
Re: another DirPort DoS attacker



     On Wed, 03 Sep 2008 12:05:25 +0300 M <maillist@xxxxxxxxxxxx> wrote:
>>      A short time ago, I found that 212.205.53.212 had several hundred open
>> TCP connections to my tor server's DirPort, and very little relay traffic
>> seemed to be getting past all of that.  I've now taken steps to prevent such
>> connections from that IP address.  (That IP address has the name
>> sahrsmtp03.cosmote.gr.)  Other tor server operators may (or may not) wish to
>> follow suit.
>
>I'm running Tor-directory behind Apache's proxy_http so I can run
>Tor-dir and Apache2 with ssl at port 443. Yesterday I noticed in the
>logs that someone (e198212.upc-e.chello.nl - 213.93.198.212) had several
>connections per second to the dirport. That someone tried to use the
>CONNECT method to connect to several other servers. The server responded 500
>every time (Internal error or something) but that would not stop the
>dossing that had been going on for hours. I'm not logging typical
>connections to the dirport, only odd ones.
>
>I wrote a fail2ban filter to catch him and others doing the same. I'm
>not sure what the attacker tried to gain with such a method; the attacks
>always came from the same IP, and ten connections per second isn't enough to
>bring the server down. Also, he could not get a connection via the
>CONNECT method anywhere through the http_proxy; he only got error messages.
>
     Very interesting.  If one depends upon a DirPolicy to reject the attempts,
one will get a notice-level log message for each rejected attempt. :-(  So I
simply added a pf rule to block SYN packets for my DirPort from that IP
address.  I also added a DirPolicy line, but mainly to make sure that I would
be notified if it turned out that I had screwed up the pf rule and connections
were still getting through. :-)
     The vast numbers of connections per se didn't actually bring my server
down.  Rather, it was more likely the large numbers of packets in output
queues that tied up the transmit capacity of my cable link, thereby reducing
available relay capacity.  Once there is a big backlog of packets waiting to
be transmitted, I begin to see growing numbers of input queues with packets
waiting to be read by programs, including tor from its ORPort.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
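As an added example (not code from either poster), here is the kind of detection M's fail2ban filter performs, written in Python and run over a few constructed Apache access log lines: it matches CONNECT requests that the proxy answered with a 5xx, counts them per source address inside a sliding time window, and reports the addresses that cross a threshold. The log format, the sample addresses, and the maxretry/findtime values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache combined log format (assumed), e.g.
# 203.0.113.5 - - [03/Sep/2008:11:05:25 +0300] "CONNECT example.net:443 HTTP/1.1" 500 0 "-" "-"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) \S+ [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: one address hammers the proxy with CONNECT, one is a normal dir client.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Sep/2008:11:05:25 +0300] "CONNECT example.net:443 HTTP/1.1" 500 0 "-" "-"',
    '198.51.100.7 - - [03/Sep/2008:11:05:25 +0300] "GET /tor/server/all HTTP/1.0" 200 4096 "-" "-"',
    '203.0.113.5 - - [03/Sep/2008:11:05:25 +0300] "CONNECT example.net:443 HTTP/1.1" 500 0 "-" "-"',
    '203.0.113.5 - - [03/Sep/2008:11:05:26 +0300] "CONNECT example.net:443 HTTP/1.1" 500 0 "-" "-"',
    '203.0.113.5 - - [03/Sep/2008:11:05:26 +0300] "CONNECT example.net:443 HTTP/1.1" 500 0 "-" "-"',
    '203.0.113.5 - - [03/Sep/2008:11:05:27 +0300] "CONNECT example.net:443 HTTP/1.1" 500 0 "-" "-"',
    '198.51.100.7 - - [03/Sep/2008:11:05:40 +0300] "CONNECT example.net:443 HTTP/1.1" 500 0 "-" "-"',
]

def failed_connect(line):
    """Return (ip, timestamp) if the line is a CONNECT the proxy refused with a 5xx, else None.
    This plays the role of the 'failregex' in a fail2ban filter."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "CONNECT" or not m.group("status").startswith("5"):
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts

def offenders(lines, maxretry=5, findtime=10):
    """fail2ban-style jail logic: an address is banned once it produces
    `maxretry` matches within any `findtime`-second window (lines in log order)."""
    recent = defaultdict(deque)   # ip -> timestamps of matches still inside the window
    banned = set()
    for line in lines:
        hit = failed_connect(line)
        if hit is None:
            continue
        ip, ts = hit
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:   # drop matches older than the window
            q.popleft()
        if len(q) >= maxretry:
            banned.add(ip)
    return banned

if __name__ == "__main__":
    print(sorted(offenders(SAMPLE_LOG)))   # ['203.0.113.5']
```

The single refused CONNECT from the second address stays below the threshold, which is the point of the window: one stray request is not a ban, a sustained stream is.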