[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] max TCP interruption before Tor circuit teardown?

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] max TCP interruption before Tor circuit teardown?
From: Dan Staples <danstaples@xxxxxxxxx>
Date: Sun, 03 Nov 2013 11:52:52 -0500
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 03 Nov 2013 11:55:14 -0500
In-reply-to: <527678F6.6080507@xxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <E1VcMIs-0005t3-HM@xxxxxxxxxxxxxxxxxxxxx> <52766B5D.8010502@xxxxxxxxx> <527678F6.6080507@xxxxxxxxxxxx>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0

I am also running on a Pi Model B, 512MB RAM. How are you logging SYNs?

On Sun 03 Nov 2013 11:25:26 AM EST, Gordon Morehouse wrote:
> ********* *BEGIN ENCRYPTED or SIGNED PART* *********
>
> Dan Staples:
>> This morning I got my first Tor traffic flood since upgrading to
>> 2.4.x. Logs didn't say anything about not being able to handle the
>> amount of circuit creation requests, but it showed a 200x increase
>> in active TAP circuits (~400k/hour) and the traffic pattern is the
>> same: Advertising 100kb bandwidth, but slammed with ~2Mb traffic.
>>
>> When I saw it, I checked my relay's flags, and it has the stable
>> flag, and has been tagged stable for at least 3 days. It's been up
>> for 7 days.
>>
>> I would love to contribute data to help correlate w/ your findings
>> Gordon. Any metrics or logs that would be particularly helpful? I
>> currently use NTop to measure traffic, but it's not very granular.
>
> I'm still trying to scratch together enough time to analyze the logs
> from the two floods I caught as they began in the past 10 days or so.
>  One thing I am logging, which you're definitely not, is hosts that
> send SYNs above the limit on my Raspberry Pi.  Are you running on a
> slow machine or a VPS or what?  That might not apply to you if you're
> not running on a slow machine - you may have no need to limit SYNs or
> anything else, and that's probably the case if your relay did not
> crash as a result of the flood.
>
> During my last two floods, the relay survived the first (poorly, with
> fail2ban becoming useless and chewing up half the CPU), and was
> headshotted by the second - crash in less than 5 minutes.
>
> I'm looking forward to getting the data together and providing a
> report for the community, but time ... my kingdom for the time to do
> anything beyond work, sleep, eat, sh*t.
>
>> I also currently don't use any iptables rules to throttle, but am
>> happy to experiment with that if you want me to try out any
>> particular configurations.
>
> Depends on the capacity of your hardware.  All my experimentation has
> to do with low-end ARM boards, so the logs most useful to the report
> *I* am planning to prepare on these events are logs of SYN exceeds,
> and fail2ban logs.
>
> Thanks very much for staying up to date and offering to contribute -
> there is a real problem someplace, but it seems to be mostly a Problem
> with a capital P for low-end hardware with 512MB physical RAM, since
> those are the relays likely to actually crash as a result of the floods.
>
> Best,
> -Gordon M.
>
>
>>
>> Dan
>>
>> On 11/01/2013 05:30 PM, Gordon Morehouse wrote:
>>> huh, well, near as I can tell, I didn't get Stable for any time
>>> represented yesterday (2013-10-31) for the node VastCatbox.
>>>
>>> So maybe that theory is incorrect.  In that case I don't know
>>> what would trigger the SYN flood behavior other than Roger's idea
>>> about becoming an introducer for a popular HS, but... eh... seems
>>> like a stretch, a node offering 2.5Mbps that isn't flagged
>>> Stable?
>>>
>>> -Gordon
>>>
>>> On Fri, 1 Nov 2013 13:10:17 +0100, David Serrano
>>> <tor@xxxxxxxxxxxx> wrote:
>>>
>>>> On 2013-10-31 10:04:02 (-0700), Gordon Morehouse wrote:
>>>>>
>>>>> I can't verify it, but my suspicion is this is happening when
>>>>> I get my Stable flag (I have no idea if I'd gotten it back
>>>>> this morning or not) or shortly thereafter.
>>>>
>>>> You can use https://metrics.torproject.org/relay-search.html
>>>> and enter your IP address to figure that out.
>>>>
>>>>
>>>> -- David Serrano GnuPG id: 280A01F9
>>>> _______________________________________________ tor-relays
>>>> mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx
>>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>>>
>>>
>>>
>>>
>>>>
> _______________________________________________
>>> tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx
>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>>>
>>
>
>
>
> ********** *END ENCRYPTED or SIGNED PART* **********
>
> _______________________________________________
> tor-relays mailing list
> tor-relays@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
>


--
http://disman.tl
OpenPGP key: http://disman.tl/pgp.asc
Fingerprint: 2480 095D 4B16 436F 35AB 7305 F670 74ED BD86 43A9
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] max TCP interruption before Tor circuit teardown?
  - From: Gordon Morehouse

References:
- Re: [tor-relays] max TCP interruption before Tor circuit teardown?
  - From: Gordon Morehouse
- Re: [tor-relays] max TCP interruption before Tor circuit teardown?
  - From: Dan Staples
- Re: [tor-relays] max TCP interruption before Tor circuit teardown?
  - From: Gordon Morehouse

Prev by Author: Re: [tor-relays] max TCP interruption before Tor circuit teardown?
Next by Author: Re: [tor-relays] Huge harrassment by Irdeto and IP-Echelon, 83 mails, in 2 weeks, need your help
Previous by thread: Re: [tor-relays] max TCP interruption before Tor circuit teardown?
Next by thread: Re: [tor-relays] max TCP interruption before Tor circuit teardown?
Index(es):
- Author
- Thread