
Re: [tor-relays] Overload (dropped ntor) due to DDoS??



On Friday, August 5, 2022 1:11:27 AM CEST s7r wrote:
> Richard Menedetter wrote:

> > I have a non exit relay running on a root server (4 AMD Epyc cores, 8 GB
> > RAM, 2.5 GBit/s Ethernet) I have limited tor to numcpus 2,
Why? Do you have other services on the server? Otherwise, omit num CPU. Let 
the tor daemon use all CPUs for crypto stuff.

> > relaybandwidthburst 15 MB, hardwareaccel 1, maxadvertisedbandwidth 10 MB,
> > maxmeminqueues 3GB
> 
> Thanks for running a relay!
> 
> Didn't you also use RelayBandwidthRate along with RelayBandwidthBurst?
> 
> 
> > 
> > Usually it takes less than 1 CPU core, and like 1 GB of RAM.
> > But recently my relay is often shown as overloaded.
> > I have these LOG entries:
> > Tor[814]: General overload -> Ntor dropped (290376) fraction 5.3451% is
> > above threshold of 0.5000%
> 
> You are not the only one, it's an ongoing DoS attack on the network, 
> targeting onion services.
> 
> 
> > 
> > Is this due to DDoS attacks or a misconfiguration on my side?
> 
> 
> Besides the question above about RelayBandwidthRate I don't see anything 
> wrong.
> 
> 
> > Is there something that I can do to alleviate this issue?
> 
> 
> Nope, there is nothing you can do, unfortunately. Tor has some defenses 
> against DoS and will blacklist / mark the abusing addresses, etc. as 
> much as it can. But as you know DoS is a never ending battle, usually 
> won by having "larger pipe", and it's something hard to tickle in an 
> environment where anonymity is the grounding law.
> 
> What you can do is maintain your relay up and running in good shape with 
> the latest version of Tor until this "attack" gets through. As I said, I 
> guess most of relays are getting this at present times. The DoS "attack" 
> is not targeted at your relay, what you are seeing is just a side effect 
> of someone creating large amounts of circuits (heavy usage of Tor) which 
> is reflected network-wide anyways.
Sometimes 100.000-1.000.000 connections from one IP!
I block the worst with 2 nftables egress rules.

toralf has developed some smarter ddos scripts:
https://github.com/toralf/torutils


-- 
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!


_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
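
A log check for the "General overload -> Ntor dropped" message quoted in this thread, added here as an example; it is not code from the mail, from tor or from torutils. The syslog prefix, the second overload line and the heartbeat line in the sample are constructed, and the names `parse_overload_lines` and `summarize` are hypothetical.

```python
import re
from dataclasses import dataclass

# Message text as quoted in the thread; anything before "Tor[pid]:" is ignored.
NTOR_RE = re.compile(
    r"Tor\[(?P<pid>\d+)\]: General overload -> Ntor dropped \((?P<dropped>\d+)\) "
    r"fraction (?P<fraction>\d+(?:\.\d+)?)% is above threshold of "
    r"(?P<threshold>\d+(?:\.\d+)?)%"
)

@dataclass
class NtorOverload:
    pid: int
    dropped: int          # number in parentheses in the log line
    fraction_pct: float   # reported drop fraction, in percent
    threshold_pct: float  # threshold the relay compared against, in percent

    @property
    def times_over(self) -> float:
        """How many times the reported fraction exceeds the threshold."""
        return self.fraction_pct / self.threshold_pct

def parse_overload_lines(lines):
    """Return one NtorOverload per matching line; other lines are skipped."""
    events = []
    for line in lines:
        m = NTOR_RE.search(line)
        if m:
            events.append(NtorOverload(int(m["pid"]), int(m["dropped"]),
                                       float(m["fraction"]), float(m["threshold"])))
    return events

def summarize(events):
    """Count overload reports and pick out the worst one by drop fraction."""
    if not events:
        return {"events": 0, "worst_fraction_pct": 0.0, "worst_times_over": 0.0}
    worst = max(events, key=lambda e: e.fraction_pct)
    return {"events": len(events),
            "worst_fraction_pct": worst.fraction_pct,
            "worst_times_over": round(worst.times_over, 2)}

# Sample input: first message is the one from the thread; prefixes and the
# other two lines are constructed for this example.
SAMPLE_LOG = [
    "Aug 04 18:00:01 relay Tor[814]: General overload -> Ntor dropped (290376) fraction 5.3451% is above threshold of 0.5000%",
    "Aug 04 18:00:02 relay Tor[814]: Heartbeat: constructed filler line",
    "Aug 05 00:00:01 relay Tor[814]: General overload -> Ntor dropped (41210) fraction 0.9120% is above threshold of 0.5000%",
]

if __name__ == "__main__":
    print(summarize(parse_overload_lines(SAMPLE_LOG)))
```
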