[tor-relays] Pretty sure our exit was being synflooded

tor at t-3.net tor at t-3.net
Sun Nov 26 16:59:39 UTC 2017


I spoke too soon, it seems - the exit is struggling again, with some 
time spent destroyed today.

As I look at what it's doing, it's clear that someone is relaying SYN 
packets to random ports and also random destination addresses that 
aren't even alive. The destination hosts and ports continually vary - 
it never hits multiple destinations on 1 port, and it does not hit 
multiple ports on 1 host. I presume it is an attack that is intended 
to degrade this relay's service quality, or otherwise more broadly, 
degrade Tor.

I'm going to reject a few more trojan listen ports, it might help but 
it isn't a real fix.

My thought btw was for Tor to rate-limit SYN scanning activity between 
the client and the first onion router, with the function taking place 
in that first-hop router, not at the exit.
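
The traffic shape described in the message above (every half-open connection going to a different host and a different port) can be told apart from an ordinary port scan or a single-port sweep by counting distinct peers. This is an added example, not code from the poster or from Tor; the sample input is constructed in the shape of `ss -tn state syn-sent` output, and the function names and thresholds are assumptions chosen for illustration.

```python
# Constructed sample, shaped like `ss -tn state syn-sent` output on an exit.
# Addresses are documentation ranges (RFC 5737), not real observations.
SAMPLE = """\
Recv-Q Send-Q Local Address:Port  Peer Address:Port
0      1      203.0.113.10:40112  198.51.100.7:6667
0      1      203.0.113.10:40113  198.51.100.93:31337
0      1      203.0.113.10:40114  192.0.2.14:12345
0      1      203.0.113.10:40115  192.0.2.201:27374
0      1      203.0.113.10:40116  198.51.100.180:1243
0      1      203.0.113.10:40117  192.0.2.66:54320
"""


def parse_peers(text):
    """Return (host, port) taken from the peer column of each data row."""
    peers = []
    for line in text.splitlines():
        fields = [f for f in line.split() if ":" in f]
        if len(fields) < 2 or not fields[-1].rsplit(":", 1)[-1].isdigit():
            continue  # header line or malformed row
        host, port = fields[-1].rsplit(":", 1)
        peers.append((host, int(port)))
    return peers


def classify(peers, min_samples=5, threshold=0.9):
    """Label the shape of a set of half-open outbound connections.

    min_samples and threshold are illustrative assumptions, not tuned values.
    """
    n = len(peers)
    if n < min_samples:
        return "insufficient-data"
    host_ratio = len({h for h, _ in peers}) / n  # share of distinct hosts
    port_ratio = len({p for _, p in peers}) / n  # share of distinct ports
    if host_ratio >= threshold and port_ratio >= threshold:
        return "scattered"  # no host and no port repeats, as in the post
    if host_ratio >= threshold:
        return "many-hosts-few-ports"  # one port swept across many hosts
    if port_ratio >= threshold:
        return "many-ports-few-hosts"  # many ports probed on one host
    return "mixed"


if __name__ == "__main__":
    print(classify(parse_peers(SAMPLE)))
```

The label describes only the shape of the connection set; an exit's normal traffic also produces varied destinations, so it is useful as a trend over time rather than as a verdict on a single snapshot.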




