[tor-relays] Massive CPU load on high capacity guard node

failing.flyaway443 at mailer.me failing.flyaway443 at mailer.me
Fri Nov 19 21:48:42 UTC 2021


First of all, thank you very much for your response!

> This is normal, HSDir flag is always gone after reboot or restart. Other flags
> remain after reboot or restart.
I know, it wouldn't even bother me if I lost the Guard flag.
The Tor network can decide whatever it wants to use my relay for.

> Many VMs with 1G are still throttled. You share the server bandwidth with all
> other VM customers.
This one is not. The hoster sells this machine as a "Root Server", it's actually
connected to a 2,5Gbit link. The 1Gbit speed is guaranteed, and before I
set up the relay I made multiple speed tests - I definitely get 1Gbit.

>> The problem is that I'm now relaying traffic at ~25MB/s, and whenever there
>> are spikes of over 30MB/s the CPU load on both cores (!) is very high. I'm
>> still moving ~5TB per day, that's a lot, I know. But there would be even
>> more possible with the internet connection of my server.

>~5TB per day ≈ 150 TB/month
> You usually don't even get that on a dedicated bare metal root server that
> costs $ 30-100 a month. One of my hosters limited bandwith to 300Mbit after
> 10TB of traffic.
I paid close attention to any limit rules, and there is one. But I'm unable
to break this rule: They limit my bandwidth to 200Mbit when I used more than
120TB of traffic within one month and at the same time (!) used more than
1Gbit bandwidth on average (!) for more than 60 minutes. I set
MaxAdvertisedBandwidth to 1000Mbit, so I will never get throttled by the
hoster.

> Uh, welcome to the club. ;-)
> Because of DDoS, I have had 40 cores at around 90% for weeks. Until 3 weeks
> ago the ixgbe driver was killed every 2-3 days. I hope I have solved the
> problem now.
Yeah, and this wasn't even a DDoS. If I don't change my config, then it's pretty
easy to shoot my server off the internet with a low-scale DDoS. And we
both know they do this, especially with high capacity Guard nodes...
I secured the server as well as I could before it went online, but there is no
real DDoS protection in place, and it seems I need it.

> The old stuff from their github?
> I would delete them again. You are in a VM and the torservers.net sysctl.conf
> settings are over 10 years old!
The old stuff from this mailing list. But you're right, that stuff was from 2010,
I will revert back to normal.

> I have iptables persistent on my guard servers. Sample rules:
> https://github.com/boldsuck/tor-relay-bootstrap/tree/master/etc/iptables
Thank you, I'll give that a try!

> If set, we will not advertise more than this amount of bandwidth
> for our BandwidthRate. Server operators who want to reduce the
> number of clients who ask to build circuits through them (since
> this is proportional to advertised bandwidth rate) can thus reduce
> the CPU demands on their server without impacting network performance
This will be my next step if the iptables rules have no effect.
At the moment I advertise 125 MiB, this is obviously very optimistic...
I have by far the fastest relay at this hoster in terms of bandwidth, but
that's nothing to be proud of if the relay crashes or is overloaded all
the time.

Thanks again for your suggestions!

All the best!
Elias
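Added example, not part of Elias's message and not Tor's own code: the post juggles three different bandwidth notions (the hoster's decimal 1Gbit link, the torrc value "1000Mbit", and the "125 MiB" that ends up advertised). The helper below applies the unit multipliers Tor's torrc parser uses, converts the result back to decimal Mbit/s, and picks the largest whole-MBytes MaxAdvertisedBandwidth that stays under a given link rate. Assumptions labelled here and in the code: Tor interprets both the "Bytes" and the "Bits" suffixes with binary (1024-based) prefixes, so "1 MBit" is 2**17 bytes; the function names and the 10% margin are mine.

```python
import re

# Bytes-per-second multipliers applied to torrc bandwidth values such as
# "1000 MBits" or "125 MBytes". Assumption for this example: Tor's config
# parser uses binary (1024-based) prefixes for both Bytes and Bits suffixes,
# so 1 MBit = 1 MByte / 8 = 2**17 bytes.
_UNITS = {
    "": 1, "b": 1, "byte": 1, "bytes": 1,
    "kb": 1 << 10, "kbyte": 1 << 10, "kbytes": 1 << 10,
    "kilobyte": 1 << 10, "kilobytes": 1 << 10,
    "kbit": 1 << 7, "kbits": 1 << 7, "kilobit": 1 << 7, "kilobits": 1 << 7,
    "m": 1 << 20, "mb": 1 << 20, "mbyte": 1 << 20, "mbytes": 1 << 20,
    "megabyte": 1 << 20, "megabytes": 1 << 20,
    "mbit": 1 << 17, "mbits": 1 << 17, "megabit": 1 << 17, "megabits": 1 << 17,
    "gb": 1 << 30, "gbyte": 1 << 30, "gbytes": 1 << 30,
    "gigabyte": 1 << 30, "gigabytes": 1 << 30,
    "gbit": 1 << 27, "gbits": 1 << 27, "gigabit": 1 << 27, "gigabits": 1 << 27,
}


def parse_tor_bandwidth(value: str) -> int:
    """Return the bytes/s Tor would derive from a torrc bandwidth value."""
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]*)\s*", value)
    if not m:
        raise ValueError(f"not a Tor bandwidth value: {value!r}")
    number, unit = int(m.group(1)), m.group(2).lower()
    if unit not in _UNITS:
        raise ValueError(f"unknown bandwidth unit in {value!r}")
    return number * _UNITS[unit]


def to_decimal_mbit(bytes_per_sec: int) -> float:
    """Convert bytes/s to the decimal Mbit/s a hoster's speed test reports."""
    return bytes_per_sec * 8 / 1_000_000


def fits_link(setting: str, link_mbit: float) -> bool:
    """True if a torrc value stays at or below a decimal link rate in Mbit/s."""
    return to_decimal_mbit(parse_tor_bandwidth(setting)) <= link_mbit


def max_advertised_for_link(link_mbit: float, margin: float = 0.9) -> str:
    """Largest whole-MBytes torrc value at or below margin * link rate.

    margin=0.9 (my choice, not a Tor default) leaves 10% headroom so a
    hoster's 'average above 1Gbit for 60 minutes' style rule is never hit
    by advertised capacity alone.
    """
    budget_bytes = link_mbit * 1_000_000 * margin / 8
    mbytes = int(budget_bytes // (1 << 20))
    return f"{mbytes} MBytes"


if __name__ == "__main__":
    # Constructed inputs mirroring the post: a torrc of "1000 MBits" on a
    # hoster link sold as a decimal 1 Gbit.
    for setting in ("1000 MBits", "125 MBytes"):
        bps = parse_tor_bandwidth(setting)
        print(f"{setting:>12} -> {bps} bytes/s = {to_decimal_mbit(bps):.3f} Mbit/s,"
              f" fits 1000 Mbit link: {fits_link(setting, 1000.0)}")
    print("MaxAdvertisedBandwidth", max_advertised_for_link(1000.0))
```

Run it and "1000 MBits" and "125 MBytes" come out as the same 131,072,000 bytes/s, i.e. about 1048.6 decimal Mbit/s: a torrc "1000Mbit" is already a few percent above a decimal 1Gbit line, which is why the relay shows up as 125 MiB/s. Whether a real Tor build matches the multiplier table here should be checked against the tor(1) man page for the version in use.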