
Re: another DirPort DoS attacker

     On Tue, 2 Sep 2008 09:44:14 -0600 "John Brooks" <aspecialj@xxxxxxxxx>
>That is odd; I don't see what purpose a DoS against a specific
>directory/node would serve (unless you were specifically attacking a
>connection routed through that node, or trying to use latency attacks). Is
>it an exit node? Could be retaliation from something a user did through your

     Yes, it is an exit for many, but not all, ports.
     I hadn't thought about the latency-testing angle, but it's conceivable,
I guess.  Mostly what it looks like is an attempt to a) clog the directory
mirror service and/or b) clog the whole Internet connection to my server.

>node by someone who doesn't understand tor, although choosing the directory
>port is a bit strange.
>Another option would be that it's completely unrelated to tor. What port is
>your directory on? If it's a common service/proxy port, it could be some

     It's on 443.

>exploit attempt or similar getting confused. It's a bit worrying if someone
>cares about attacking tor itself that much, in an abstract way.

     This is not the first incident I've reported.  (See archives for more
over the past year.)  Unfortunately, when I recently dumped the jerks that
I had been getting poor-quality service from for the past year, I failed to
write down all the filter rules I'd added to their router before I returned
it to them. :-]  There was rarely even a single connection attempt from any
of them anymore at that time, so I wasn't too concerned.  But that means I
now do not know whether this current trouble source is one of the older ones.
I don't recognize the host+domain name, though, so I suspect it is a new one.
     I would be very surprised to learn that my server is the only one being
hassled in this fashion, but I know there are many, many tor servers that
are not nearly as closely monitored for trouble by their operators as mine
is. :-)

>Chances are it's nothing too worrisome, though.

     In the sense that it may not be something being done intentionally, I
certainly hope you are right.  However, the disruptiveness of the attacks
does worry me because a concerted, distributed attack *could* be made
deliberately by an adversary with enough bandwidth to cripple the whole
tor network's operation.  And such an attack could be carried out relatively
cheaply.  It takes only a tiny bit of attacker transmit bandwidth to open
hundreds or thousands of connections, but it takes a great deal of server
transmit bandwidth to respond to them all.  Given that an awful lot of us
are bottlenecked by the transmit side of asymmetric Internet connections,
it looks like a real possibility.  Remember that I found 300-400 ESTABLISHED
TCP connections simultaneously from that one IP address, and new ones were
opening continually as fast as earlier ones were served and closed.  It
would be easy for someone to attack at least several servers at one time
from an inexpensive asymmetric link like ADSL, cable, etc., so someone
with real resources (e.g., government agencies) to have lots of small
computers with lots of cheap Internet connections could take a large
portion of us down in a matter of minutes and keep us that way as long as
they liked.  In that sort of attack, setting useful filter rules would be
nearly impossible because the source of the attack could be switched

                                  Scott Bennett, Comm. ASMELG, CFIAG
* Internet:       bennett at cs.niu.edu                              *
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
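The observation in the reply above (hundreds of ESTABLISHED connections to the DirPort from a single source, refilling as fast as they are served) is exactly the kind of thing an operator can check for automatically rather than by eyeballing netstat. The following is an added example, not code from the original thread or from Tor: it parses `netstat -an`-style TCP lines, counts ESTABLISHED connections per remote IP to a chosen local port, and flags sources over a threshold. The sample output is constructed here with documentation-range addresses, and the per-source threshold of 50 is an assumed value, not a figure from the message.

```python
import re
from collections import Counter

# Matches one TCP line of `netstat -an` output on Linux:
#   proto  recv-q  send-q  local-address  foreign-address  state
NETSTAT_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+([A-Z_]+)\s*$")


def build_sample(hog_ip="198.51.100.7", hog_count=350):
    """Constructed netstat output (not real data): one remote host holding
    hog_count ESTABLISHED connections to our port 443, plus ordinary traffic."""
    lines = ["Proto Recv-Q Send-Q Local Address           Foreign Address         State"]
    for i in range(hog_count):
        lines.append(f"tcp        0      0 192.0.2.10:443         {hog_ip}:{40000 + i}      ESTABLISHED")
    # A normal directory client with a single connection.
    lines.append("tcp        0      0 192.0.2.10:443         203.0.113.5:51234       ESTABLISHED")
    # Half-open and closing states should not count as served connections.
    lines.append("tcp        0      0 192.0.2.10:443         203.0.113.5:51235       TIME_WAIT")
    lines.append("tcp        0      0 192.0.2.10:443         203.0.113.8:51236       SYN_RECV")
    # Traffic to another local port (e.g. the OR port) is outside the check.
    lines.append("tcp        0      0 192.0.2.10:9001        203.0.113.9:33333       ESTABLISHED")
    lines.append("tcp6       0      0 :::443                 :::*                    LISTEN")
    return "\n".join(lines) + "\n"


def parse_netstat(text):
    """Yield (local_port, remote_ip, state) for each TCP line; skip the rest."""
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header, udp, unix sockets
        _, local, remote, state = m.groups()
        # rsplit on the last colon so IPv6 addresses like :::443 still split correctly.
        local_port_str = local.rsplit(":", 1)[1]
        if not local_port_str.isdigit():
            continue  # e.g. "*:*" wildcard entries
        remote_ip = remote.rsplit(":", 1)[0]
        yield int(local_port_str), remote_ip, state


def established_per_source(text, local_port=443):
    """Count ESTABLISHED connections per remote IP to the given local port."""
    counts = Counter()
    for port, remote_ip, state in parse_netstat(text):
        if port == local_port and state == "ESTABLISHED":
            counts[remote_ip] += 1
    return counts


def flag_hogs(text, local_port=443, threshold=50):
    """Return {remote_ip: count} for sources holding more than `threshold`
    ESTABLISHED connections to local_port. Threshold is an assumed value."""
    return {ip: n for ip, n in established_per_source(text, local_port).items()
            if n > threshold}


if __name__ == "__main__":
    # In practice: flag_hogs(subprocess.check_output(["netstat", "-an"], text=True))
    for ip, n in sorted(flag_hogs(build_sample()).items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} ESTABLISHED connections to port 443")
```

The state filter matters: TIME_WAIT and SYN_RECV entries inflate raw line counts but are not connections the server is spending transmit bandwidth on, so counting only ESTABLISHED gives a figure comparable to the one reported above. On Linux, a per-source ceiling can also be enforced in the firewall with the `connlimit` match (`iptables -A INPUT -p tcp --dport 443 -m connlimit --connlimit-above N -j REJECT`), which caps one source without needing a rule per offending host.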