[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] outgooing UDP flooding on middle relay

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] outgooing UDP flooding on middle relay
From: Markus Koch <niftybunny@xxxxxxxxxxxxxx>
Date: Mon, 1 Aug 2016 15:17:34 +0200
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 01 Aug 2016 09:18:19 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=from:content-transfer-encoding:mime-version:subject:message-id:date :references:in-reply-to:to; bh=69rWnAZaVviUKL7sfxbCIO0rX9ZnP+zoZJQ4waI/Z0U=; b=JckThWcz8CPgJeLvbmhCqvXMW1ptBH0VV6g+xykaS93jIWgq7r+hzhCuSj5/d/ItRZ LXI8IRew7zE699jTms8ZUZm+bB7m6qK0Hno6ZE7gy3xTUnWdZOVuj24WjOweMFqds1c5 9Hz8fhnas9gBfVDe92luNxWZMMJj6TxKeT9nAe7H+5VGQwHlqEvEIAw5xJZoU7CpfjD4 1yOItjFggEEuaMopR5aVJnNs5vJe/1CZpK5nCrPFeECaFmqeizrblRJ3BA7NQuKVR+g/ Aj8CAfw1TfMtF84aFuI1OrUV+eNvAb8/02rJH2pM17YyGtoYzb2X4K8GVdLA2pyQjP9r 2/+Q==
In-reply-to: <9E7A111A-8344-4072-8722-7DD93D3C3721@gmail.com>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <69a999bd-3167-d0b9-7d41-94602f093db8@web.de> <CALsPhAFvKoHGhHtFDY53bB3Oqcs1aXz9Md9Suwn8DTAdnKweEw@mail.gmail.com> <0bf1f7a3-e621-042a-f2c3-629f6f244cda@web.de> <CALsPhAGcWR9ykxaFBqbxbDLmkqYgK_dXmOOFHnujX-H03YQcbg@mail.gmail.com> <a011d7ff-11b7-a328-cf6f-dd2d626aa31b@web.de> <CALsPhAE1yR5NGJ_Ec4HZ7RTpU2QJ-nOmkMEUjS3nxW_kbD1V1A@mail.gmail.com> <9E7A111A-8344-4072-8722-7DD93D3C3721@gmail.com>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

If this is a synflood or any other ddos attack on his vps the tor server would not relay the attack and in and outgoing traffic would be vastly different. 

Sent from my iPad

> On 01 Aug 2016, at 15:12, teor <teor2345@xxxxxxxxx> wrote:
> 
> 
>> On 1 Aug 2016, at 23:08, Markus Koch <niftybunny@xxxxxxxxxxxxxx> wrote:
>> 
>> Looks like DOS/DDOS.Is it even possible to DDOS over tor?
> 
> It's possible to (D)DOS any server using ping (or DNS, or any other UDP responder).
> All an attacker needs is the server's IP address, which is publicly available in the Tor consensus.
> Then they can attack the relay from the Internet.
> 
> There's no need to use Tor to tunnel the (D)DOS. In this case, Tor doesn't tunnel UDP, so it's unlikely to be the culprit.
> 
> Tim
> 
>> 
>> 
>> 2016-08-01 15:04 GMT+02:00 pa011 <pa011@xxxxxx>:
>>> yes about the same - sorry for the page brake dont get it solved in my
>>> thunderbird
>>> 
>>> h  rx (KiB)   tx (KiB)      h  rx (KiB)   tx (KiB)      h  rx (KiB)
>>> tx (KiB)
>>> 23  6.559.929  6.748.215    07  4.697.285  4.845.893    15 35.106.193
>>> 35.833.114
>>> 00  5.129.384  5.289.456    08 12.317.567 12.605.726    16          0
>>>     0
>>> 01  3.709.181  3.843.988    09 14.913.172 15.278.079    17          0
>>>     0
>>> 02  4.405.017  4.574.745    10 22.218.874 22.738.508    18    102.138
>>> 144.732
>>> 03  4.670.091  4.817.785    11 25.700.571 26.306.505    19    275.999
>>> 340.633
>>> 04  4.711.807  4.853.921    12 32.840.796 33.571.996    20    271.278
>>> 382.087
>>> 05  4.269.354  4.408.417    13 32.910.527 33.637.092    21    263.147
>>> 383.444
>>> 06  5.279.142  5.443.890    14 40.052.678 40.824.138    22    176.040
>>> 258.865
>>> 
>>> 
>>>> Am 01.08.2016 um 14:51 schrieb Markus Koch:
>>>> In and outgoing traffic is the same size?
>>>> 
>>>> 
>>>> 
>>>> 2016-08-01 14:44 GMT+02:00 pa011 <pa011@xxxxxx>:
>>>>> The ISP didn’t mention - I would have to ask.
>>>>> 
>>>>> What I saw was that the traffic was up about linear from usually 30Mbits
>>>>> to above 100 Mbits over about 6 hours, bringing the CPU to 100% and
>>>>> dropping.
>>>>> 
>>>>> 
>>>>>> Am 01.08.2016 um 14:36 schrieb Markus Koch:
>>>>>> How many packets per second?
>>>>>> 
>>>>>> Markus
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 2016-08-01 14:28 GMT+02:00 pa011 <pa011@xxxxxx>:
>>>>>>> Hello,
>>>>>>> 
>>>>>>> one of my middle relays got auto limited by the ISP because of
>>>>>>> "outgooing UDP flooding ".
>>>>>>> 
>>>>>>> The VPS is pure debian8, fail2ban, pub key and nothing else installed -
>>>>>>> so I highly doubt the give reason for the traffic limitation.
>>>>>>> Also I cant find anything in the log files.
>>>>>>> 
>>>>>>> Anybody having experience with such an issue?
>>>>>>> What to check for please?
>>>>>>> 
>>>>>>> Paul
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> tor-relays mailing list
>>>>>>> tor-relays@xxxxxxxxxxxxxxxxxxxx
>>>>>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>>>>>> _______________________________________________
>>>>>> tor-relays mailing list
>>>>>> tor-relays@xxxxxxxxxxxxxxxxxxxx
>>>>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>>>>> _______________________________________________
>>>>> tor-relays mailing list
>>>>> tor-relays@xxxxxxxxxxxxxxxxxxxx
>>>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>>>> _______________________________________________
>>>> tor-relays mailing list
>>>> tor-relays@xxxxxxxxxxxxxxxxxxxx
>>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>>> _______________________________________________
>>> tor-relays mailing list
>>> tor-relays@xxxxxxxxxxxxxxxxxxxx
>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>> _______________________________________________
>> tor-relays mailing list
>> tor-relays@xxxxxxxxxxxxxxxxxxxx
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> 
> Tim Wilson-Brown (teor)
> 
> teor2345 at gmail dot com
> PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
> ricochet:ekmygaiu4rzgsk6n
> xmmp: teor at torproject dot org
> 
> 
> 
> 
> 
> _______________________________________________
> tor-relays mailing list
> tor-relays@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] outgooing UDP flooding on middle relay
  - From: pa011
- Re: [tor-relays] outgooing UDP flooding on middle relay
  - From: pa011

References:
- [tor-relays] outgooing UDP flooding on middle relay
  - From: pa011
- Re: [tor-relays] outgooing UDP flooding on middle relay
  - From: Markus Koch
- Re: [tor-relays] outgooing UDP flooding on middle relay
  - From: pa011
- Re: [tor-relays] outgooing UDP flooding on middle relay
  - From: Markus Koch
- Re: [tor-relays] outgooing UDP flooding on middle relay
  - From: pa011
- Re: [tor-relays] outgooing UDP flooding on middle relay
  - From: Markus Koch
- Re: [tor-relays] outgooing UDP flooding on middle relay
  - From: teor

Prev by Author: Re: [tor-relays] halp #2
Next by Author: Re: [tor-relays] How to exclude a CDN ?
Previous by thread: Re: [tor-relays] outgooing UDP flooding on middle relay
Next by thread: Re: [tor-relays] outgooing UDP flooding on middle relay
Index(es):
- Author
- Thread