
Re: peculiar server "bandwidth" posted by server "mnl" and possible new type of attack



Hi all, I am mnl's operator,

On Tue, Sep 09, 2008 at 05:15:15AM -0500, Scott Bennett wrote:
> 
>      Nearly 49 MB/s seems a bit of a stretch.  The server's operator sent me
> a note saying that the server is attached to the 1 GB/s campus backbone net,
> but it is attached via a 100 Mb/s router, so the reported data rate is four
> to five times the rate physically possible due to the router's limitation.
> The server, according to its operator, is running on a 2.6 GHz P4, and its
> descriptor says the machine is running LINUX.  Based upon postings quite a
> while back from blutmagie's operator and from a few other operators of very
> high-data-rate servers, it seems to me that a 2.6 GHz P4 (Northwood?) running
> LINUX would not be capable of handling a load eight to ten times that of
> blutmagie, regardless of its network connection's capacity.

Confirmed.

Yes, it is a P4 step C, Northwood.

>      That brings us back to something I've already posted on OR-TALK, namely,
> the apparent slowdown in tor traffic that has reduced the traffic through my
> tor server by at least 30% and, judging from the reduced peaks shown for a lot
> of the high-volume servers listed on the torstatus page, the tor network at
> large.  If this is actually what has been going on, then not only should the
> bug be tracked down and killed ASAP, it serves as a call to rethink the method
> of circuit route selection to find ways to prevent a reduction-in-throughput
> attack that could be made by almost any creep by setting up a corrupted relay.
> (mnl is not even an exit.)

The fact of not being an exit node would make it a better corrupted
relay? I mean, if I would like to DOS the Tor network I would be better
to set the trojan node as internal?

>      (deep breath) I want to state right now that I do not in any way
> whatsoever suspect mnl's operator of any nefarious activity.  I believe that
> he is at least as perplexed over his server's behavior as I am, especially
> given other information he provided about events over the weekend.  I do not

What happened this weekend is that I have not been able to reach that
box. Anyway now I recall clearly why I had the impression that it was
alive. Indeed ssh did receive something from it, it could not complete
the login for other reasons. The box being hosed by Tor, I can now
guess the sshd daemon was only very slow.

Regards,
Domenico

-----[ Domenico Andreoli, aka cavok
 --[ http://www.dandreoli.com/gpgkey.asc
   ---[ 3A0F 2F80 F79C 678A 8936  4FEE 0677 9033 A20E BC50
