[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: another seeming attack on my server's DirPort



On Dec 19, 2007 12:46 AM, Scott Bennett <bennett@xxxxxxxxxx> wrote:
    A little while ago, I added another filter rule to the router here to
stop an apparently endless, rapid-fire series of directory requests hitting
my tor server's DirPort from 125.35.9.66, which appears to be in China.  The
last time I reported this type of thing, you may recall, it came from a site
in Italy.  The symptom, like the last time, was that output rate on my
machine's main Ethernet interface was running steadily around the transmit
rate limit imposed by my ADSL line.  dig(1) shows:

; <<>> DiG 9.3.4-P1 <<>> -x 125.35.9.66 any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 63929
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;66.9.35.125.in-addr.arpa.      IN      ANY

;; AUTHORITY SECTION:
9.35.125.in-addr.arpa.  10800   IN      SOA     ns.bta.net.cn. root.ns.bta.net.cn . 2006020501 28899 7200 604800 86400

;; Query time: 351 msec
;; SERVER: 66.225.32.4#53(66.225.32.4)
;; WHEN: Wed Dec 19 02:40:29 2007
;; MSG SIZE  rcvd: 96

    Is anyone else having this kind of trouble, regardless of the apparent
origin(s) of the attack(s)?  I don't mind legitimate requests for directory
service tying up all or nearly all of my available output bandwidth, but I
do object to morons conducting a DoS attack to keep others from getting
directory service from my tor servers directory mirror.  If others are also
finding their tor servers being hit like this, then perhaps we need to think
up an automated way to deny directory service to abusers in order to put a
stop to such activity.


                                 Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************


This is just a theory, no hard facts to back it up.
When I'm messing around with Tor's ControlPort, I've noticed that my Tor traffic just hangs until whatever I'm doing on the ControlPort stops.  There have been a couple of times where I do something very wrong on the controlport and Tor just "freezes" (does not route any traffic) until I close my connection with the ControlPort.   I'm wondering if the same is true for when someone is fetching descriptors from the DirPort?

Does Tor traffic "freeze" (not route traffic) until the Dirport completes its task?

Next guess...
If someone where to be attacking, oh say, a hidden service, and your node was the Introduction Point for that hidden service, then perhaps someone is trying to force the owner of the hidden service to choose a new introduction point.

What is the uptime of your node? 
Have you typically been running it for a long time?
If someone is DoSing your Dirport, why not just turn it off?

BTW, the SOA for your DIG request, ns.bta.net.cn (202.96.0.133), had a direct match on http://cryptome.org/nsa-ip-update13.htm
Just thought you should know...