[tor-relays] 1 circuit using 1.5Gig of ram? [0.3.3.2-alpha]

Stijn Jonker sjcjonker at sjc.nl
Mon Feb 12 19:09:35 UTC 2018


Hi all,

So in general 0.3.3.1-alpha-dev and 0.3.3.2-alpha running on two nodes 
without any connection limits on the iptables firewall seems to be a lot 
more robust against the recent increase in clients (or possible [D]DoS). 
But tonight for a short period of time one of the relays was running a 
bit "hot" so to say.

Only to be greeted by this log entry:
Feb 12 18:54:55 tornode2 Tor[6362]: We're low on memory (cell queues 
total alloc: 1602579792 buffer total alloc: 1388544, tor compress total 
alloc: 1586784 rendezvous cache total alloc: 489909). Killing circuits 
with over-long queues. (This behavior is controlled by MaxMemInQueues.)
Feb 12 18:54:56 tornode2 Tor[6362]: Removed 1599323088 bytes by killing 
1 circuits; 39546 circuits remain alive. Also killed 0 non-linked 
directory connections.
Feb 12 19:04:10 tornode2 Tor[6362]: Your network connection speed 
appears to have changed. Resetting timeout to 60s after 18 timeouts and 
1000 buildtimes.

So 1 Circuit being able to claim 1,5 gig of ram, now this seems a bit 
much. Whilst the DoS protection seems to do something (see below). Now 
this could be a new attack or just an error etc. However wouldn't some 
sort of fair memory balance between circuits be another mitigation 
factor to consider? Not saying it should be as strict as "circuit 
memory"/"# of circuits" but 99.x% of memory for one circuit feels wrong 
for a relay.

Feb 12 13:58:34 tornode2 Tor[6362]: DoS mitigation since startup: 910770 
circuits rejected, 10 marked addresses. 25972 connections closed. 324 
single hop clients refused.
Feb 12 19:58:34 tornode2 Tor[6362]: DoS mitigation since startup: 
1222320 circuits rejected, 12 marked addresses. 33359 connections 
closed. 402 single hop clients refused.

Thx,
Stijn
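
Added example, not part of the original post and not Tor project code: a small Python parser for the log lines quoted above that measures how much of the tracked memory an out-of-memory kill freed per circuit and how fast the DoS mitigation counters grew between two heartbeat lines. The function names, the thresholds in `lopsided`, and treating the sum of the four "total alloc" figures as the tracked total are assumptions made for this illustration.

```python
import re
from datetime import datetime

# Log lines copied from the post above, re-joined onto single lines and sorted by time.
SAMPLE_LOG = """\
Feb 12 13:58:34 tornode2 Tor[6362]: DoS mitigation since startup: 910770 circuits rejected, 10 marked addresses. 25972 connections closed. 324 single hop clients refused.
Feb 12 18:54:55 tornode2 Tor[6362]: We're low on memory (cell queues total alloc: 1602579792 buffer total alloc: 1388544, tor compress total alloc: 1586784 rendezvous cache total alloc: 489909). Killing circuits with over-long queues. (This behavior is controlled by MaxMemInQueues.)
Feb 12 18:54:56 tornode2 Tor[6362]: Removed 1599323088 bytes by killing 1 circuits; 39546 circuits remain alive. Also killed 0 non-linked directory connections.
Feb 12 19:58:34 tornode2 Tor[6362]: DoS mitigation since startup: 1222320 circuits rejected, 12 marked addresses. 33359 connections closed. 402 single hop clients refused.
"""

OOM = re.compile(r"cell queues total alloc: (\d+) buffer total alloc: (\d+), "
                 r"tor compress total alloc: (\d+) rendezvous cache total alloc: (\d+)")
KILL = re.compile(r"Removed (\d+) bytes by killing (\d+) circuits; (\d+) circuits remain alive")
DOS = re.compile(r"^(\w+ +\d+ [\d:]+) .*DoS mitigation since startup: (\d+) circuits rejected, "
                 r"(\d+) marked addresses\. (\d+) connections closed\. (\d+) single hop clients refused")

def analyze(log, year=2018):
    """Summarise OOM kills and DoS-mitigation counter growth in a Tor notice log."""
    oom_events, heartbeats, pending = [], [], None
    for line in log.splitlines():
        if m := OOM.search(line):
            pending = sum(map(int, m.groups()))  # assumed total: sum of the four figures
        elif (m := KILL.search(line)) and pending is not None:
            freed, killed, alive = map(int, m.groups())
            oom_events.append({
                "tracked_bytes": pending, "freed_bytes": freed, "killed": killed,
                "killed_share_of_circuits": killed / (killed + alive),
                "freed_share_of_memory": freed / pending,
            })
            pending = None
        elif m := DOS.search(line):
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            heartbeats.append((ts, *map(int, m.groups()[1:])))
    rates = []
    for (t0, *c0), (t1, *c1) in zip(heartbeats, heartbeats[1:]):
        hours = (t1 - t0).total_seconds() / 3600
        rates.append({"hours": hours,
                      "circuits_rejected_per_hour": (c1[0] - c0[0]) / hours,
                      "connections_closed_per_hour": (c1[2] - c0[2]) / hours})
    return oom_events, rates

def lopsided(oom_events, memory_share=0.9, circuit_share=0.001):
    """OOM events where a tiny fraction of circuits held most tracked memory (assumed thresholds)."""
    return [e for e in oom_events
            if e["freed_share_of_memory"] >= memory_share
            and e["killed_share_of_circuits"] <= circuit_share]
```

Syslog timestamps carry no year, so `analyze` takes one as a parameter; the counter rates are only meaningful between heartbeats of the same Tor process, since the counters restart with it.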