[tor-relays] DoS on my non-exit relay? Or just oversensitive DoS "protection"?

Sebastian Niehaus niehaus at web.de
Wed Aug 10 07:39:35 UTC 2016


Hi,

The provider of my non-exit "silentrocket" told me they temporarily
disconnected the server from their network because of a DoS attack
against the machine.

https://atlas.torproject.org/#details/7A32C9519D80CA458FC8B034A28F5F6815649A98

They sent me some details of what they think is a DoS attack (date and
time omitted ...):


###########################################
Attack type: DoS_IN
Attacked IP: 82.223.21.74
###########################################
Source Address	Source Port	Destination Address	Destination Port	Frames


193.171.202.146	TCP:9001  82.223.21.74	TCP:61078	21440736
176.10.104.243	TCP:443	  82.223.21.74	TCP:25817	11203344
185.29.8.132	TCP:443	  82.223.21.74	TCP:56708	8160360
58.58.170.2	TCP:443	  82.223.21.74	TCP:61980	7840824
144.76.14.145	TCP:143	  82.223.21.74	TCP:19866	6240664
195.154.209.91	TCP:443	  82.223.21.74	TCP:20229	4808568
192.42.113.102	TCP:9001  82.223.21.74	TCP:62658	4328568
83.146.80.152	TCP:39898 82.223.21.74	TCP:9001	3041584
87.98.162.251	TCP:443	  82.223.21.74	TCP:60948	2240040
188.138.9.49	TCP:9001  82.223.21.74	TCP:13349	2240000
93.145.122.187	TCP:60469 82.223.21.74	TCP:9001	1920016
104.236.92.66	TCP:1337  82.223.21.74	TCP:48838	1760248
5.248.227.163	TCP:9001  82.223.21.74	TCP:28976	1760240
109.104.12.92	TCP:9001  82.223.21.74	TCP:15808	1601224
46.101.237.246	TCP:9001  82.223.21.74	TCP:18393	1600784
212.47.239.187	TCP:443	  82.223.21.74	TCP:6669	1600000
212.117.180.130	TCP:443	  82.223.21.74	TCP:37114	1440000
37.187.17.67	TCP:38547 82.223.21.74	TCP:9001	1281176
37.157.193.107	TCP:49192 82.223.21.74	TCP:9001	804896
193.11.164.243	TCP:9001  82.223.21.74	TCP:62265	800040


I am not sure whether it really looks like a DoS attack or if it is just
many "normal" tor packets hammering on the small server which are
misunderstood as a DoS.


They are coming from a remote machine's tor port and going to some
random port on my server, suggesting the packets are simply a reply to
some connection my server opened.


The server ran fine for several months but now I get a disconnection
notice several times a day. Maybe there is really a DoS, maybe their
automatic DoS protection reacts too fast, maybe they are just fed up
with the traffic the relay causes and want to make things hard for me.

Do you have any (educated) guesses what might be going on here?


Thank you very much,


Sebastian
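
Added example, not part of the original post: a Python sketch of the triage the message describes, splitting the provider's flow table by which side appears to hold the listening port. The names `RELAY_PORTS`, `LOCAL_ORPORT` and `EPHEMERAL_MIN` and their values are assumptions (9001 as the local ORPort is inferred from the report rows whose destination port is 9001).

```python
import re

# Assumptions (not from the post): which remote ports count as "relay-like"
# and the lowest local port treated as ephemeral.
RELAY_PORTS = {443, 9001}
LOCAL_ORPORT = 9001      # assumed: inferred from rows with destination port 9001
EPHEMERAL_MIN = 1024

ROW = re.compile(r"^(\S+)\s+TCP:(\d+)\s+(\S+)\s+TCP:(\d+)\s+(\d+)$")

# Five rows copied from the provider report quoted in the post.
SAMPLE = """\
Source Address  Source Port  Destination Address  Destination Port  Frames
193.171.202.146 TCP:9001  82.223.21.74 TCP:61078 21440736
176.10.104.243  TCP:443   82.223.21.74 TCP:25817 11203344
144.76.14.145   TCP:143   82.223.21.74 TCP:19866 6240664
83.146.80.152   TCP:39898 82.223.21.74 TCP:9001  3041584
104.236.92.66   TCP:1337  82.223.21.74 TCP:48838 1760248
"""

def parse_report(text):
    """Yield (src_ip, src_port, dst_ip, dst_port, frames) for each data row."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # headers, separators and blank lines do not match
            yield m[1], int(m[2]), m[3], int(m[4]), int(m[5])

def classify(src_port, dst_port):
    """Label one flow by which side appears to hold the listening port."""
    if dst_port == LOCAL_ORPORT:
        return "inbound_to_orport"   # a client or relay connected to us
    if src_port in RELAY_PORTS and dst_port >= EPHEMERAL_MIN:
        return "reply_to_outbound"   # consistent with a connection we opened
    return "needs_lookup"            # relays may use any ORPort: check the relay list

def summarize(text):
    """Total frames per label across the whole report."""
    totals = {}
    for _, sport, _, dport, frames in parse_report(text):
        label = classify(sport, dport)
        totals[label] = totals.get(label, 0) + frames
    return totals

if __name__ == "__main__":
    for label, frames in sorted(summarize(SAMPLE).items()):
        print(f"{label:20} {frames}")
```

Rows labelled `needs_lookup` are not evidence of an attack by themselves; the source address and port still have to be compared against the published relay list.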


