[tor-relays] DoS from my tor guard VPS

teor teor2345 at gmail.com
Wed Nov 16 00:10:58 UTC 2016


> On 16 Nov. 2016, at 07:57, Pascal Terjan <pterjan at gmail.com> wrote:
> 
> On 15 November 2016 at 20:41, Arisbe <arisbe at cni.net> wrote:
>> One of my tor guard relays is a medium size VPS operating in the Czech
>> Republic.  It's been up and stable for several years.  Several weeks ago I
>> was notified that my VPS was a source of UDP DoS traffic.  It was shut down.
>> Logs showed no intrusions.
>> 
>> I installed a different instance of linux, changed my SSH port, added
>> fail2ban and even installed clamav.  I did not make changes to the tor exit
>> policy.  Then, this week I received the following:
>> 
>> "Hello,
>> surveillance system detected a disproportionate outgoing DoS traffic on your
>> VPS torexitcz and then our network under a DDoS attack. Your server
>> torexitcz has been stopped. This is another problem with your VPS. Your
>> service will be terminated.
>> Thanks for understanding."
>> 
>> Can anyone offer an opinion as to how my relay was used for DoS? How can I
>> avoid this in the future?  My goal, as always is to provide stable nodes to
>> the tor network while protecting myself and my VPS supplier.
>> 
>> 4061C553CA88021B8302F0814365070AAE617270
>> 185.100.85.101
> 
> Your relay allows exit, and based on the name that seems intentional.
> If you don't want it to possibly be used for attacks, you should not run an exit.

Tor Exits only produce one kind of UDP traffic: DNS requests on behalf
of clients.

If you were using the provider's DNS servers directly, this could look
like a DoS attack, particularly if the DNS servers are
under-provisioned (or the intrusion detection system too sensitive).

Install a caching resolver on your relay, accessible only from
localhost, and either edit /etc/resolv.conf, or use the
ServerDNSResolvConfFile torrc option.

(Editing /etc/resolv.conf can be unreliable, because some processes
overwrite it using DHCP data. It's probably best to use a separate
file and ServerDNSResolvConfFile.)

If your provider is that sensitive about DNS traffic, it might be
best to point your resolver at some other public DNS servers.

But please don't use Google, they see too much Tor DNS traffic already.

T

-- 
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
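The setup teor describes (a caching resolver bound to loopback, a separate resolv.conf for Tor, and ServerDNSResolvConfFile pointing at it), as an added example that is not part of the thread. It assumes Unbound as the caching resolver, assumes the file paths it writes, and assumes the column layout of `ss -lun` output for the listener check; the sample listings are constructed, not captured from a real relay.

```shell
#!/bin/sh
# Added example, not from the tor-relays thread: put a caching resolver on the
# relay, bound to loopback only, and give Tor its own resolv.conf via
# ServerDNSResolvConfFile so DHCP rewriting /etc/resolv.conf cannot undo it.
# All file paths, and Unbound as the resolver, are assumptions for this example.

# write_tor_dns_conf DIR
# Writes three files under DIR: the resolver file Tor will read, the torrc
# line that points Tor at it, and a minimal Unbound config that listens on
# 127.0.0.1 only and refuses queries from anywhere else.
write_tor_dns_conf() {
    dir="$1"
    mkdir -p "$dir"

    # Resolver file for Tor: only the local caching resolver, nothing from DHCP.
    cat > "$dir/resolv-tor.conf" <<'EOF'
nameserver 127.0.0.1
EOF

    # torrc fragment: ServerDNSResolvConfFile affects only the lookups an exit
    # does on behalf of clients; the system's own /etc/resolv.conf is untouched.
    cat > "$dir/torrc.snippet" <<EOF
ServerDNSResolvConfFile $dir/resolv-tor.conf
EOF

    # Unbound server block: loopback interface plus an explicit access-control
    # list, so the resolver cannot be reached (or abused) from the network.
    # Add "interface: ::1" as well if the host has IPv6 loopback configured.
    # To forward to an upstream of your choice instead of recursing, add a
    # forward-zone block (name: "." / forward-addr: <upstream>) below.
    cat > "$dir/unbound-local.conf" <<'EOF'
server:
    interface: 127.0.0.1
    port: 53
    do-udp: yes
    do-tcp: yes
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    hide-identity: yes
    hide-version: yes
EOF
}

# check_dns_loopback_only
# Reads "ss -lun" (or "ss -ltn") output on stdin and exits non-zero if any
# port-53 listener is bound to a non-loopback address. Run it after starting
# the resolver:  ss -lun | check_dns_loopback_only
check_dns_loopback_only() {
    awk '
        NR == 1 { next }                       # header line
        {
            addr = $4                          # Local Address:Port column
            if (addr !~ /:53$/) next           # not a DNS listener
            if (addr !~ /^127\./ && addr !~ /^\[::1\]:/) {
                print "non-loopback DNS listener: " addr
                bad = 1
            }
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# Constructed sample listings in ss -lun format (not captured from a real host).
SAMPLE_SS_GOOD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      127.0.0.1:53       0.0.0.0:*
UNCONN 0      0      0.0.0.0:9001       0.0.0.0:*'

SAMPLE_SS_BAD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      127.0.0.1:53       0.0.0.0:*
UNCONN 0      0      0.0.0.0:53         0.0.0.0:*'

# Demonstration with the constructed listings (writes configs to a temp dir).
demo_dir=$(mktemp -d)
write_tor_dns_conf "$demo_dir"
echo "wrote configs to $demo_dir"
printf '%s\n' "$SAMPLE_SS_GOOD" | check_dns_loopback_only && echo "good listing: loopback only"
printf '%s\n' "$SAMPLE_SS_BAD" | check_dns_loopback_only || echo "bad listing: exposed resolver detected"
```

The point of the separate file is the one teor makes: Tor reads it instead of /etc/resolv.conf, so a DHCP client rewriting the system file does not silently send exit DNS back to the provider's servers. The listener check is worth running after every resolver restart; a resolver that ends up on 0.0.0.0:53 is exactly the kind of open service a hosting provider will flag.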