Re: peculiar server "bandwidth" posted by server "mnl" and possible new type of attack



     On Tue, 9 Sep 2008 02:10:05 +0200 Domenico Andreoli <cavokz@xxxxxxxxx>
wrote:
>Hi all, I am the mnl's operator,
>
>On Tue, Sep 09, 2008 at 05:15:15AM -0500, Scott Bennett wrote:
>>
>>      Nearly 49 MB/s seems a bit of a stretch.  The server's operator sent me
>> a note saying that the server is attached to the 1 GB/s campus backbone net,
>> but it is attached via a 100 Mb/s router, so the reported data rate is four
>> to five times the rate physically possible due to the router's limitation.
>> The server, according to its operator, is running on a 2.6 GHz P4, and its
>> descriptor says the machine is running LINUX.  Based upon postings quite a
>> while back from blutmagie's operator and from a few other operators of very
>> high-data-rate servers, it seems to me that a 2.6 GHz P4 (Northwood?) running
>> LINUX would not be capable of handling a load eight to ten times that of
>> blutmagie, regardless of its network connection's capacity.
>
>Confirmed.
>
>Yes, it is a P4 step C, Northwood.
>
>>      That brings us back to something I've already posted on OR-TALK, namely,
>> the apparent slowdown in tor traffic that has reduced the traffic through my
>> tor server by at least 30% and, judging from the reduced peaks shown for a lot
>> of the high-volume servers listed on the torstatus page, the tor network at
>> large.  If this is actually what has been going on, then not only should the
>> bug be tracked down and killed ASAP, it serves as a call to rethink the method
>> of circuit route selection to find ways to prevent a reduction-in-throughput
>> attack that could be made by almost any creep by setting up a corrupted relay.
>> (mnl is not even an exit.)
>
>The fact of not being an exit node would make it a better corrupted
>relay? I mean, if I would like to DOS the Tor network I would be better

     No, or at least I don't think so.  What I was referring to is that most
of the trouble we've had from bad operators has taken the form of corrupted
exit servers, where what goes into or comes out of the exit is in the clear
and can be altered before it is sent where it is going.

>to set the trojan node as internal?
>
     For this kind of attack, I suppose there might be some sort of advantage
to being only a relay and not an exit because route selection often prefers
non-exit relays for non-exit positions in a route, and a typical route has
two non-exit positions but only one exit position.  So the chances to bog
down performance might be a bit higher if the attacker focused on non-exit
usage.
     But Roger has already said that clients believe that no server really
handles more than 5 MB/s, so they trim any figures greater than that back to
5 MB/s.  If you had a dozen or two tor servers falsely reporting high usages,
each at 5 MB/s or more, it might make a mess of things because they would
distort the networkwide statistics, especially if those servers did not
identify themselves as all being members of the same Family.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
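
An added illustration, not part of the original message and not Tor's code: a simplified model, assuming relay selection is purely proportional to advertised bandwidth, of how the 5 MB/s client-side trim mentioned above limits the share of picks going to relays that overstate their rate, and why a dozen or two such relays still distort the picture. The network size and honest-relay rates are constructed sample values.

```python
# Simplified model (an assumption, not Tor's actual path-selection code):
# a client picks a relay with probability proportional to its advertised
# bandwidth, after trimming each figure to a cap.

MB = 1_000_000
CAP = 5 * MB  # the 5 MB/s client-side cap mentioned in the message


def selection_share(advertised, flagged, cap=None):
    """Fraction of bandwidth-weighted picks landing on the flagged relays.

    advertised: dict of relay name -> advertised bytes/s
    flagged:    set of relay names whose combined share is wanted
    cap:        trim every advertised figure to this value (None = no cap)
    """
    weights = {
        name: (min(bw, cap) if cap is not None else bw)
        for name, bw in advertised.items()
    }
    total = sum(weights.values())
    if total == 0:
        return 0.0
    return sum(weights[n] for n in flagged) / total


def constructed_network(honest=200, honest_bw=500_000, liars=1, liar_bw=49 * MB):
    """Constructed sample: `honest` relays at honest_bw plus `liars` overstating."""
    net = {f"honest{i}": honest_bw for i in range(honest)}
    net.update({f"liar{i}": liar_bw for i in range(liars)})
    return net, {f"liar{i}" for i in range(liars)}


if __name__ == "__main__":
    for liars in (1, 12, 24):
        net, bad = constructed_network(liars=liars)
        print(
            f"{liars:2d} overstating relay(s): "
            f"uncapped {selection_share(net, bad):.1%}, "
            f"capped {selection_share(net, bad, CAP):.1%}"
        )
```
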