[tor-relays] Relay DDoS attack?

Peter Rogers peter.rogers at gmail.com
Sat Oct 14 05:59:04 UTC 2017


Hi!

I've been running a Tor non-exit node at my business for a few months now.
So far it's been great! Except yesterday, when I noticed my internet was at
a crawl. I traced the problem back to a large number of inbound connections
that completely overwhelmed my little router (4096 connections, the
configured limit). All the connections were being made to my Tor relay from
outside IPs. The Tor log file was filling with this:

Oct 13 14:21:29.000 [warn] assign_to_cpuworker failed. Ignoring.
Oct 13 14:21:29.000 [warn] assign_to_cpuworker failed. Ignoring.
Oct 13 14:21:30.000 [warn] Your computer is too slow to handle this many
circuit creation requests! Please consider using the MaxAdvertisedBandwidth
config option or choosing a more restricted exit policy. [1779 similar
message(s) suppressed in last 60 seconds]

I shut down the relay, then eventually disconnected my internal network from
the router hoping the traffic would slow. It continued for maybe another
2-3 hours until I finally unplugged the router and left for the weekend.

I was able to capture some of the traffic and found most of it originated
from other Tor (non-exit) relay nodes. In a 5 minute sample there were some
170,000 SYN packets sent by some 4000+ unique IPs. I used a script to check
the collected IPs against the list of known Tor nodes and they're almost
all Tor (non-exit) relays.

Hopefully it auto-fixes itself when I'm back at work Monday morning. But
mostly I'm curious to know what's going on. Anybody encounter a situation
like this?
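
The triage described in the message (count inbound SYNs per source, then check the sources against a list of known relays) can be sketched as follows. This is an added example, not the poster's script: the tcpdump -nn text format, ORPort 9001, the function name triage_syns and all addresses (documentation ranges) are assumptions, and the capture lines and relay set are constructed.

```python
import re
from collections import Counter

# tcpdump -nn text line for a TCP SYN (Flags [S]); the SYN-ACK form [S.] is not matched.
SYN_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.\d+ > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[S\],"
)

def triage_syns(lines, relay_ip, or_port, known_relays):
    """Count inbound SYNs to relay_ip:or_port per source address and split
    the sources into known Tor relays and everything else."""
    per_source = Counter()
    for line in lines:
        m = SYN_RE.search(line)
        if m and m["dst"] == relay_ip and int(m["dport"]) == or_port:
            per_source[m["src"]] += 1
    relays = {ip for ip in per_source if ip in known_relays}
    return {
        "syn_total": sum(per_source.values()),
        "unique_sources": len(per_source),
        "relay_sources": len(relays),
        "relay_share": len(relays) / len(per_source) if per_source else 0.0,
        "non_relay": sorted(set(per_source) - relays),
        "top_talkers": per_source.most_common(3),
    }

# Constructed sample capture: 203.0.113.10:9001 stands in for the relay's ORPort.
SAMPLE_CAPTURE = """\
14:21:29.000101 IP 198.51.100.7.44312 > 203.0.113.10.9001: Flags [S], seq 1, win 29200, length 0
14:21:29.000202 IP 198.51.100.7.44313 > 203.0.113.10.9001: Flags [S], seq 2, win 29200, length 0
14:21:29.000303 IP 198.51.100.8.51000 > 203.0.113.10.9001: Flags [S], seq 3, win 29200, length 0
14:21:29.000404 IP 203.0.113.10.9001 > 198.51.100.8.51000: Flags [S.], seq 9, ack 4, win 28960, length 0
14:21:29.000505 IP 192.0.2.55.40000 > 203.0.113.10.9001: Flags [S], seq 5, win 1024, length 0
14:21:29.000606 IP 198.51.100.9.40001 > 203.0.113.10.22: Flags [S], seq 6, win 1024, length 0
""".splitlines()

# Constructed stand-in for a relay address list (one address per entry).
KNOWN_RELAYS = {"198.51.100.7", "198.51.100.8", "198.51.100.9"}

if __name__ == "__main__":
    report = triage_syns(SAMPLE_CAPTURE, "203.0.113.10", 9001, KNOWN_RELAYS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A high relay_share with few SYNs per source looks different from a handful of hosts sending most of the SYNs, so top_talkers and non_relay are worth reading together.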