
[tor-relays] Lawsuit threat over (unlikely?) SYN flood



Just as a heads up, I got a curt, vague lawsuit threat the other day out of the blue. The guy claimed my node IP took down his (unmentioned) e-commerce sites for some unspecified period of time through a SYN flood. The sites that I could find associated with his email address appeared still up and functional.

Since SYN floods can be spoofed, and since Tor nodes don't really have the resource amplification that typically makes them effective, I'm assuming it's probably just someone who forgot to take their meds for a while and/or who is just making things up to try to chill our tor node offline.

Just in case, here is what I sent in response. If anyone else hears from this guy, feel free to copy and paste.

----------------------------
It seems very unlikely that what you pasted here is due to our Tor router (unless it has been compromised?).

Our node is not capable of transmitting SYN packets on behalf of users fast enough to actually do damage. It is rather expensive for a tor client to generate this type of traffic, and a couple of protection mechanisms built into the tor router flow control slow this down. We would be very surprised if this attack actually came through our node, and actually brought down any of your services.

Unlike more direct attacks on your server at the application layer, SYN floods are possible to spoof. This packet could actually be coming from anywhere...

However, in either case, this attack should be simple to block. You can prevent the entire Tor network (not just our router) from sending you traffic by using this exported IP list to generate firewall rules to drop SYN packets: https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.2.3.4&port=80

If this is in fact a SYN flood attack, they may just switch spoofed source IPs on you, though, so an IP block is probably not what you want.

There are plenty of documents online that describe server parameters to help reduce the impact of this attack on your services, depending on your server OS. We recommend looking into them to better protect yourself and your customers.


Thanks
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
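The response above suggests two defensive steps: generating firewall rules from the exported Tor exit list to drop SYN packets, and tuning server parameters to blunt a SYN flood. The script below is an added example illustrating both; it is not code from the original post or from the Tor Project. It assumes a Linux host using iptables, a list with one IPv4 address per line in the format the TorBulkExitList export produces (the three addresses embedded here are a constructed sample from the RFC 5737 documentation ranges, not real exits), and port 80 as in the URL from the post. It only prints rules and sysctl settings; nothing is applied to the running system.

```shell
#!/bin/sh
# Added example (not from the original post): turn an exported Tor exit list
# into iptables rules that drop TCP SYN packets from those addresses to one
# port. Output is printed only; the firewall is never modified.
#
# The real list comes from the TorBulkExitList.py URL in the post; the
# addresses below are a constructed sample from RFC 5737 documentation ranges.

SAMPLE_EXIT_LIST='# Constructed sample, not a real exit list
192.0.2.10
198.51.100.7
not-an-ip
203.0.113.200
'

# gen_tor_syn_drop_rules PORT < list
# Reads one IPv4 address per line (comments, blank lines and malformed entries
# are skipped) and prints one iptables rule per address. --syn matches only the
# first packet of a handshake, so established connections are left alone.
gen_tor_syn_drop_rules() {
    port="$1"
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' |
    while IFS= read -r ip; do
        printf 'iptables -A INPUT -s %s -p tcp --dport %s --syn -j DROP\n' "$ip" "$port"
    done
}

# count_rules PORT < list: number of rules generated, for a quick sanity check
count_rules() {
    gen_tor_syn_drop_rules "$1" | wc -l | tr -d ' '
}

# syn_flood_sysctl: Linux kernel parameters of the kind the post alludes to.
# SYN cookies let the server keep accepting connections once the half-open
# backlog fills, which helps whether or not the source addresses are spoofed,
# so this matters more than any single IP block. Values are illustrative.
syn_flood_sysctl() {
    cat <<'EOF'
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 2
EOF
}

# Demonstration on the constructed sample
printf '%s' "$SAMPLE_EXIT_LIST" | gen_tor_syn_drop_rules 80
syn_flood_sysctl
```

To use it against a real export, replace the sample with the downloaded list (`curl` the URL from the post into a file and feed it on stdin). As the post notes, an IP block only helps if the SYN packets really originate from Tor exits; the sysctl part is the one that still applies when the sources are spoofed.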