
possible DoS attack?



     In the last couple of days, I've noticed my tor server maxing out the
transmit side (~110-~115 KB/s) of my ADSL while typically using <10 KB/s of
the receive side, usually for long periods of time.  Curious about this oddity,
I began looking at netstat output more frequently to see what was up.  What I
found that seemed out of the ordinary was many dozens of connections to my
directory mirror port from 83.103.38.65 (fastweb65.ietnet.net), most with
32 KB or more in the output queue for the ethernet interface.  Occasionally,
these mostly go away for a while, and the transmit rate begins to fluctuate
more normally between <10 KB/s and, say, 60 KB/s, as traffic begins to adapt
to the increase in available bandwidth.  Often these breaks in the demand by
fastweb65.ietnet.net last no more than a couple of minutes before
fastweb65.ietnet.net resumes connecting and demanding directories at its
previous pace.
     83.103.38.65 does not appear in my cached-consensus or cached-descriptors*
files, so these are not simply tunneled directory connections from random
sites getting funneled through one tor server in Italy.
     Can anyone tell me whether this is legitimate activity or whether I should
begin blocking it at my router to encourage it to go away?


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
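
Added example, not part of the original post: one way to script the two checks described in the message, counting established connections to the directory port per remote address (with their output-queue sizes) and dropping any address that appears in the relay lists. It assumes Linux-style `netstat -tn` output; the local address 192.0.2.10, DirPort 9030, the relay entries and all function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in Linux `netstat -tn` layout (assumption; BSD netstat
# prints addr.port). 192.0.2.10 and DirPort 9030 are made-up values.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address      Foreign Address      State
tcp        0  33580 192.0.2.10:9030    83.103.38.65:41022   ESTABLISHED
tcp        0  34752 192.0.2.10:9030    83.103.38.65:41023   ESTABLISHED
tcp        0  12000 192.0.2.10:9030    83.103.38.65:41027   ESTABLISHED
tcp        0  40960 192.0.2.10:9030    83.103.38.65:41031   ESTABLISHED
tcp        0      0 192.0.2.10:9001    83.103.38.65:41040   ESTABLISHED
tcp        0  36000 192.0.2.10:9030    198.51.100.7:50112   ESTABLISHED
tcp        0  35000 192.0.2.10:9030    198.51.100.7:50113   ESTABLISHED
tcp        0  33000 192.0.2.10:9030    198.51.100.7:50114   ESTABLISHED
tcp        0  33000 192.0.2.10:9030    198.51.100.7:50115   ESTABLISHED
tcp        0   2048 192.0.2.10:9030    203.0.113.44:38210   ESTABLISHED
"""
# Constructed relay entries: a consensus "r" line and a descriptor "router" line.
SAMPLE_RELAYS = """\
r relayA AAAAAAAA BBBBBBBB 2000-01-01 00:00:00 198.51.100.7 9001 9030
s Fast Running V2Dir
router relayB 198.51.100.9 9001 0 9030
"""

def relay_ips(text):
    """Collect relay addresses from cached-consensus / cached-descriptors text."""
    ips = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 9 and f[0] == "r":         # r nick id digest date time IP OR Dir
            ips.add(f[6])
        elif len(f) >= 6 and f[0] == "router":  # router nick IP OR Socks Dir
            ips.add(f[2])
    return ips

def dirport_clients(netstat_text, dir_port, known_relays, min_conns=4, big_sendq=32 * 1024):
    """Return {ip: (connections, total Send-Q bytes, connections with Send-Q >= big_sendq)}
    for non-relay peers holding at least min_conns connections to dir_port."""
    stats = defaultdict(lambda: [0, 0, 0])
    for line in netstat_text.splitlines():
        f = line.split()
        if (len(f) < 6 or not f[0].startswith("tcp") or f[5] != "ESTABLISHED"
                or f[3].rpartition(":")[2] != str(dir_port)):
            continue
        s, sendq = stats[f[4].rpartition(":")[0]], int(f[2])
        s[0] += 1
        s[1] += sendq
        s[2] += 1 if sendq >= big_sendq else 0
    return {ip: tuple(s) for ip, s in stats.items()
            if s[0] >= min_conns and ip not in known_relays}
```

Run against successive netstat snapshots, the per-address totals show whether one non-relay client keeps reappearing with full output queues, which is the pattern the message describes.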