[tor-relays] Log warning : possible (zlib) compression bomb on middle relays

Paul Geurts paulus at pollekeg.com
Mon Nov 2 20:42:20 UTC 2020


same here,

my 4 relays (guards) all had this log entry, with one of them the log
entries are spread over a quarter of an hour (2 tor instances running on
this one):
(this one is on Central European time zone, CET)

Nov  2 05:15:22 : Possible compression bomb; abandoning stream.
Nov  2 05:15:23 : message repeated 2 times: [ Possible compression bomb;
abandoning stream.]
Nov  2 05:16:21 : Possible zlib bomb; abandoning stream.
Nov  2 05:16:21 : Possible compression bomb; abandoning stream.
Nov  2 05:17:21 : Possible zlib bomb; abandoning stream.
Nov  2 05:17:21 : Possible compression bomb; abandoning stream.
Nov  2 05:19:21 : message repeated 5 times: [ Possible compression bomb;
abandoning stream.]
Nov  2 05:19:21 : Possible zlib bomb; abandoning stream.
Nov  2 05:19:21 : Possible zlib bomb; abandoning stream.
Nov  2 05:20:21 : Possible compression bomb; abandoning stream.
Nov  2 05:22:21 : message repeated 4 times: [ Possible compression bomb;
abandoning stream.]
Nov  2 05:22:21 : Possible zlib bomb; abandoning stream.
Nov  2 05:22:21 : Possible compression bomb; abandoning stream.
Nov  2 05:23:21 : Possible zlib bomb; abandoning stream.
Nov  2 05:23:21 : Possible compression bomb; abandoning stream.
Nov  2 05:23:21 : Possible compression bomb; abandoning stream.
Nov  2 05:24:21 : Possible zlib bomb; abandoning stream.
Nov  2 05:24:21 : Possible compression bomb; abandoning stream.
Nov  2 05:24:21 : Possible compression bomb; abandoning stream.
Nov  2 05:25:21 : Possible compression bomb; abandoning stream.
Nov  2 05:26:21 : message repeated 3 times: [ Possible compression bomb;
abandoning stream.]
Nov  2 05:26:21 : Possible zlib bomb; abandoning stream.
Nov  2 05:26:23 : Possible compression bomb; abandoning stream.
Nov  2 05:27:21 : Possible compression bomb; abandoning stream.
Nov  2 05:29:39 : Possible compression bomb; abandoning stream.
Nov  2 05:29:44 : message repeated 3 times: [ Possible compression bomb;
abandoning stream.]




gr. Paul


On Mon, Nov 2, 2020 at 9:28 PM Chris Dagdigian <dag at sonsorol.org> wrote:

> Same on my US exit relay:
>
> Nov 02 04:03:50.000 [warn] Possible zlib bomb; abandoning stream.
> Nov 02 04:03:50.000 [warn] Possible zlib bomb; abandoning stream.
>
>
>
>
> Christoph Graf <christoph at links-nett.ch>
> November 2, 2020 at 11:59 AM
>
> Same here on my bridge:
>
> Nov  2 06:21:04 raspipfupf Tor[2556]: Possible zlib bomb; abandoning
> stream.
> Nov  2 06:21:04 raspipfupf Tor[2556]: Possible zlib bomb; abandoning
> stream.
>
> Time is UTC+1, nothing before and after
>
> Cheers, Christoph
> On 02.11.20 11:05, Guinness wrote:
>
>
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> Guinness <guinness at crans.org>
> November 2, 2020 at 5:05 AM
> Hi all,
>
> We are at least 3 users running middle relays from 0.4.4.5 and after having
> some logs like those:
> ```
> Nov 02 05:30:55.000 [warn] Possible compression bomb; abandoning stream.
> Nov 02 05:30:55.000 [warn] Possible zlib bomb; abandoning stream.
> Nov 02 05:30:56.000 [warn] Possible compression bomb; abandoning stream.
> Nov 02 05:31:00.000 [warn] Possible compression bomb; abandoning stream.
> Nov 02 05:31:00.000 [warn] Possible compression bomb; abandoning stream.
> Nov 02 05:31:00.000 [warn] Possible compression bomb; abandoning stream.
> Nov 02 05:31:55.000 [warn] Possible compression bomb; abandoning stream.
> Nov 02 05:31:56.000 [warn] Possible compression bomb; abandoning stream.
> ```
>
> I'm wondering if this is an attack or a new feature (haven't checked
> yet) but I'd like to know how many users are impacted.
>
> The interesting information is:
> * Number of warnings
> * What kind of relay it is (middle, exit, entry)
>
> After your answers, I'll complete the issue I have opened on the bug
> tracker.
>
>
> Cheers,
>
>
>
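
One way to produce the warning count asked for in the thread, as an added example that is not part of any poster's message: it tallies the two warning strings across the log layouts quoted above, rejoins mail-wrapped lines, and expands syslog's "message repeated N times" entries. The sample input is constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Timestamp at line start: "Nov  2 05:15:22" (syslog) or "Nov 02 04:03:50.000" (Tor).
TS = re.compile(r"^(?P<minute>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}):\d{2}(?:\.\d+)?\s")
BOMB = re.compile(r"Possible (?P<kind>zlib|compression) bomb; abandoning stream\.")
REPEAT = re.compile(r"message repeated (?P<n>\d+) times: \[")

# Constructed sample in the layouts quoted in this thread (not real relay logs).
SAMPLE = """\
Nov  2 05:15:22 : Possible compression bomb; abandoning stream.
Nov  2 05:15:23 : message repeated 2 times: [ Possible compression bomb;
abandoning stream.]
Nov  2 05:16:21 : Possible zlib bomb; abandoning stream.
> Nov 02 04:03:50.000 [warn] Possible zlib bomb; abandoning stream.
> Nov  2 06:21:04 host Tor[1234]: Possible zlib bomb; abandoning
> stream.
Nov  2 06:22:00 host sshd[99]: unrelated line
"""

def unwrap(text):
    """Strip '>' mail quoting and rejoin entries that were wrapped in transit."""
    entries = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).rstrip()
        if not line:
            continue
        if TS.match(line) or not entries:
            entries.append(line)            # a new timestamped entry
        else:
            entries[-1] += " " + line.lstrip()  # continuation of the previous one
    return entries

def tally(text):
    """Return (warnings per kind, warnings per minute) as two Counters."""
    kinds, minutes = Counter(), Counter()
    for entry in unwrap(text):
        ts, bomb = TS.match(entry), BOMB.search(entry)
        if not (ts and bomb):
            continue
        rep = REPEAT.search(entry)
        # A "message repeated N times" entry stands for N further occurrences.
        n = int(rep.group("n")) if rep else 1
        kinds[bomb.group("kind")] += n
        minutes[" ".join(ts.group("minute").split())] += n
    return kinds, minutes

if __name__ == "__main__":
    kinds, minutes = tally(SAMPLE)
    print(dict(kinds), dict(minutes))
```

Counting lines with `grep -c` instead would undercount whenever syslog has collapsed repeats into a single entry.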