 679872/8244698 NTor.
>> Sep 02 16:31:26.000 [notice] Circuit handshake stats since last time:
>> 3884/5294 TAP, 502835/10443735 NTor.
>>
>> It is a low spec machine.
>>
>> I've been through episodes like this before, but this time it's
>> different:
>>
>> - They are NTor handshakes, where before they would be TAP
>>   handshakes.
>> - The amount of up and down traffic is pretty balanced, where before
>>   I would get much more down than up during these floods.
>> - In case it matters: I am now running 0.2.4.23, before I was on
>>   0.2.4.18-RC
>>
>>
>> It stopped about 4 hours ago. Running normal now.
>>
>> -Job
>>
>> _______________________________________________
>> tor-relays mailing list
>> tor-relays at lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>>
>
>
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20140908/d629961e/attachment.html>

More information about the tor-relays mailing list