[tor-relays] unbound bogs down strangely, degrading exit relay

Dhalgren Tor dhalgren.tor at gmail.com
Fri Mar 18 15:46:56 UTC 2016


As with the earlier incident, problem came back within hours of
restarting the daemons.

Was able to figure out what's happening.  Operators running 'unbound' take note!

Problem appears to be the result of someone attempting to DDOS a DNS
service, in this case GoDaddy.

Ran

   lsof -Pn -p <unbnd_pid>

a few times and observed numerous SYN_SENT TCP connections, of of them
to 208.109.255.0/24, where GoDaddy DNS servers are found.  Appears
GoDaddy is rate-limiting or blocking requests from the 'unbound'
instance on the relay IP.

Ran

   unbound-control dump_requestlist

and see a large queue of requests to GoDaddy.  Finally ran

   unbound-control dump_infra >infralst

and see 14000 lines similar to

   208.109.255.26 cycsErvicioSsAS.coM. expired rto 120000

indicating a huge number of requests have been made to GoDaddy and
have expired after 120 seconds.

Presently the quantity of requests has fallen off and the exit is
operating fine.  Have alarmed the tell-tale log message.  When it
recurs I expect

   unbound-control purge_requestlist

will mitigate the problem.  Presently looking into configuring
'ratelimit' feature of 'unbound'.  If anyone has already done this
successfully please post to this thread.
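
One way to make the `dump_infra` check from this message repeatable, as an added example that is not part of the original post: it counts `expired` entries per upstream /24 and lists the prefixes at or above a threshold. It assumes the line layout quoted above (address, zone, then `expired`); the function names, the threshold and every sample line except the quoted one are constructed.

```shell
#!/bin/sh
# Added example: summarise `unbound-control dump_infra` output by upstream.
# Assumption: fields are "<address> <zone> expired rto <ms>" for timed-out
# entries, as in the line quoted in the message; other lines are ignored.

# summarize_expired [THRESHOLD]
# Reads dump_infra lines on stdin and prints "<count> <prefix>" for every
# IPv4 /24 (or single IPv6 address) with at least THRESHOLD expired entries,
# largest first.
summarize_expired() {
    threshold=${1:-100}
    awk -v min="$threshold" '
        $3 == "expired" {
            key = $1
            if (key !~ /:/) {                 # IPv4: collapse to its /24
                split(key, o, ".")
                key = o[1] "." o[2] "." o[3] ".0/24"
            }
            count[key]++
        }
        END {
            for (k in count)
                if (count[k] >= min) print count[k], k
        }
    ' | sort -rn
}

# Constructed sample input. Only the first line is taken from the message;
# the rest use documentation address ranges and made-up zone names, and the
# healthy line is an abbreviated, constructed form.
sample_infra() {
    cat <<'EOF'
208.109.255.26 cycsErvicioSsAS.coM. expired rto 120000
208.109.255.26 constructed-a.example. expired rto 120000
208.109.255.26 constructed-b.example. expired rto 120000
198.51.100.7 constructed-c.example. expired rto 120000
198.51.100.9 constructed-d.example. expired rto 120000
192.0.2.53 example.org. ttl 812 ping 12 var 30 rtt 132 rto 132
2001:db8::53 example.com. expired rto 120000
EOF
}

# Demo on the sample; on a relay, feed it the real dump instead:
#   unbound-control dump_infra | summarize_expired 1000
sample_infra | summarize_expired 2
```

Run from cron, non-empty output can serve as the alarm condition alongside the log message.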

