Re: Declining traffic

     On Fri, 23 Apr 2010 15:51:59 +0200 Sebastian Hahn <mail@xxxxxxxxxxxxxxxxx>
>On Apr 23, 2010, at 3:21 PM, Timo Schoeler wrote:
>> thus Brian Mearns spake:
>>> Any chance your ISP is throttling you?
>> 100% *not*.
>Another possibility would be that your relay is heavily
>overloaded. See the big thread on tor-relays about
>the problems and potential solutions [0].
     Sebastian, there was something that looked very much like a botnet
attack running for two or three hours this a.m.  It seems to have stopped
now.  I had shut down my machine to install operating system updates.
When all that was finished and I finally brought the system back up, for
some unknown reason, pf did not start.  (As if there were not going to be
enough confusion as things already were.  Sigh.)  As soon as I noticed pf
wasn't running, I started it manually and loaded a block list.  But pftop
continued to pour forth log entries of illicit connection attempts from
untold numbers of IP addresses and to scads of different TCP port numbers.
I kept stopping and starting the logging, so that I could see the log
entries long enough to add the addresses to that block list.  I eventually
got crosseyed from adding somewhere between 200 and 300 IP addresses to
the list. :-(  When I then let the logging continue, it had stopped
getting any new stuff to log.
     It was very intense while it lasted, but in the larger scheme of
things, it was of very short duration for a coordinated attack.  I doubt
that my system was the onlyt tor relay being attacked.  In fact, I think
the attack began a short time after my node appeared in the consensus,
although at this point I can't prove it.
     What I would like to know is how many systems were attacked this
a.m. in that manner,  were only systems running tor relays attacked,
who shut it off, etc.  If anyone else on this list noticed anything between
5:00 a.m. CDT and 8:00 a.m. CDT, please post the details here.  Thanks!

