[tor-relays] anyone else with this issue?

niftybunny abuse-contact at to-surf-and-protect.net
Tue Aug 25 19:35:08 UTC 2020


No clue what they are doing, but they max out the Exits with 100% CPU load and do not transport a lot of traffic:

https://imgur.com/a/NzpE69B

Around 16-21 there should be more traffic and this was DDOS time.

I am 100% sure it's not bogus traffic just sent to my IPs to max out my uplinks, because:

https://www.peeringdb.com/net/22652

you need at least 120 gigabit to kill my uplinks.

I love dull, I love dull sooooo much. I want to marry dull.

nifty



> On 25. Aug 2020, at 21:20, Roger Dingledine <arma at torproject.org> wrote:
> 
> On Tue, Aug 25, 2020 at 06:49:01PM +0000, John Ricketts wrote:
>> I as well.
>> 
>> On Aug 25, 2020, at 13:45, niftybunny <abuse-contact at to-surf-and-protect.net> wrote:
>> 
>> Daily DDOS love the last 14 days ...
> 
> Hi! Can you provide more details? From Nifty's picture it looks like
> they are full TCP connections? Do you have a sense of what they do
> when they connect?
> 
> And that would mean that they *aren't* packet-level ddoses, i.e. the
> "I fill up your network connection with packets so no other packets can
> get through" kind?
> 
> One of the strange things about working with things at the scale of the
> Tor network is that sometimes the combined behavior of many Tor processes
> can look like a DDoS. For example, maybe all of these connections come
> from out-of-date Tors that are now behaving bizarrely since the network
> now doesn't work the way their old logic expects.
> 
> We've also seen what looks like DDoS attempts on the directory
> authorities, but on closer examination they are some alternative Tor
> implementation that is running on many thousands of computers and is
> fetching Tor consensus documents in a way that isn't sustainable:
> https://gitlab.torproject.org/tpo/core/tor/-/issues/33018
> 
> There are also apparently some overloading attacks happening on some
> popular onion services currently, and I wonder if those are bleeding
> over into looking like many connections. Or, as we saw a few years ago
> when we added the "ddos defense subsystem" in Tor, the attacks didn't
> actually add much load, but it was when the onion services tried to scale
> up to tens of thousands of Tors, to be able to respond to every incoming
> rendezvous attempt, that those tens of thousands of Tors together looked
> like an attack on the network.
> 
> So: the next step would be to try to learn more about what these
> connections look like, where they're coming from, what they're doing, etc.
> 
> Also, if more people than just Nifty and John are seeing them.
> 
> Never a dull moment,
> --Roger
> 
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
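
An added example, not part of the thread or of Tor's own tooling: one way a relay operator could answer the quoted question of where the connections come from is to tally inbound TCP connections on the ORPort by peer address and by state from `ss -tn` output. The port 9001, the threshold, and the sample lines (documentation-range addresses) are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample in the column layout of `ss -tn`; not real relay data.
SAMPLE = """\
State      Recv-Q Send-Q Local Address:Port     Peer Address:Port
ESTAB      0      0      192.0.2.10:9001        198.51.100.7:40112
ESTAB      0      0      192.0.2.10:9001        198.51.100.7:40113
SYN-RECV   0      0      192.0.2.10:9001        198.51.100.7:40114
ESTAB      0      0      192.0.2.10:9001        203.0.113.5:51000
ESTAB      0      0      [2001:db8::10]:9001    [2001:db8::1]:443
ESTAB      0      0      192.0.2.10:22          203.0.113.9:60000
ESTAB      0      0      192.0.2.10:47000       203.0.113.77:9001
"""

def split_endpoint(endpoint):
    # "host:port" or "[v6addr]:port" -> (host, port); raises ValueError on "*:*".
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)

def summarize(ss_output, or_port):
    # Count connections whose LOCAL port is the ORPort (inbound to the relay).
    by_peer, by_state = Counter(), Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue  # header or malformed line
        state, local, peer = fields[0], fields[3], fields[4]
        try:
            _, local_port = split_endpoint(local)
            peer_host, _ = split_endpoint(peer)
        except ValueError:
            continue  # wildcard or unparsable endpoint
        if local_port != or_port:
            continue  # SSH, outbound relay-to-relay links, etc.
        by_peer[peer_host] += 1
        by_state[state] += 1
    return by_peer, by_state

def heavy_peers(by_peer, threshold):
    # Peers holding at least `threshold` concurrent connections, busiest first.
    return [(host, n) for host, n in by_peer.most_common() if n >= threshold]

if __name__ == "__main__":
    peers, states = summarize(SAMPLE, or_port=9001)
    print("states:", dict(states))
    print("heavy peers:", heavy_peers(peers, threshold=3))
```

On a live relay the same functions can be fed the captured text of `ss -tn` instead of `SAMPLE`.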
