
Re: another DirPort DoS attacker





>      A short time ago, I found that 212.205.53.212 had several hundred open
> TCP connections to my tor server's DirPort, and very little relay traffic
> seemed to be getting past all of that.  I've now taken steps to prevent such
> connections from that IP address.  (That IP address has the name
> sahrsmtp03.cosmote.gr.)  Other tor server operators may (or may not) wish to
> follow suit.

I'm running the Tor directory behind Apache's proxy_http so I can run
the Tor DirPort and Apache2 with SSL on port 443. Yesterday I noticed in the
logs that someone (e198212.upc-e.chello.nl - 213.93.198.212) was making several
connections per second to the DirPort. That someone tried to use the
CONNECT method to connect to several other servers. The server responded 500
every time (Internal error or something), but that did not stop the
DoSing, which had been going on for hours. I'm not logging typical
connections to the DirPort, only odd ones.

I wrote a fail2ban filter to catch him and others doing the same. I'm
not sure what the attacker tried to gain with such a method; the attacks
always came from the same IP, and ten connections per second isn't enough to
bring the server down. Also, he could not get a connection via the
CONNECT method anywhere through the HTTP proxy; he only got error messages.


M
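The poster's fail2ban filter is not included in the message; the following is an added example (not the poster's code) that reproduces the same idea in Python: match refused CONNECT requests in Apache combined-format access logs in front of the DirPort, apply fail2ban-style maxretry/findtime counting per client IP, and return the IPs that would be banned. The log lines, IPs and hostnames are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined-log line with a CONNECT request (constructed format), e.g.
#   198.51.100.7 - - [02/Sep/2008:10:00:00 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 500 535 "-" "-"
# CONNECT_RE plays the role of a fail2ban failregex; the "host" group is fail2ban's <HOST>.
CONNECT_RE = re.compile(
    r'^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"CONNECT (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_connect_attempts(lines):
    """Yield (ip, timestamp, target, status) for CONNECT requests the proxy refused.
    A 2xx status would mean the proxy actually tunnelled the request, so those are skipped."""
    for line in lines:
        m = CONNECT_RE.match(line)
        if not m or m.group("status").startswith("2"):
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        yield m.group("host"), ts, m.group("target"), int(m.group("status"))

def ips_to_ban(lines, maxretry=10, findtime=60):
    """fail2ban-style sliding window: an IP is banned once it reaches `maxretry`
    refused CONNECT attempts within `findtime` seconds."""
    window = timedelta(seconds=findtime)
    seen = defaultdict(list)
    banned = set()
    for ip, ts, _target, _status in parse_connect_attempts(lines):
        seen[ip] = [t for t in seen[ip] if ts - t <= window] + [ts]  # keep only recent hits
        if len(seen[ip]) >= maxretry:
            banned.add(ip)
    return banned

def _log_line(ip, ts, request, status):
    """Build one constructed Apache combined-log line for the demo."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{request}" {status} 535 "-" "-"'

# Constructed sample log: one client hammering CONNECT, one ordinary directory fetch
# plus a single stray CONNECT from a second client.
BASE = datetime(2008, 9, 2, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [_log_line("198.51.100.7", BASE + timedelta(milliseconds=100 * i),
               "CONNECT mail.example.net:25 HTTP/1.0", 500) for i in range(12)]
    + [_log_line("203.0.113.9", BASE, "GET /tor/status/all HTTP/1.0", 200)]
    + [_log_line("203.0.113.9", BASE + timedelta(seconds=5), "CONNECT x.example.net:443 HTTP/1.1", 500)]
)
```

Feeding a real access log through `ips_to_ban` gives the set of client addresses that a fail2ban jail with the same maxretry and findtime would ban.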