[tor-relays] DoS attacks -- status update

Georg Koppen gk at torproject.org
Fri Oct 28 15:06:47 UTC 2022


Hello everyone!

It's been a while since we last provided an update on this mailing 
list about our ongoing work fighting several DoS attacks.

We can use the attached graph about detected overload over the last 
couple of months to show what is going on and what we do/plan to do 
about it.

The first noteworthy incident on that graph is the sharp rise in 
overloaded non-exit nodes since the middle of July caused by a drop of 
onionskins[1] which the relay's available CPU/memory can't handle 
anymore. There are currently two ideas we are working on to cope with 
such a flood of onionskins:

1. Developing a Proof of Work (PoW) system to have a rate-limitation knob 
rejecting the load of onionskins while letting legitimate ones 
through.[2] We still need to solve some design issues (feel free to 
help!) but hope to have that feature integrated into Tor soon.

2. Relay operators started to experiment with iptables/nftables rules 
and having the right ones available might be a good stopgap approach 
against the onionskin related DoS. We are coordinating that effort[3], 
so we have something available to propose to the wider community, which 
is kept up-to-date and limits the risks of traffic overblocking. Feel 
free to help as well with that effort.

The other noteworthy incident started around September 13 when exit 
nodes began to get overloaded (while the other DoS was and is still 
ongoing). Unfortunately, that exit related DoS is heavily impacting our 
users' experience as can be seen in our OnionPerf data[4]. While we are 
still investigating the nature of that DoS attack, it turns out that 
blocking particular IP addresses with ExitPolicy rules seems to help on 
exit nodes this is tested on. The Artikel10 exit node operators even 
provided a script recently[5] to help with that (much appreciated, thanks!). 
This approach is highly experimental at this point and it might help us 
at least to come up with an actual design idea to counter that 
particular exit DoS.

Thanks,
Georg

[1] For information about overload in general and what "drop of 
onionskins" means, see: 
https://support.torproject.org/relay-operators/#relay-bridge-overloaded. 
It also contains a guide on how to enable MetricsPort monitoring 
yourself so you see the actual metrics of your own relay.
[2] https://gitlab.torproject.org/tpo/core/tor/-/issues/40634
[3] https://gitlab.torproject.org/tpo/community/support/-/issues/40093
[4] https://metrics.torproject.org/torperf.html
[5] https://lists.torproject.org/pipermail/tor-relays/2022-October/020848.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: overload-general-relays-0510-1027.png
Type: image/png
Size: 82127 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20221028/1fb9574c/attachment-0001.png>