
yet another DirPort attack



     This morning I found my tor server under attack once again via its
DirPort.  This time the offending IP address was 201.7.107.128, from which
there were 30-40 ESTABLISHED connections, each with ~31K-32K in their output
queues, and dozens more in TIME_WAIT, FIN_WAIT_1, or FIN_WAIT_2.  I gave tor
a SIGUSR2 and let it log its activity voluminously for several minutes,
while I added yet another packet-filtering rule to the router, and then
waited for the connections to disappear by attrition before sending SIGHUP.
     The resulting logged material consists primarily of lines like

Jan 03 08:44:56.560 [debug] conn_write_callback(): socket 31 wants to write.
Jan 03 08:44:56.629 [debug] conn_write_callback(): socket 82 wants to write.
Jan 03 08:44:56.681 [debug] conn_write_callback(): socket 89 wants to write.
Jan 03 08:44:56.709 [debug] conn_write_callback(): socket 121 wants to write.
Jan 03 08:44:56.739 [debug] conn_write_callback(): socket 39 wants to write.
Jan 03 08:44:56.790 [debug] conn_write_callback(): socket 42 wants to write.
Jan 03 08:44:56.913 [debug] conn_write_callback(): socket 52 wants to write.
Jan 03 08:44:56.943 [debug] conn_write_callback(): socket 88 wants to write.
Jan 03 08:44:57.033 [debug] conn_write_callback(): socket 99 wants to write.
Jan 03 08:44:57.172 [debug] conn_write_callback(): socket 46 wants to write.
Jan 03 08:44:57.174 [debug] conn_write_callback(): socket 46 wants to write.
Jan 03 08:44:57.174 [debug] conn_write_callback(): socket 89 wants to write.
Jan 03 08:44:57.302 [debug] conn_write_callback(): socket 114 wants to write.
Jan 03 08:44:57.363 [debug] conn_write_callback(): socket 39 wants to write.
Jan 03 08:44:57.363 [debug] conn_write_callback(): socket 39 wants to write.
Jan 03 08:44:57.364 [debug] conn_write_callback(): socket 39 wants to write.
Jan 03 08:44:57.364 [debug] conn_write_callback(): socket 39 wants to write.
Jan 03 08:44:57.473 [debug] conn_write_callback(): socket 82 wants to write.
Jan 03 08:44:57.516 [debug] conn_write_callback(): socket 122 wants to write.
Jan 03 08:44:57.519 [debug] conn_write_callback(): socket 43 wants to write.
Jan 03 08:44:57.554 [debug] conn_write_callback(): socket 121 wants to write.

These are interspersed occasionally with other messages, but nothing directly
related to the problem at hand in any way obvious to me.
     IIRC, it was Roger Dingledine who asked me the last time this happened
to get debug-level log output the next time it happened.  What I need to know
now is what to look for in the output and/or where to send the output.
     FWIW, a short time after the addition of the filter rule halted the
spurious activity, I took a look at the statistics applicable to the three
rules I have thus far added to deal with these attacks.  The two older ones
had stopped only a handful each of packets in the last day or so.  The one I
had just added had blocked 3140 incoming packets from the time the rule was
added till I checked it a while later.  It has now been over nine hours since
the rule was added, and the router now shows a blocked incoming packet count
of 10,643 packets.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
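As an added example (not code from the poster or from the Tor project), the following script shows one way to answer the "what to look for" question from the two kinds of evidence the message describes: it parses debug lines in the `conn_write_callback()` shape quoted above, reports which sockets draw the most write callbacks and which ones get hammered in short bursts, and summarises netstat-style output per remote IP (connection count, ESTABLISHED count, total Send-Q bytes). The log and netstat samples are constructed for the example, the netstat column layout assumed here is the common `Proto Recv-Q Send-Q Local Remote State` form, and the addresses are RFC 5737 documentation addresses rather than the IP in the post.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the same shape as the tor debug lines quoted in the
# post; socket numbers and the trailing [info] line are made up.
SAMPLE_LOG = """\
Jan 03 08:44:56.560 [debug] conn_write_callback(): socket 31 wants to write.
Jan 03 08:44:57.363 [debug] conn_write_callback(): socket 39 wants to write.
Jan 03 08:44:57.363 [debug] conn_write_callback(): socket 39 wants to write.
Jan 03 08:44:57.364 [debug] conn_write_callback(): socket 39 wants to write.
Jan 03 08:44:57.364 [debug] conn_write_callback(): socket 39 wants to write.
Jan 03 08:44:57.473 [debug] conn_write_callback(): socket 82 wants to write.
Jan 03 08:44:58.001 [info] connection_dir_process_inbuf(): unrelated message
"""

# Constructed netstat-style lines (RFC 5737 documentation addresses). The
# Send-Q column is the per-connection output queue the post talks about.
SAMPLE_NETSTAT = """\
tcp 0 31876 198.51.100.5:9030 192.0.2.10:40001 ESTABLISHED
tcp 0 32104 198.51.100.5:9030 192.0.2.10:40002 ESTABLISHED
tcp 0 0 198.51.100.5:9030 192.0.2.10:40003 TIME_WAIT
tcp 0 512 198.51.100.5:9030 203.0.113.7:51000 ESTABLISHED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \[(?P<level>\w+)\] (?P<msg>.*)$"
)
WRITE_RE = re.compile(r"conn_write_callback\(\): socket (?P<sock>\d+) wants to write\.")
NETSTAT_RE = re.compile(
    r"^tcp\s+(?P<recvq>\d+)\s+(?P<sendq>\d+)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)$"
)


def write_events(log_text):
    """Return a list of (timestamp_ms, socket) for every write-callback line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        w = WRITE_RE.search(m.group("msg"))
        if not w:
            continue
        # The log format carries no year; strptime fills in 1900, which is fine
        # because only ordering and differences within one run matter here.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S.%f")
        ms = (((ts.day * 24 + ts.hour) * 3600 + ts.minute * 60 + ts.second) * 1000
              + ts.microsecond // 1000)
        events.append((ms, int(w.group("sock"))))
    return events


def write_counts(log_text):
    """Number of write callbacks seen per socket."""
    return Counter(sock for _, sock in write_events(log_text))


def hot_sockets(log_text, min_writes):
    """Sockets with at least min_writes callbacks, busiest first."""
    return [(s, n) for s, n in write_counts(log_text).most_common() if n >= min_writes]


def burst_sockets(log_text, window_ms, min_events):
    """Sockets that got min_events write callbacks inside any window_ms span."""
    by_sock = defaultdict(list)
    for ms, sock in write_events(log_text):
        by_sock[sock].append(ms)
    bursty = set()
    for sock, times in by_sock.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window_ms:
                start += 1
            if end - start + 1 >= min_events:
                bursty.add(sock)
                break
    return sorted(bursty)


def remote_summary(netstat_text):
    """Per remote IP: total connections, ESTABLISHED connections, Send-Q bytes."""
    summary = defaultdict(lambda: {"conns": 0, "established": 0, "sendq": 0})
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        ip = m.group("remote").rsplit(":", 1)[0]
        entry = summary[ip]
        entry["conns"] += 1
        entry["sendq"] += int(m.group("sendq"))
        if m.group("state") == "ESTABLISHED":
            entry["established"] += 1
    return dict(summary)


if __name__ == "__main__":
    print("hot sockets:", hot_sockets(SAMPLE_LOG, 2))
    print("bursty sockets (100 ms window, >=3 events):", burst_sockets(SAMPLE_LOG, 100, 3))
    for ip, entry in remote_summary(SAMPLE_NETSTAT).items():
        print(ip, entry)
```

Run against a real debug log and a `netstat -an` capture, the socket numbers that `hot_sockets` and `burst_sockets` return are the ones to cross-reference with the remote addresses in the netstat summary, and a single remote IP holding many ESTABLISHED connections with full Send-Qs is the pattern the post describes.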