[tor-relays] Recent wave of abuse on Tor guards

Felix zwiebel at quantentunnel.de
Thu Dec 21 21:11:47 UTC 2017


Hi mick

> And I run 0xbaddad - EA8637EA746451C0680559FDFF34ABA54DDAE831 a guard
> (though whether it stays a guard depends. It keeps falling over.)
Still a guard.


> (As an aside, I'd be very
> grateful for any feedback from other relay operators who /have/ added
> iptables "connlimit" rules. What is your view either way?)
It's currently good to be restrictive. Maybe a *per IP* limit of 20
(slow DoS) and a *per IP* rate of 1 per sec (fast DoS) is good. I am on
FreeBSD so I cannot give you a good idea. Maybe try what
tordoswitchhunter in [1] recommends (/32 is good). You have to harvest
your own hostile IPs :/


> So: My logs show Tor staying up for around 10 minutes at a time before
> rebooting with the following sort of entries:
> 
> Dec 21 16:25:44.000 [notice] Performing bandwidth self-test...done.
> Dec 21 16:35:20.000 [notice] Tor 0.3.1.9 (git-df96a13e9155c7bf) opening log file.
> Dec 21 16:35:20.946 [notice] Tor 0.3.1.9 (git-df96a13e9155c7bf) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.1.0f, Zlib 1.2.8, Liblzma 5.2.2, and Libzstd 1.1.2.
> Dec 21 16:35:20.947 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
> Dec 21 16:35:20.947 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
> Dec 21 16:35:20.947 [notice] Read configuration file "/etc/tor/torrc".
> Dec 21 16:35:20.951 [notice] Based on detected system memory, MaxMemInQueues is set to 369 MB. You can override this by setting MaxMemInQueues by hand.
> Dec 21 16:35:20.952 [notice] Opening Control listener on 127.0.0.1:9051
> Dec 21 16:35:20.953 [notice] Opening OR listener on 0.0.0.0:9001
> Dec 21 16:35:20.000 [notice] Not disabling debugger attaching for unprivileged users.
> Dec 21 16:35:21.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
> Dec 21 16:35:21.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
> Dec 21 16:35:22.000 [notice] Configured to measure statistics. Look for the *-stats files that will first be written to the data directory in 24 hours from now.
> Dec 21 16:35:22.000 [notice] Your Tor server's identity key fingerprint is '0xbaddad EA8637EA746451C0680559FDFF34ABA54DDAE831'
> Dec 21 16:35:22.000 [notice] Bootstrapped 0%: Starting
> Dec 21 16:35:31.000 [notice] Starting with guard context "default"
> Dec 21 16:35:31.000 [notice] Bootstrapped 80%: Connecting to the Tor network
> Dec 21 16:35:31.000 [notice] Signaled readiness to systemd
> Dec 21 16:35:31.000 [notice] Opening Control listener on /var/run/tor/control
> Dec 21 16:35:31.000 [notice] Bootstrapped 85%: Finishing handshake with first hop
> Dec 21 16:35:32.000 [warn] Problem bootstrapping. Stuck at 85%: Finishing handshake with first hop. (Connection refused; CONNECTREFUSED; count 10; recommendation warn; host CD14AE63A02686BAE838A8079449B480801A8A5F at 195.181.208.180:443)
> Dec 21 16:35:32.000 [warn] 9 connections have failed:
> Dec 21 16:35:32.000 [warn]  9 connections died in state connect()ing with SSL state (No SSL object)
> Dec 21 16:35:32.000 [warn] Problem bootstrapping. Stuck at 85%: Finishing handshake with first hop. (Connection refused; CONNECTREFUSED; count 11; recommendation warn; host 500FE4D6B529855A2F95A0CB34F2A10D5889E8C1 at 134.19.177.109:443)
> Dec 21 16:35:32.000 [warn] 10 connections have failed:
> Dec 21 16:35:32.000 [warn]  10 connections died in state connect()ing with SSL state (No SSL object)
> Dec 21 16:35:32.000 [warn] Problem bootstrapping. Stuck at 85%: Finishing handshake with first hop. (Connection refused; CONNECTREFUSED; count 12; recommendation warn; host 3DE7762DD6165FD70C74BD02A6589C8C0C1B020A at 62.210.76.88:9001)
> Dec 21 16:35:32.000 [warn] 11 connections have failed:
> Dec 21 16:35:32.000 [warn]  11 connections died in state connect()ing with SSL state (No SSL object)
> Dec 21 16:35:32.000 [warn] Problem bootstrapping. Stuck at 85%: Finishing handshake with first hop. (Connection refused; CONNECTREFUSED; count 13; recommendation warn; host 03DC081E4409631006EFCD3AF13AFAAF2B553FFC at 185.32.221.201:443)
> Dec 21 16:35:32.000 [warn] 12 connections have failed:
> Dec 21 16:35:32.000 [warn]  12 connections died in state connect()ing with SSL state (No SSL object)
> Dec 21 16:35:32.000 [warn] Problem bootstrapping. Stuck at 85%: Finishing handshake with first hop. (Connection refused; CONNECTREFUSED; count 14; recommendation warn; host 51939625169E2C7E0DC83D38BAE628BDE67E9A22 at 109.236.90.209:443)
> Dec 21 16:35:32.000 [warn] 13 connections have failed:
> Dec 21 16:35:32.000 [warn]  13 connections died in state connect()ing with SSL state (No SSL object)
> Dec 21 16:35:32.000 [warn] Problem bootstrapping. Stuck at 85%: Finishing handshake with first hop. (Connection refused; CONNECTREFUSED; count 15; recommendation warn; host 500FE4D6B529855A2F95A0CB34F2A10D5889E8C1 at 134.19.177.109:443)
> Dec 21 16:35:32.000 [warn] 14 connections have failed:
> Dec 21 16:35:32.000 [warn]  14 connections died in state connect()ing with SSL state (No SSL object)
> Dec 21 16:35:32.000 [warn] Problem bootstrapping. Stuck at 85%: Finishing handshake with first hop. (Connection refused; CONNECTREFUSED; count 16; recommendation warn; host 03DC081E4409631006EFCD3AF13AFAAF2B553FFC at 185.32.221.201:443)
> Dec 21 16:35:32.000 [warn] 15 connections have failed:
> Dec 21 16:35:32.000 [warn]  15 connections died in state connect()ing with SSL state (No SSL object)
> Dec 21 16:35:32.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
> Dec 21 16:35:33.000 [warn] Problem bootstrapping. Stuck at 90%: Establishing a Tor circuit. (Connection refused; CONNECTREFUSED; count 17; recommendation warn; host 1FA8F638298645BE58AC905276680889CB795A94 at 185.129.249.124:9001)
> Dec 21 16:35:33.000 [warn] 16 connections have failed:
> Dec 21 16:35:33.000 [warn]  16 connections died in state connect()ing with SSL state (No SSL object)
> Dec 21 16:35:33.000 [warn] Problem bootstrapping. Stuck at 90%: Establishing a Tor circuit. (Connection refused; CONNECTREFUSED; count 18; recommendation warn; host DAC825BBF05D678ABDEA1C3086E8D99CF0BBF112 at 185.73.220.8:443)
> Dec 21 16:35:33.000 [warn] 17 connections have failed:
> Dec 21 16:35:33.000 [warn]  17 connections died in state connect()ing with SSL state (No SSL object)
> Dec 21 16:35:33.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
> Dec 21 16:35:33.000 [notice] Bootstrapped 100%: Done
> 
> So - I get loads of CONNECTREFUSED whilst coming up (presumably because
> of the attack) and then come fully back online. 
IMO your Tor searches for guards and they are under load, gone or have
lost their guard flag. Finally you found a guard :)

[1]
https://lists.torproject.org/pipermail/tor-relays/2017-December/013839.html


-- 
Cheers, Felix
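The per-IP limits suggested in the reply above, plus the "harvest your own hostile IPs" step, as an added shell example (not code from Felix, mick or the Tor project). It assumes a Linux relay with iptables and its connlimit and hashlimit modules; ORPort 9001, the limit and burst values and the `ss` invocation are assumptions to adjust.

```shell
#!/bin/sh
# Added example for this thread; not code from Felix, mick or the Tor project.
# It turns the suggestion above into concrete Linux iptables rules for the
# relay's ORPort: at most CONNLIMIT concurrent connections per /32 source
# (slow DoS) and at most RATE new connections per second per source (fast
# DoS). Assumptions: iptables with the connlimit and hashlimit modules; the
# ORPort, limits and burst values used below are placeholders to tune.
# Rules are printed for review rather than applied; pipe into sh as root.

# usage: tor_orport_rules ORPORT CONNLIMIT RATE_PER_SEC BURST
tor_orport_rules() {
    port=$1
    conn=$2
    rate=$3
    burst=$4
    # Both limits match only SYNs (--syn), so established connections are
    # never cut; only new ones from an over-limit source are dropped.
    new="iptables -A INPUT -p tcp --dport $port --syn"
    # Fast DoS: more than RATE new connections/sec from one /32, allowing a
    # burst of BURST so a client retrying a few times is not penalised.
    echo "$new -m hashlimit --hashlimit-name tor-or-rate --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-above $rate/sec --hashlimit-burst $burst -j DROP"
    # Slow DoS: a /32 already holding CONNLIMIT connections to the ORPort.
    echo "$new -m connlimit --connlimit-above $conn --connlimit-mask 32 -j DROP"
    # Everything under both limits reaches Tor.
    echo "iptables -A INPUT -p tcp --dport $port -j ACCEPT"
}

# "Harvest your own hostile IPs": count established ORPort connections per
# peer. Reads the output of
#   ss -Htn state established '( sport = :9001 )'
# on stdin (assumed: peer address:port is the fourth field) and prints
# "COUNT IP" for every peer above THRESHOLD, busiest first.
# usage: busiest_sources THRESHOLD < ss-output
busiest_sources() {
    awk '{ print $4 }' \
      | sed 's/:[0-9]*$//; s/^\[//; s/\]$//' \
      | sort | uniq -c | sort -rn \
      | awk -v t="$1" '$1 > t+0 { print $1, $2 }'
}

# Stand-alone use: print the rules for ORPort 9001 with the numbers above.
if [ "${1:-}" = "rules" ]; then
    tor_orport_rules 9001 20 1 5
fi
```

Per-/32 limits also hit many real clients behind a shared NAT, so review the generated rules and the counts from `busiest_sources` before applying them and keep the numbers conservative.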

