[tor-relays] Overload (dropped ntor) due to DDoS??

Richard Menedetter ricsi at gmx.at
Fri Aug 5 09:25:53 UTC 2022


Hi

Thanks for the explanation.
I have 0.4.7.8 and try to run the latest version.

So it seems the overload is entirely due to the DDoS and not my config.
I have removed the maxadvertised bandwidth limit, it will now again send the measured value instead of being limited to 10 MB.

I have these limits:
RelayBandwidthRate 15 MB
RelayBandwidthBurst 30 MB
BandwidthRate 50 MB
NumCPUs 2
MaxMemInQueues 3072 MB

CU, Ricsi

> Sent: Friday, 05 August 2022 at 01:11
> From: "s7r" <s7r at sky-ip.org>
> To: tor-relays at lists.torproject.org
> Subject: Re: [tor-relays] Overload (dropped ntor) due to DDoS??
>
> Richard Menedetter wrote:
> > Hi All
> >
> > I have a non exit relay running on a root server (4 AMD Epyc cores, 8 GB RAM, 2.5 GBit/s Ethernet)
> > I have limited tor to numcpus 2, relaybandwidthburst 15 MB, hardwareaccel 1, maxadvertisedbandwidth 10 MB, maxmeminqueues 3GB
>
> Thanks for running a relay!
>
> Didn't you also use RelayBandwidthRate along with RelayBandwidthBurst?
>
> >
> > Usually it takes less than 1 CPU core, and like 1 GB of RAM.
> > But recently my relay is often shown as overloaded.
> > I have these LOG entries:
> > Tor[814]: General overload -> Ntor dropped (290376) fraction 5.3451% is above threshold of 0.5000%
>
> You are not the only one, it's an ongoing DoS attack on the network,
> targeting onion services.
>
> >
> > Is this due to DDoS attacks or a misconfiguration on my side?
>
> Besides the question above about RelayBandwidthRate I don't see anything
> wrong.
>
> > Is there something that I can do to alleviate this issue?
>
> Nope, there is nothing you can do, unfortunately. Tor has some defenses
> against DoS and will blacklist / mark the abusing addresses, etc. as
> much as it can. But as you know DoS is a never ending battle, usually
> won by having "larger pipe", and it's something hard to tackle in an
> environment where anonymity is the grounding law.
>
> What you can do is maintain your relay up and running in good shape with
> the latest version of Tor until this "attack" gets through. As I said, I
> guess most of relays are getting this at present times. The DoS "attack"
> is not targeted at your relay, what you are seeing is just a side effect
> of someone creating large amounts of circuits (heavy usage of Tor) which
> is reflected network-wide anyways.
>
> >
> > CU, Ricsi