
Re: [tor-talk] Isolating a hidden service hit by DDOS

On Wed, Nov 26, 2014 at 10:21 PM, Cyrus <cyrus_the_great@xxxxxxxxxx> wrote:
> I have a problem involving a shared server hosting many hidden services.
> One of the hidden services is being attacked and this is causing the tor
> daemon to use 100% CPU. I am quite sure the attack is just a DDOS flood.
> What I can't seem to figure out is how to isolate which hidden service
> is being attacked so I can disable it. I have tried enabling the info
> log but it doesn't seem to contain the information I need. The debug log
> is a quagmire, and I don't know what to look for.
> Please tell me what to search for in the debug log.

If you are unable to use webserver logs to pull the onion from (vhost
by host header or tcp port), or no data is being sent, you could
probably watch control port with:
 usefeature extended_events
 usefeature verbose_names
 setevents circ
And look for lots of PURPOSE=HS* counts by onion.
And similar by descriptor id / onion in debug log,
rend-spec.txt doc in torspec.git may help with that.

Maybe we're golden... :)
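
Added example (not part of the original message): one way to do the per-onion tally suggested above, counting distinct circuits with a PURPOSE=HS* value from `650 CIRC` control-port events. It assumes the events carry the REND_QUERY field that control-spec.txt defines for hidden-service circuits; the sample lines, onion names and relay fingerprints are constructed placeholders.

```python
import re
from collections import Counter

# Constructed control-port output; onion names and fingerprints are placeholders.
FP = "$" + "A" * 40
SAMPLE = f"""\
650 CIRC 101 LAUNCHED BUILD_FLAGS=IS_INTERNAL,NEED_CAPACITY PURPOSE=HS_SERVICE_REND HS_STATE=HSSR_CONNECTING REND_QUERY=aaaaaaaaaaaaaaaa
650 CIRC 101 BUILT {FP}=relayA,{FP}~relayB PURPOSE=HS_SERVICE_REND HS_STATE=HSSR_JOINED REND_QUERY=aaaaaaaaaaaaaaaa
650 CIRC 102 LAUNCHED PURPOSE=HS_SERVICE_REND HS_STATE=HSSR_CONNECTING REND_QUERY=aaaaaaaaaaaaaaaa
650 CIRC 103 LAUNCHED PURPOSE=HS_SERVICE_REND HS_STATE=HSSR_CONNECTING REND_QUERY=aaaaaaaaaaaaaaaa
650 CIRC 201 BUILT {FP}~relayC PURPOSE=HS_SERVICE_INTRO HS_STATE=HSSI_ESTABLISHED REND_QUERY=bbbbbbbbbbbbbbbb
650 CIRC 301 BUILT {FP}~relayD PURPOSE=GENERAL
250 OK
"""

# KEYWORD=value tokens only. Path entries such as "$FP=nick" also contain
# "=", but start with "$", so they are not mistaken for fields.
KEYWORD = re.compile(r"^([A-Z_]+)=(.*)$")


def parse_circ_event(line):
    """Return (circuit_id, status, fields) for a '650 CIRC' line, else None."""
    parts = line.split()
    if len(parts) < 4 or parts[:2] != ["650", "CIRC"]:
        return None
    fields = {}
    for token in parts[4:]:
        match = KEYWORD.match(token)
        if match:
            fields[match.group(1)] = match.group(2)
    return parts[2], parts[3], fields


def hs_circuits_by_onion(lines, purpose_prefix="HS_"):
    """Count distinct hidden-service circuits per REND_QUERY (onion) value."""
    onion_for_circuit = {}
    for line in lines:
        event = parse_circ_event(line)
        if event is None:
            continue
        circ_id, _status, fields = event
        # A circuit emits several events (LAUNCHED, BUILT, ...); key on its
        # id so each circuit is counted once. Events without REND_QUERY
        # cannot be attributed to an onion and are skipped.
        if fields.get("PURPOSE", "").startswith(purpose_prefix) and "REND_QUERY" in fields:
            onion_for_circuit[circ_id] = fields["REND_QUERY"]
    return Counter(onion_for_circuit.values())


if __name__ == "__main__":
    for onion, count in hs_circuits_by_onion(SAMPLE.splitlines()).most_common():
        print(f"{count:6d}  {onion}.onion")
```
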