[tor-relays] botnet? abusing/attacking guard nodes
Stijn Jonker
sjcjonker at sjc.nl
Wed Dec 20 16:07:35 UTC 2017
On 20 Dec 2017, at 16:39, x9p wrote:
> On Wed, December 20, 2017 12:10 pm, Santiago wrote:
> ...
>>
>> My relay B33BFA9AA0005730C1C0E8F7E6F53CF3C5716BD6 is not currently
>> tagged as Guard, and I am seeing more than twenty IPv4s with more than
>> 10 connections, and one with 147. Should that be considered normal for a
>> non-guard relay?
>
> 147 is a bit high for a non-exit, non-guard, for a single IP. Check
> https://atlas.torproject.org/ and see if this IP is part of the Tor
> network.
My relay is regularly struggling a bit nowadays, with some source IPs
crossing over the 1000 connections, but quite a few at 50-100. The one
with 1000 connections, and for some random IPs none of their IPs being
listed as a Tor node on Atlas. Seems to be a lot of IPs out of
54.36.51.0/24 that tend to open a lot of sessions. Whereby the ones
checked are not on Atlas.
At some point the entire conntrack table was full and there were OOM kills
for the tor process. This only left me to put in some connection limits,
despite this being advised against. I currently have:
200 connections per /24, if that's used then at least allow 24
connections per /32.
I'm currently running with 6600 connections just fine; when it crosses
the 15k it becomes troublesome.
Now blocking some connections might be far-far from ideal, but better
~6000 connections served with bandwidth than to remove my relay from the
tor network in my view.
That said it would be good if the Tor program itself would have some
protections, to the extent possible, with the current protocol. For
instance dropping clients (source IPs) that frequently connect but are
not behaving. I understand this might have its implications when under
censorship/censorship countermeasures.
--
Yours Sincerely / Met Vriendelijke groet,
Stijn Jonker
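Added example, not part of the original post or of Tor itself: a small tally of inbound relay connections per source /32 and per source /24, flagging sources above the 24 and 200 figures mentioned in the message. The ORPort value 9001, the input layout (that of `ss -Htn state established`) and the sample addresses are assumptions; the sample lines are constructed.

```python
import ipaddress
from collections import Counter

OR_PORT = 9001       # assumption: ORPort of the relay, not stated in the post
PER_HOST_LIMIT = 24  # connections per /32, figure from the post
PER_NET_LIMIT = 200  # connections per /24, figure from the post

def parse_peer(line, or_port=OR_PORT):
    """Return the IPv4 peer of an inbound ORPort connection, else None."""
    fields = line.split()
    if len(fields) < 2:
        return None
    local, peer = fields[-2], fields[-1]
    if local.rsplit(":", 1)[-1] != str(or_port):
        return None  # not inbound to the ORPort, e.g. our own outbound link
    try:
        return ipaddress.IPv4Address(peer.rsplit(":", 1)[0])
    except ValueError:
        return None  # IPv6 or malformed peer; only IPv4 is tallied here

def tally(lines, or_port=OR_PORT):
    """Count inbound connections per source /32 and per source /24."""
    per_host, per_net = Counter(), Counter()
    for line in lines:
        addr = parse_peer(line, or_port)
        if addr is not None:
            per_host[str(addr)] += 1
            per_net[str(ipaddress.ip_network(f"{addr}/24", strict=False))] += 1
    return per_host, per_net

def over_limit(counter, limit):
    """Return {source: count} for every source above the limit."""
    return {src: n for src, n in counter.items() if n > limit}

def constructed_sample():
    """Constructed input in the layout of `ss -Htn state established`."""
    lines = [f"0 0 192.0.2.10:9001 198.51.100.{h}:{40000 + p}"
             for h in range(1, 22) for p in range(10)]   # 21 hosts x 10
    lines += [f"0 0 192.0.2.10:9001 203.0.113.5:{50000 + p}" for p in range(30)]
    lines.append("0 0 192.0.2.10:45678 203.0.113.9:9001")         # outbound
    lines.append("0 0 [2001:db8::10]:9001 [2001:db8::99]:40000")  # IPv6
    return lines

if __name__ == "__main__":
    hosts, nets = tally(constructed_sample())
    print("per /32 over limit:", over_limit(hosts, PER_HOST_LIMIT))
    print("per /24 over limit:", over_limit(nets, PER_NET_LIMIT))
```

The constructed sample shows why both counters matter: one /24 exceeds 200 connections while none of its hosts exceeds 24 on its own.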