[tor-relays] Server under attack according to my hoster

William Kane ttallink at googlemail.com
Fri Jan 22 19:56:34 UTC 2021


I get around 6-8k PPS on my node pushing around 65-70MBit/s - 450k
seems (very) excessive even though your node has 6 times the capacity
and load of my node.

I constantly see other relay operators complaining about D(D)oS
attacks on this mailing list, so this could be a legitimate attack.

Could you use iptraf to check for a single offender sending lots of packets?

iptraf wouldn't really help if the attack is distributed across
thousands of different source addresses, but if there's only a few
obvious offenders, ask the Hetzner support team to block these
addresses before being routed to your server, they have a system
similar to OVH's VAC so maybe that is already taking care of it.

However, traffic reaching your server shouldn't be filtered all the
time as there is a (sometimes not so) small amount of false-positives
which also get blocked.

I had this issue while I still hosted a node at OVH, during an attack
legitimate clients / nodes would get blocked as well, and node traffic
dropped from its usual 14MB/s to below 9MB/s.

Quote from their page:

"Our automated system recognizes almost all attack patterns in
advance, allowing it to block the attacks and effectively thwart the
vast majority of them."

It is enabled by default for every customer it seems.

A bit off-topic, but consider changing your host to a very unpopular
one - Hetzner hosts almost 10% of all Tor nodes.

Network variety is very important.

William

2021-01-22 17:04 GMT, lists.torproject.org at stein-io.de
<lists.torproject.org at stein-io.de>:
> Hi folks,
>
> I have a dedicated Server running with the red H in Germany.
> https://metrics.torproject.org/rs.html#details/1CD48F4ED0F1821FFBF1940802A13EEFD4C27502
>
> Today I received a notification that my server is "under attack" since
> my server got over the threshold of 300k packets/s. At the time of the
> mail it seems to be about 450k pps.
>
> I checked a couple of IPs and most of them are other TOR-Relays or Exits.
>
> Would you recommend telling my Hoster that everything is all fine?
>
> Cheers
>
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
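
The triage discussed in this message (a few heavy sources versus a distributed flood, and how much of the inbound traffic comes from other relays), as an added example that is not part of the original e-mail. It assumes the packets were captured as `tcpdump -nn` text lines rather than viewed in iptraf; the addresses, the relay set and the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Shape of a `tcpdump -nn` line: "<time> IP <src>[.port] > <dst>[.port]: ..."
LINE_RE = re.compile(r"^\S+ IP6? (\S+) > (\S+): ")

def strip_port(token):  # tcpdump prints addr.port; ICMP lines carry no port
    try:
        return str(ipaddress.ip_address(token))
    except ValueError:
        return str(ipaddress.ip_address(token.rsplit(".", 1)[0]))

def summarize(lines, my_ip, relay_ips, top_n=2):
    """Count inbound packets per source and measure concentration and relay share."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            src, dst = strip_port(m.group(1)), strip_port(m.group(2))
        except ValueError:
            continue  # unparseable address, skip the line
        if dst == my_ip:
            counts[src] += 1
    total = sum(counts.values())
    top = counts.most_common(top_n)
    relay_pkts = sum(c for ip, c in counts.items() if ip in relay_ips)
    return {
        "total": total,
        "sources": len(counts),
        "top_share": sum(c for _, c in top) / total if total else 0.0,
        "relay_share": relay_pkts / total if total else 0.0,
        "non_relay_top": [(ip, c) for ip, c in top if ip not in relay_ips],
    }

# Constructed sample (documentation address ranges), not real capture data.
MY_IP = "198.51.100.5"
RELAYS = {"192.0.2.10", "192.0.2.11"}  # assumed to come from the Tor consensus
SAMPLE = (
    ["12:00:00.1 IP 203.0.113.77.40000 > 198.51.100.5.9001: Flags [S], length 0"] * 6
    + ["12:00:00.2 IP 192.0.2.10.443 > 198.51.100.5.9001: Flags [.], length 514"] * 2
    + ["12:00:00.3 IP 192.0.2.11.9001 > 198.51.100.5.51000: Flags [P.], length 514",
       "12:00:00.4 IP 198.51.100.5.9001 > 192.0.2.10.443: Flags [.], length 0",
       "12:00:00.5 IP 203.0.113.9 > 198.51.100.5: ICMP echo request, length 64"]
)

if __name__ == "__main__":
    print(summarize(SAMPLE, MY_IP, RELAYS))
```

A high `top_share` with entries in `non_relay_top` points at a few sources worth reporting to the hoster, while a high `relay_share` means blanket filtering would mostly hit legitimate relay traffic.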

