[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: another seeming attack on my server's DirPort
On Wed, 19 Dec 2007 13:44:09 -0800 "Kyle Williams"
<kyle.kwilliams@xxxxxxxxx> wrote:
>On Dec 19, 2007 12:46 AM, Scott Bennett <bennett@xxxxxxxxxx> wrote:
>
>> A little while ago, I added another filter rule to the router here to
>> stop an apparently endless, rapid-fire series of directory requests
>> hitting
>> my tor server's DirPort from 125.35.9.66, which appears to be in China.
>> The
>> last time I reported this type of thing, you may recall, it came from a
>> site
>> in Italy. The symptom, like the last time, was that output rate on my
>> machine's main Ethernet interface was running steadily around the transmit
>> rate limit imposed by my ADSL line. dig(1) shows:
>>
>> ; <<>> DiG 9.3.4-P1 <<>> -x 125.35.9.66 any
>> ;; global options: printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 63929
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;66.9.35.125.in-addr.arpa. IN ANY
>>
>> ;; AUTHORITY SECTION:
>> 9.35.125.in-addr.arpa. 10800 IN SOA ns.bta.net.cn.
>> root.ns.bta.net.cn. 2006020501 28899 7200 604800 86400
>>
>> ;; Query time: 351 msec
>> ;; SERVER: 66.225.32.4#53(66.225.32.4)
>> ;; WHEN: Wed Dec 19 02:40:29 2007
>> ;; MSG SIZE rcvd: 96
>>
>> Is anyone else having this kind of trouble, regardless of the apparent
>> origin(s) of the attack(s)? I don't mind legitimate requests for
>> directory
>> service tying up all or nearly all of my available output bandwidth, but I
>> do object to morons conducting a DoS attack to keep others from getting
>> directory service from my tor servers directory mirror. If others are
>> also
>> finding their tor servers being hit like this, then perhaps we need to
>> think
>> up an automated way to deny directory service to abusers in order to put a
>> stop to such activity.
>>
>This is just a theory, no hard facts to back it up.
>When I'm messing around with Tor's ControlPort, I've noticed that my Tor
>traffic just hangs until whatever I'm doing on the ControlPort stops. There
>have been a couple of times where I do something very wrong on the
>controlport and Tor just "freezes" (does not route any traffic) until I
>close my connection with the ControlPort. I'm wondering if the same is
>true for when someone is fetching descriptors from the DirPort?
>
>Does Tor traffic "freeze" (not route traffic) until the Dirport completes
>its task?
No, but throughput surely slows down because it has to compete with the
directory mirror outflow.
>
>Next guess...
>If someone where to be attacking, oh say, a hidden service, and your node
>was the Introduction Point for that hidden service, then perhaps someone is
>trying to force the owner of the hidden service to choose a new introduction
>point.
I have no idea.
>
>What is the uptime of your node?
>Have you typically been running it for a long time?
It is usually less than one day, thanks to the crappy ISP I signed up
with.
>If someone is DoSing your Dirport, why not just turn it off?
If we all did that, then where would we get directory service?
>
>BTW, the SOA for your DIG request, ns.bta.net.cn (202.96.0.133), had a
>direct match on http://cryptome.org/nsa-ip-update13.htm
>Just thought you should know...
>
I still don't understand the thinking of those people. I have no reason
to believe that the Chinese government is allowing the NSA to control IP
addresses allocated to, and served inside, China. It makes no sense at all,
and leads me to conclude that the whole list is worthless.
Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet: bennett at cs.niu.edu *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good *
* objection to the introduction of that bane of all free governments *
* -- a standing army." *
* -- Gov. John Hancock, New York Journal, 28 January 1790 *
**********************************************************************