
Re: another DirPort DoS attacker

>      A short time ago, I found that had several hundred open
> TCP connections to my tor server's DirPort, and very little relay traffic
> seemed to be getting past all of that.  I've now taken steps to prevent such
> connections from that IP address.  (That IP address has the name
> sahrsmtp03.cosmote.gr.)  Other tor server operators may (or may not) wish to
> follow suit.

I'm running the Tor directory behind Apache's proxy_http so I can run
Tor-dir and Apache2 with SSL on port 443. Yesterday I noticed in the
logs that someone (e198212.upc-e.chello.nl - had several
connections per second to the DirPort. That someone tried to use the
CONNECT method to connect to several other servers. The server responded 500
every time (Internal error or something) but that would not stop the
DoSing that had been going on for hours. I'm not logging typical
connections to the DirPort, only odd ones.

I wrote a fail2ban filter to catch him and others doing the same. I'm
not sure what the attacker tried to gain with such a method; the attacks
always came from the same IP, and ten connections per second isn't enough to
bring the server down. Also, he could not get a connection anywhere via the
CONNECT method through the http_proxy; he only got error messages.

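The kind of check a fail2ban filter for this pattern performs, as an added example that is not the poster's filter: count CONNECT requests per client in an Apache access log and flag clients that exceed a threshold inside a time window. The log lines are constructed, and the `maxretry` and `findtime` values (names borrowed from fail2ban's jail options) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log prefix: client host, timestamp, request method.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
)

def find_connect_abusers(lines, maxretry=5, findtime=timedelta(seconds=10)):
    """Return {host: time the threshold was first crossed} for clients that
    send at least `maxretry` CONNECT requests within a `findtime` window."""
    recent = defaultdict(deque)  # host -> timestamps of recent CONNECT attempts
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("method") != "CONNECT":
            continue  # directory fetches are plain GETs; unparsable lines are skipped
        host = m.group("host")
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:  # drop attempts older than the window
            window.popleft()
        if len(window) >= maxretry and host not in flagged:
            flagged[host] = ts
    return flagged

# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.20 - - [12/Mar/2009:10:15:00 +0200] "GET /tor/server/all.z HTTP/1.0" 200 48211 "-" "-"
198.51.100.7 - - [12/Mar/2009:10:15:01 +0200] "CONNECT mail.example.net:25 HTTP/1.0" 500 612 "-" "-"
198.51.100.7 - - [12/Mar/2009:10:15:01 +0200] "CONNECT mail.example.org:25 HTTP/1.0" 500 612 "-" "-"
203.0.113.99 - - [12/Mar/2009:10:15:02 +0200] "CONNECT www.example.com:443 HTTP/1.1" 500 612 "-" "-"
198.51.100.7 - - [12/Mar/2009:10:15:02 +0200] "CONNECT mail.example.com:25 HTTP/1.0" 500 612 "-" "-"
198.51.100.7 - - [12/Mar/2009:10:15:02 +0200] "CONNECT mail.example.net:25 HTTP/1.0" 500 612 "-" "-"
198.51.100.7 - - [12/Mar/2009:10:15:03 +0200] "CONNECT mail.example.org:25 HTTP/1.0" 500 612 "-" "-"
203.0.113.99 - - [12/Mar/2009:10:16:30 +0200] "CONNECT www.example.com:443 HTTP/1.1" 500 612 "-" "-"
this line is not in access-log format
""".splitlines()

if __name__ == "__main__":
    for host, when in find_connect_abusers(SAMPLE_LOG).items():
        print(f"{host} crossed the CONNECT threshold at {when.isoformat()}")
```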