[tor-relays] can dirport be disabled on fallback directory?

starlight.2017q4 at binnacle.cx starlight.2017q4 at binnacle.cx
Sun May 20 16:52:59 UTC 2018

On May 20, 2018 10:08:17 UTC, gustavo <gfa at zumbi.xyz> wrote:
>On May 18, 2018 4:25:23 PM UTC, starlight.2017q4 at binnacle.cx wrote:
>>Lately seeing escalating abuse traffic on the relay dirport, now up to
>>20k rotating source IP addresses per week.
>How do you detect it?

FIRST: your relays are not impacted by this issue because
DirPort is disabled in their configuration.  So you can
stop reading here if you like.

>Will tor log it in the logs where I can look for
>it or do you monitor the TCP/IP stack ?
>I run two relays (milanese one of them) besides basic
>OS level monitoring I don't monitor much else.
>I wonder if I should monitor more or what to search for
>in logs (I run my relays without logs since I don't
>have an use for)

Simply perusing the /var/log/messages log lines for
the relay on occasion should be sufficient for most
operators.  The daemon will complain about many if
not all important problems.


For those with DirPort configured, one can check for the
problem by looking at the 'state' file with the command

   egrep '^BWHistory.*WriteValues' state

and calculating the percent BWHistoryDirWriteValues is
relative to BWHistoryWriteValues for the same samples.
Should be under 5%, more like 1-3%.  If 15% the attacker
is harassing your relay.

This particular abuse scenario can be mitigated by
applying an 'iptables -m limit' rule set to incoming
DirPort connection requests


by disabling DirPort in the config since clear-text
DirPort is no longer required for the Tor network to
function properly.  Those running FallBack directories
should probably send an update to this list if they
apply this change as I belive the FallBackDir script
excludes relays where ports differ from the whitelist
or have changed in OnionOO historical data.

More information about the tor-relays mailing list