[tor-relays] outgoing UDP flooding on middle relay

Markus Koch niftybunny at googlemail.com
Mon Aug 1 13:17:34 UTC 2016


If this is a SYN flood or any other DDoS attack on his VPS, the Tor server would not relay the attack, and incoming and outgoing traffic would be vastly different.


> On 01 Aug 2016, at 15:12, teor <teor2345 at gmail.com> wrote:
> 
> 
>> On 1 Aug 2016, at 23:08, Markus Koch <niftybunny at googlemail.com> wrote:
>> 
>> Looks like DOS/DDOS. Is it even possible to DDOS over tor?
> 
> It's possible to (D)DOS any server using ping (or DNS, or any other UDP responder).
> All an attacker needs is the server's IP address, which is publicly available in the Tor consensus.
> Then they can attack the relay from the Internet.
> 
> There's no need to use Tor to tunnel the (D)DOS. In this case, Tor doesn't tunnel UDP, so it's unlikely to be the culprit.
> 
> Tim
> 
>> 
>> 
>> 2016-08-01 15:04 GMT+02:00 pa011 <pa011 at web.de>:
>>> yes, about the same - sorry for the page break, I don't get it solved in my
>>> thunderbird
>>> 
>>> h  rx (KiB)   tx (KiB)      h  rx (KiB)   tx (KiB)      h  rx (KiB)   tx (KiB)
>>> 23  6.559.929  6.748.215    07  4.697.285  4.845.893    15 35.106.193 35.833.114
>>> 00  5.129.384  5.289.456    08 12.317.567 12.605.726    16          0          0
>>> 01  3.709.181  3.843.988    09 14.913.172 15.278.079    17          0          0
>>> 02  4.405.017  4.574.745    10 22.218.874 22.738.508    18    102.138    144.732
>>> 03  4.670.091  4.817.785    11 25.700.571 26.306.505    19    275.999    340.633
>>> 04  4.711.807  4.853.921    12 32.840.796 33.571.996    20    271.278    382.087
>>> 05  4.269.354  4.408.417    13 32.910.527 33.637.092    21    263.147    383.444
>>> 06  5.279.142  5.443.890    14 40.052.678 40.824.138    22    176.040    258.865
>>> 
>>> 
>>>> Am 01.08.2016 um 14:51 schrieb Markus Koch:
>>>> In and outgoing traffic is the same size?
>>>> 
>>>> 
>>>> 
>>>> 2016-08-01 14:44 GMT+02:00 pa011 <pa011 at web.de>:
>>>>> The ISP didn’t mention - I would have to ask.
>>>>> 
>>>>> What I saw was that the traffic was up about linear from usually 30Mbits
>>>>> to above 100 Mbits over about 6 hours, bringing the CPU to 100% and
>>>>> dropping.
>>>>> 
>>>>> 
>>>>>> Am 01.08.2016 um 14:36 schrieb Markus Koch:
>>>>>> How many packets per second?
>>>>>> 
>>>>>> Markus
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 2016-08-01 14:28 GMT+02:00 pa011 <pa011 at web.de>:
>>>>>>> Hello,
>>>>>>> 
>>>>>>> one of my middle relays got auto limited by the ISP because of
>>>>>>> "outgoing UDP flooding".
>>>>>>> 
>>>>>>> The VPS is pure debian8, fail2ban, pub key and nothing else installed -
>>>>>>> so I highly doubt the given reason for the traffic limitation.
>>>>>>> Also I can't find anything in the log files.
>>>>>>> 
>>>>>>> Anybody having experience with such an issue?
>>>>>>> What to check for please?
>>>>>>> 
>>>>>>> Paul
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> tor-relays mailing list
>>>>>>> tor-relays at lists.torproject.org
>>>>>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> 
> Tim Wilson-Brown (teor)
> 
> teor2345 at gmail dot com
> PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
> ricochet:ekmygaiu4rzgsk6n
> xmmp: teor at torproject dot org
> 


More information about the tor-relays mailing list
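
The in/out symmetry check discussed in this thread, applied to the hourly table pa011 posted. This is an added example, not part of the original messages; the function names and the 1.5 ratio threshold are assumptions chosen for illustration.

```python
import re

# Hourly rx/tx figures as posted in the thread (KiB, "." as thousands separator).
THREAD_TABLE = """\
h  rx (KiB)   tx (KiB)      h  rx (KiB)   tx (KiB)      h  rx (KiB)   tx (KiB)
23  6.559.929  6.748.215    07  4.697.285  4.845.893    15 35.106.193 35.833.114
00  5.129.384  5.289.456    08 12.317.567 12.605.726    16          0          0
01  3.709.181  3.843.988    09 14.913.172 15.278.079    17          0          0
02  4.405.017  4.574.745    10 22.218.874 22.738.508    18    102.138    144.732
03  4.670.091  4.817.785    11 25.700.571 26.306.505    19    275.999    340.633
04  4.711.807  4.853.921    12 32.840.796 33.571.996    20    271.278    382.087
05  4.269.354  4.408.417    13 32.910.527 33.637.092    21    263.147    383.444
06  5.279.142  5.443.890    14 40.052.678 40.824.138    22    176.040    258.865
"""

# One "hour rx tx" triple; several triples may share a line.
ROW = re.compile(r"\b(\d{2})\s+([\d.]+)\s+([\d.]+)")


def parse_hourly(text):
    """Return {hour: (rx_kib, tx_kib)} from a multi-column hourly table."""
    hourly = {}
    for hour, rx, tx in ROW.findall(text):
        hourly[int(hour)] = (int(rx.replace(".", "")), int(tx.replace(".", "")))
    return hourly


def asymmetric_hours(hourly, max_ratio=1.5):
    """Hours where one direction exceeds the other by more than max_ratio.

    A relay forwards what it receives, so rx and tx should track each other.
    A flood aimed at the host (or sent by it) shows up as a lopsided hour.
    max_ratio is an assumed threshold, not a Tor or ISP constant.
    """
    flagged = []
    for hour in sorted(hourly):
        rx, tx = hourly[hour]
        low, high = min(rx, tx), max(rx, tx)
        if high == 0:
            continue  # idle hour (e.g. while the ISP limit was active)
        if low == 0 or high / low > max_ratio:
            flagged.append(hour)
    return flagged


if __name__ == "__main__":
    hourly = parse_hourly(THREAD_TABLE)
    print("asymmetric hours in thread data:", asymmetric_hours(hourly))
    # Constructed row for contrast: 9x more sent than received in hour 12.
    print("with constructed flood row:",
          asymmetric_hours(parse_hourly("12  1.000.000  9.000.000")))
```

On the thread's figures no hour is flagged, including the ramp to roughly 40 GiB per hour at 14:00, which matches the relayed-traffic reading given in the replies.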