[tor-talk] Isolating a hidden service hit by DDOS

grarpamp grarpamp at gmail.com
Thu Nov 27 09:34:10 UTC 2014


On Wed, Nov 26, 2014 at 10:21 PM, Cyrus <cyrus_the_great at riseup.net> wrote:
> I have a problem involving a shared server hosting many hidden services.
> One of the hidden services is being attacked and this is causing the tor
> daemon to use 100% CPU. I am quite sure the attack is just a DDOS flood.
>
> What I can't seem to figure out is how to isolate which hidden service
> is being attacked so I can disable it. I have tried enabling the info
> log but it doesn't seem to contain the information I need. The debug log
> is a quagmire, and I don't know what to look for.
>
> Please tell me what to search for in the debug log.

If you are unable to use webserver logs to pull the onion from (vhost
by host header or TCP port), or no data is being sent, you could
probably watch the control port with:
 usefeature extended_events
 usefeature verbose_names
 setevents circ
And look for lots of PURPOSE=HS* counts by onion.
And similarly by descriptor id / onion in the debug log;
the rend-spec.txt doc in torspec.git may help with that.

Maybe we're golden... :)
btc:1BubrXURMMEtzNNzhifNRpnxwUPANGeSR
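
One way to do the per-onion counting suggested above, as an added example that is not part of the original post: it tallies distinct circuits with a PURPOSE=HS_* value per onion from captured "setevents circ" output. It assumes the onion address appears in the REND_QUERY field of each CIRC event; the event lines, onion names and relay fingerprints are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample of control-port output after "setevents circ".
# Onion names, circuit ids and fingerprints are made up for this example.
SAMPLE_EVENTS = """\
650 CIRC 101 LAUNCHED PURPOSE=HS_SERVICE_REND HS_STATE=HSSR_CONNECTING REND_QUERY=aaaaaaaaaaaaaaaa
650 CIRC 101 BUILT $0000000000000000000000000000000000000001=relayA PURPOSE=HS_SERVICE_REND HS_STATE=HSSR_JOINED REND_QUERY=aaaaaaaaaaaaaaaa
650 CIRC 102 LAUNCHED PURPOSE=HS_SERVICE_REND HS_STATE=HSSR_CONNECTING REND_QUERY=aaaaaaaaaaaaaaaa
650 CIRC 103 LAUNCHED PURPOSE=HS_SERVICE_REND HS_STATE=HSSR_CONNECTING REND_QUERY=aaaaaaaaaaaaaaaa
650 CIRC 104 BUILT $0000000000000000000000000000000000000002=relayB PURPOSE=HS_SERVICE_INTRO HS_STATE=HSSI_ESTABLISHED REND_QUERY=bbbbbbbbbbbbbbbb
650 CIRC 105 BUILT $0000000000000000000000000000000000000003=relayC PURPOSE=GENERAL
650 STREAM 7 NEW 0 example.invalid:80 PURPOSE=USER
"""

# KEY=value tokens; a verbose-name path starts with "$" and so never matches.
KEYWORD = re.compile(r"^([A-Z_]+)=(\S*)$")

def parse_circ_event(line):
    """Return the fields of one '650 CIRC' line as a dict, or None."""
    parts = line.split()
    if len(parts) < 4 or parts[0] != "650" or parts[1] != "CIRC":
        return None
    fields = {"ID": parts[2], "STATUS": parts[3]}
    for token in parts[4:]:
        match = KEYWORD.match(token)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields

def hs_circuits_by_onion(lines):
    """Count distinct circuits per (onion, purpose). A circuit emits several
    events (LAUNCHED, EXTENDED, BUILT, ...), so key on the circuit id."""
    seen = {}
    for line in lines:
        event = parse_circ_event(line)
        if event and event.get("PURPOSE", "").startswith("HS_") and "REND_QUERY" in event:
            seen[event["ID"]] = (event["REND_QUERY"], event["PURPOSE"])
    return Counter(seen.values())

def busiest_onion(lines):
    """Return (onion, circuit_count) for the onion with the most HS circuits."""
    totals = Counter()
    for (onion, _purpose), count in hs_circuits_by_onion(lines).items():
        totals[onion] += count
    return totals.most_common(1)[0] if totals else None

if __name__ == "__main__":
    for (onion, purpose), count in hs_circuits_by_onion(SAMPLE_EVENTS.splitlines()).most_common():
        print(f"{count:6d}  {onion}  {purpose}")
```
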

