Re: [tor-relays] CPU saturation attack/abuse
On Sun, Mar 4, 2018 at 7:06 PM, Toralf Förster <toralf.foerster@xxxxxx> wrote:
> On 03/04/2018 07:41 PM, Dhalgren Tor wrote:
>> the main event-worker thread
>> going from a normal load level of about 30%/core to 100%/core and
>> staying there for about 30 seconds;
> I do wonder if this is just the normal behaviour when - IIRC correctly - consensus documents are compressed before sending.
No chance whatsoever. Relay runs for months-on-end never exceeding
40% CPU. Have seen the same or a similar attack, twice before I
believe under 0.2.9.14. Just realized the ISP added some bugs to
their data graphs: in this case _ingress_ traffic is 3-4% higher than
egress (they reversed the labels along with breaking long-term
historical). Earlier observed a similar attack where _egress_ traffic
was 10-15% higher than ingress traffic.
What's interesting here is the crypto-worker threads are near zero
(normal) in contrast to circuit-extend attacks where the crypto
threads peg at 100%. Did see one brief, intense crypto-worker CPU
spike today but it's not characteristic of this event in general.
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays