[tor-relays] Disparity between download and upload traffic

teor teor2345 at gmail.com
Tue Jan 3 05:13:53 UTC 2017 

> On 27 Dec 2016, at 03:47, Gage Parrott <gcparrott at gmail.com> wrote:
> 
> Morning, everyone,
> 
> I recently migrated my bridge relay over to a VM and everything seems to be working fine except for one oddity.  I consistently see lines like this in tor's log file on the new machine:
> 
> Dec 25 23:48:14.000 [notice] Heartbeat: Tor's uptime is 4 days 5:59 hours, with 43 circuits open. I've sent 1.78 GB and received 28.37 GB.
> Dec 25 23:48:14.000 [notice] Heartbeat: In the last 6 hours, I have seen 2 unique clients.
> Dec 26 05:48:14.000 [notice] Heartbeat: Tor's uptime is 4 days 11:59 hours, with 105 circuits open. I've sent 1.87 GB and received 29.24 GB.
> Dec 26 05:48:14.000 [notice] Heartbeat: In the last 6 hours, I have seen 2 unique clients.
> 
> Notice the amount of data sent and received.  Can anyone think of why there would be such a large discrepancy between the amount of traffic downloaded versus uploaded?  This behavior persists after reboots, as well.
> 
> I thought maybe it was downloading a ton of directory data, but is there really a GB's worth of directory data to download every six hours??  Also, the logs on my old machine (pre-migration, one line pasted below for reference) indicated that nearly the same amount of data was being sent as was being received.  Any ideas on why would this have changed?
> 
> Dec 07 06:02:03.000 [notice] Heartbeat: Tor's uptime is 4 days 6:12 hours, with 78 circuits open. I've sent 33.71 GB and received 33.47 GB.
> 
> Any help is greatly appreciated.  Thanks a bunch and merry Christmas!

It looks like you have very few clients.
Perhaps those clients have switched to using interactive protocols?
Or, more precisely, perhaps those clients are sending almost-empty
cells, and then receiving back almost-full cells in response?
(This could be an amplification attack, or simply lots of downloads.)

On the other hand, your bridge could be repeatedly asking for directory
documents. If this is the case, we'd *really* like to know what is
causing the issue. Please send more logs, at info-level if possible.

T

--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
------------------------------------------------------------------------



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20170103/85cb5842/attachment.sig>

More information about the tor-relays mailing list