[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Tor load averages, openssl performance and misc related questions -amd64-freebsd



     On Tue, 24 Nov 2009 11:40:00 -0500 Mike L <jackoroses@xxxxxxxxx>
wrote:
>I just recently started running an exit node (newbie) on a vps and have a
>few questions that I didn't seem to find googling.
>
>I am running tor-devel-0.2.2.5.alpha with
>openssh-portable-overwrite-base-5.2.p1_2,1 and privoxy 3.0.12 (plus fail2ba=

     Is openssh-portable-overwrite-base-5.2.p1_2,1 relevant in some way here?
tor now uses openssl-0.9.8l, but I don't know of any reason for it to use any
version of openssh.

>n
>python25) on freebsd 7.2 amd64 on a quad core 2.4 ghz c2d VPS
>
>The one issue that I'm a little perplexed on and I'm not really sure what i=
>t
>can be is my load averages. Nothing is running on the machine except what i=
>s
>required to run Tor.
>sendmail and bsnmpd does run but those processes couldn't account for the
>loads..
>An example is  1 user, load averages: 1.32, 0.81, 0.79
>The nic on the machine is re0 and I have enabled device polling in the
>kernel.
>The machine is pushing anywhere from 1-2.~ MB/s
>I understand the load will increase with the traffic yet these load avg's
>seem pretty high for that amount of traffic.  No errors are given about
>running out of open sockets and their is plenty of openfiles overhead for
>the system as well.
>I'm not sure if this is to be expected or if I can tune this VPS to ease th=
>e
>load a little more?
>My fbsd machine (7.2 amd64) here at home doesn't exhibit the same load when
>I hammer the network interface but it's a different nic and isn't a VPS..
>This all may be normal (load avg) but since this is the first time I am
>wading in the pool I thought I'd ask if anyone can confirm this is to be
>expected or if I should tune another system variable to try and lower my
>loads more.

     I'm not sure either, but it may well be normal.  My guess is that you
see fairly low CPU utilization at the same time, right?  Remember that load
averages are just the average numbers of processes in the run queue at the
instants sampled during the last minute, five minutes, and fifteen minutes.
They have little direct relation to CPU usage.

>Maybe relevant or not yet;
>I read one of the operators (blutmagie?) compiled openssl with icc and they
>saw some performance gain but it seems icc will not install on the amd64
>platform. I was curious to try that though. If there is some compiling
>options on the amd64 platform I can try I would be willing.

     Interesting.  You paid for it, downloaded it into /usr/ports/distfiles,
and then the installation via portmaster/portinstall failed?  If so, then
try posting to freebsd-ports@ or to the port maintainer for that port.  (You
do need to buy a license from Intel before you can install it.)
>
>Next; I am curious about privoxy, does anyone have it configured with their
>ip
>in the listen address or do they leave it as 127.0.0.1?
>listen-address 127.0.0.1:8118
>I would like to be able to connect to the machine directly myself, to hop
>onto the tor network,
>and this seems the place to do so. What vulnerabilities does one open up
>though by allowing anyone to connect to that? It's chained to Tor but again
>I'm not sure if that is such a good idea or not to open it. ( I originally
>had it configured to my machine ip and I could indeed connect to the Tor
>network but changed it back until I could hear feedback on this)

     I haven't done that, but it seems to me that if you use a private network
address with no NAT/RDR rules for it in your gateway, then it shouldn't be a
problem.  If you're really worried, of course, then you could add another
ipfw rule to block access from outside.
>
>One last question is..
>Is it normal for Tor nodes to get hammered with this in their web logs?
>client sent invalid method while reading client request line,
>"^SBitTorrentprotocol^@^@^@^@^@^P^@^EE=C0E=EDT+A=B0^U^R"
>I recorded over 2k of these hits in the first hour Tor was running. When I
>initially ran Tor
>I wasn't getting these, when I first logged into the VPS I wasn't getting
>these, I can't quite give an exact time frame when these started happening
>but it wasn't long after I had Tor running for about an hour and than these
>started coming and haven't stopped.

     What was your choice of ORPort?  Was it a port number commonly used by
BitTorrent clients?  Are the requests all coming from one IP address that
you could easily block?

>I actually shut down the web server because of the loads I'm currently
>experiencing and didn't want a connection every 3 seconds of this garbage.
>I understand people will run torrents through Tor but this doesn't seem to
>be the case, it appears that this VPS IP somehow was tied into a seed box
>somewhere at some time.
>Maybe it is an exploit and now that the IP is live everyone in china is
>trying for a fresh piece of meat..

     I keep net.inet.tcp.blackhole=2 in /etc/sysctl.conf to discourage
port scanners and other miscreants. :-)  More recently, I've added a generic
block rule with logging to my pf rules, and I've started keeping a window
open with a running display of the output in order to get a clearer picture
of where such stuff comes from.  As it happens, well over half of the blocked
connections do come from China, but the rest are from locations scattered
around the rest of the world.  Most of the attempts come from repeat offenders.
Because the SYN packets are blocked, the rest get dropped automatically without
logging.
>
>Here is some output, this is mostly httpd with some sshd connections thrown
>in.
>The bulk of these came in the first 15 minutes of the server starting and
>the web server automatically running before I could shut it down.
>ipfw show | grep 400 -c (400 being the rule for all of these connections)
>3311
> uptime
>11:14AM  up 18:38, 1 user, load averages: 0.60, 0.82, 0.82
>
>now here are some numbers when I start the web server back up in
>comparison..
> ipfw show | grep 400 -c
>3482
> uptime
>11:30AM  up 18:54, 1 user, load averages: 1.48, 0.97, 0.87
>those 100 extra bans all came in the whole 1:30 of running the server.
>
>That's all that I can think of for now that I have been wondering about for
>the last few days.
>
     Sorry I can't address more than I have above.  Best of luck with it.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************