[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Pretty sure our exit was being synflooded

To: <tor-relays@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: [tor-relays] Pretty sure our exit was being synflooded
From: tor@xxxxxxx
Date: Sun, 26 Nov 2017 11:59:39 -0500
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 26 Nov 2017 11:59:57 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=t-3.net; s=default; t=1511715584; bh=CklkYJ/OE3inxBU5SrmyC3lSdmRYQgJ7hBQqxxbuzgU=; h=From:To:Subject:Date; b=RftCGdD/qXWc2iGWYtbQfRtaDtrDNTdojLYbXWRVl3YTu88DXiHqMsE35+BG1dJB4 4iB03ByCybmUU95RU0NlrvB0LpZBO79ZhNneZ/zp+ta/z5BXwU9bCIdJHVLiIjwxMN oYI73ZmYTY62ZJkef7N9PZYEhGZ/M+Lcga2mPuXo=
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

I spoke too soon, it seems - the exit is struggling again, with sometime spent destroyed today.

As I look at what it's doing, it's clear that someone is relaying SYNpackets to random ports and also random destination addresses thataren't even alive. The destination hosts and ports continually vary -it never hits multiple destinations on 1 port, and it does not hitmultiple ports on 1 host. I presume it is an attack that is intendedto degrade this relay's service quality, or otherwise more broadly,degrade Tor.

I'm going to reject a few more trojan listen ports, it might help butit isn't a real fix.

My thought btw was for Tor to rate-limit syn scanning activity betweenthe client and the first onion router, with the function taking placein that first-hop router, not at the exit.




_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] Pretty sure our exit was being synflooded
  - From: teor

Prev by Author: [tor-relays] Pretty sure our exit was being synflooded.
Next by Author: Re: [tor-relays] Testers needed for Nyx beta release
Previous by thread: Re: [tor-relays] Pretty sure our exit was being synflooded
Next by thread: Re: [tor-relays] Pretty sure our exit was being synflooded
Index(es):
- Author
- Thread