[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-relays] short conntrack DDoS attack

To: "tor-relays@xxxxxxxxxxxxxxxxxxxx" <tor-relays@xxxxxxxxxxxxxxxxxxxx>
Subject: [tor-relays] short conntrack DDoS attack
From: Toralf Förster <toralf.foerster@xxxxxx>
Date: Tue, 8 Aug 2023 09:21:56 +0200
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 08 Aug 2023 03:22:09 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.de; s=s31663417; t=1691479317; x=1692084117; i=toralf.foerster@xxxxxx; bh=g9UMuizHFtEbnnS9CJuQxYUD7G+Cq6RMULVlnB+Z5U8=; h=X-UI-Sender-Class:Date:To:From:Subject; b=K7ZaTe/WP10SgIQfZFbejfrcT7sLAnfDXlYf/myII+YEsiWuIy6cvPW0s07f7xGeHPPIqVH I1e39HzEnTv6xnMDPF+N77RNoZ5/QKzpzE1hQAg9q3B4PnVirC3gT3g8nmpagkiSPKvK7r0Wh 7qYY0MXX/MtrXtYLQ4RX4xzKgwnYIwMvBo7bNCBEc6RlOvcdHLSb9l60PPs6hiB9CZdFZ0ywS eJ9VIRylb1NyZWdXDDVdCsr5hpKDnGVHgJyapr9aEM9R9gL5+zYPE6AfGjjbUy4YFOish0EpC Z4Zg9qRKudKqYjuDf5L6iTGzGqZYh5RYYssj0UIaK/ZLm+wWx+Hg==
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>
Ui-outboundreport: notjunk:1;M01:P0:Mj8geBk03vU=;lD3rUvmyPDodEaY5XTE2lLauBvX c6AdPVg2bgwqJIO3V00JccYQL5lLdEFDczSWqx5Lw/K+ozLj0SQPF8kmonQQIqGWvLC9sCYRR k0EyNQxQWKNzQ3H6LXrfoMdcZVWam1ItIWLuRcJ1zcO2C6jPv5Ajb79I4iAqp7dZt+h2plhKS YBw3FHNV3+2kPI3W14mv4R9gJgjAdUjWf+XWztVfei6zpXmz9DcXBEpwIATk8xuC/+JZdEo7L zL72kh0ayz+TpUpPzFPh1C56oc4rbC+4U0fTpEOHKnZPQtvBq5YXAUYX1MLy2eCB5E+UIh7Yw ywJcR4cRmbBvDns6k1CMpAcBxqb9cF+H95eWV6V/2i5KZ96u9s3OGggghq3mKPXGtRzPvNM3x ufSpBvsntV1AYIeC++V53xx7tFkxL56mwAv+Wd208yCP1VT4qG7TSqHMdrQaU91K0A5sel0LJ ml/QqHFA0rIr3U6JElQmKg8prApiKODXWPciZmZXLcaQXgs9Dvfp51oOaG7oSgt+rh14p0IJz hEfxXmddIAXEWXPcKy5CiIkglvqi92YA26uXY348KFQF+BX8VW5CDiBMglYrQJAG6HxESMon5 SUcs44ONjdFGTSr/SyQd12L8tROly3SzX/xsDR0IiQTC3MCeMrFqzZUCUj8BpjcTf4cFiPSkk Iw1I74n0X95OvUX2xwFbgqYuJ9wrbV6xJMrdNBPqb5Qojnn7nF8LlB3EYbAX/d8gH1BP0MsgX NsZMnQN+4Y6p/BNsxWndVnuOOk8SRo/madvOISwFuqUngN6/odDgJWtNM/rnW23aNcDevcctn xwTzfZ12X+5oxtMRT/VSOVVr6rizeaZRi2X1wlvKsjtFwrJ5yCoj4NvBGgARwB1xJt8qQhG3m fCSZpNx3ed2cQRjGqe7xGFgelT/aIjk/G+lp6R48FecndPCTycCpNRIxWFNIV0YAfxHyEa5PT iE5qPA==
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.14.0

Few days ago the throughput of my Tor relay went down to nearly zero for
about 3 minutes. It turned out that the reason (maybe) was a change here
in my iptables rules. Especially I switched these 2 lines:

  iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
  iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

and run then few hours later into problems. And switched back ofc.
An explanation for the dropdown was given in [1]. Given that the
explanation is right:

How is the Tor application harmed if an attacker mangles packets so that
the state of them are INVALID for the conntrack module but they do pass
the RELATED,ESTABLISHED rule ?


[1] https://forums.gentoo.org/viewtopic-p-8798034.html
--
Toralf
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] short conntrack DDoS attack
  - From: mailinglistreader

Prev by Author: [tor-relays] Running an exit relay in Italy
Next by Author: Re: [tor-relays] Help Turkmens to bypass Internet censorship: run an obfs4 bridge!
Previous by thread: Re: [tor-relays] Tor Relay in Kubernetes cluster
Next by thread: Re: [tor-relays] short conntrack DDoS attack
Index(es):
- Author
- Thread