Re: [tor-relays] Very high CPU Load and low Traffic since Sunday
- To: tor-relays@xxxxxxxxxxxxxxxxxxxx,teor <teor@xxxxxxxxxx>
- Subject: Re: [tor-relays] Very high CPU Load and low Traffic since Sunday
- From: Tim Niemeyer <tim@xxxxxxxx>
- Date: Tue, 20 Aug 2019 10:02:17 +0200
- Delivered-to: archiver@xxxxxxxx
- Delivery-date: Tue, 20 Aug 2019 04:02:27 -0400
- In-reply-to: <967CCB1F-1076-4A51-8A6A-D3CD4F090BD1@riseup.net>
- List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
- List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
- List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
- List-post: <mailto:tor-relays@lists.torproject.org>
- List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
- List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
- References: <3296D07E-DA10-4A2F-9262-C93E25F977B5@to-surf-and-protect.net> <7A92E0B3-3439-48BF-8935-2FCA9E453345@quintex.com> <967CCB1F-1076-4A51-8A6A-D3CD4F090BD1@riseup.net>
- Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
- Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>
Hi
Just short: I noticed the high rate of ssh abuse mails. So I started to test to reject (via tor config) the ssh port. Traffic and load now look a lot better. So it seems to be a brute force attack which slows down the exit due to too many too small packets.
Tim
PS: @teor: did you forget the cc's?
On 20 August 2019 08:05:36 CEST, teor <teor@xxxxxxxxxx> wrote:
>Hi,
>
>>>> On 15. Aug 2019, at 16:43, Tim Niemeyer <tim@xxxxxxxx> wrote:
>>>>
>>>> Signed PGP part
>>>> Hello
>>>>
>>>> I've noticed a reduction in tor traffic of about 50% since Sunday. The cpu
>>>> load stayed almost the same. The amount of TCP Sessions increased from ~34k
>>>> to ~65k. Also the abuse rate about network scans got increased since
>>>> Sunday.
>>>>
>>>> Does anyone know what's going on there?
>>>>
>>>> My guess is that since Sunday anyone uses Tor for extended network
>>>> scans, which results in a very high packet rate.
>>>>
>>>> Personally I've no problem with some network scans, but this is a bit
>>>> annoying and I asked myself if this is still a scan or more a DOS.
>>>>
>>>> https://metrics.torproject.org/rs.html#search/family:719FD0FA327F3CCBCDA0D4EA74C15EA110338942
>
>>> On Aug 19, 2019, at 21:45, niftybunny <abuse-contact@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>>>
>>> Same here +1
>
>> On 20 Aug 2019, at 14:35, Larry Brandt <lbrandt@xxxxxxx> wrote:
>>
>> This may be similar to my situation with my Finland exit relay [1].
>> I was finally forced to deal with kern overload that shut my cpu down.
>> I had several thousand IP's without hashed fingerprints opting to get
>> into Tor. A combination of hardening, banning and increasing kern
>> processing to 100,000 helped. Since then I have a Consensus Weight of
>> 600 rather than the 8000 before the intrusion. Strange thing: ufw
>> banning and reboot does not seem to stop a few of the Iranian IP
>> addresses--they're still there.
>
>We think this is a result of Iranian censorship, I think the anti-censorship
>team are working on the issue. I've cc'd Philipp for more info.
>
>> On 20 Aug 2019, at 12:56, John Ricketts <john@xxxxxxxxxxx> wrote:
>>
>> reduction++;
>
>This could be a result of load balancing changes due to Rob's bandwidth
>experiment.
>
>CPU overloads could also be a result of load balancing changes. The
>tests only used a few large bandwidth circuits, but the CPU usage of
>lots of small circuits is much higher.
>
>I've cc'd Rob to get his opinion.
>
>T
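Added example (not part of the thread and not Tor's own code): rejecting the SSH port via the Tor config, as described in the reply above, depends on rule order, because Tor evaluates ExitPolicy entries first to last and the first match wins. The sketch below is a simplified, IPv4-only model of that evaluation; the function names and the two sample policies are constructed for illustration.

```python
import ipaddress

def parse_rule(line):
    """Parse 'accept|reject ADDR[/MASK]:PORT[-PORT]' (IPv4 only, '*' wildcards)."""
    action, pattern = line.split()
    if action not in ("accept", "reject"):
        raise ValueError(f"unknown action: {action}")
    addr, _, ports = pattern.rpartition(":")
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    if ports == "*":
        lo, hi = 1, 65535
    else:
        lo, _, hi = ports.partition("-")
        lo, hi = int(lo), int(hi or lo)
    return action, net, lo, hi

def exit_allowed(policy, ip, port):
    """First matching rule wins. Assumption of this simplified model:
    a destination that matches no rule is rejected."""
    target = ipaddress.ip_address(ip)
    for action, net, lo, hi in map(parse_rule, policy):
        if (net is None or target in net) and lo <= port <= hi:
            return action == "accept"
    return False

def shadowed_rules(policy):
    """Return the rules that follow a catch-all '*:*' entry and so never match."""
    for i, line in enumerate(policy):
        _, net, lo, hi = parse_rule(line)
        if net is None and (lo, hi) == (1, 65535):
            return policy[i + 1:]
    return []

# Constructed sample policies (not taken from the thread).
SSH_REJECT_FIRST = ["reject *:22", "accept *:*"]
SSH_REJECT_LATE = ["accept *:*", "reject *:22"]  # the reject is shadowed

if __name__ == "__main__":
    for name, pol in (("reject first", SSH_REJECT_FIRST),
                      ("reject late", SSH_REJECT_LATE)):
        print(name,
              "| ssh allowed:", exit_allowed(pol, "192.0.2.10", 22),
              "| https allowed:", exit_allowed(pol, "192.0.2.10", 443),
              "| shadowed:", shadowed_rules(pol))
```

A reject line added after an existing catch-all accept has no effect, so the SSH rule has to sit above it in the torrc.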