
Re: [tor-relays] Tor Server - DDOS or High Load



I think you misinterpreted what I was saying or I didn't explain it well enough. Tor utilizing 100% CPU usage is only normal if you are pushing a LOT of bits. In this case, you probably have a system misconfiguration somewhere (nothing to do with Tor's configuration, torrc).

>"Nor, the addresses of the inbound traffic were from different addresses."
Yes, that's expected. You're getting connections from the Tor network.
>"I thought that it was not possible to force traffic through a specific predefined route in Tor"
It isn't possible. I believe I said so, or implied it. The only way to do this would be through an attack on the Tor network in general.

>"Is it possible to flood the tor port directly with for example syn floods?"
Through the Tor network, no, that's impossible. TCP relies on a 3-way-handshake which means that every connection between relays will have to be complete; therefore, in order to connect to your relay, a complete connection will have to be made. I hope this makes sense, if not, I can elaborate a bit more.

However, if someone has a hold of your IP, they can run a port scanner and then determine your relay port (which is on the internet for all to see). Therefore, you can be attacked, but not through the Tor network.

>"If yes; is there an iptables rule which will reduce the amount of connection kept in the syn state?"
First of all, no. And second, that's not how you deal with a SYN flood. If that rule was implemented, it would just be easier to take your port offline.


I highly doubt you are under attack. Almost certainly a misconfiguration of some sort. Have you tried the recommendations that others have given relating to your file descriptors?

On Thu, Dec 4, 2014 at 1:40 AM, <webmaster@xxxxxxxxxxxxxxxxxxxx> wrote:
Ok,

I will reject this as a normal behavior of tor. My flags are actually:

HSDir, Running, V2Dir, Valid

To point 2.: Nor, the addresses of the inbound traffic were from different
addresses.
I thought that it is not possible to force the traffic through a defined
route because from
my knowledge the route is built by the network. Sometimes I'm using my Tor
Server as a Proxy for my local http traffic. I think this is the only case
where I can force my route to use my server as an entry node.

Is it possible to flood the tor port directly with for example syn floods?

If yes; is there an iptables rule which will reduce the amount of
connection kept in the syn state?

My Tor Info:
https://globe.torproject.org/#/relay/C54E81EB047D7EC1E05B0AC6E723BE1BF5CAF520

Thanks for the reply



> Hey bud,
> Your adsl connection has a low advertised bandwidth, and doesn't make many
> connections with regards to tor; thus, the CPU usage is correct. Look up
> your server's fingerprint or nickname on Tor Globe to see how much of the
> tor network travels through your server.
> CPU load is usually associated with a lot of bandwidth or an inefficiency
> in the server. I've heard that a 100mbit tor server using full 12.5MB/s
> up/down will saturate the core dedicated to the Tor process; this is
> presumably why a lot of servers run multiple Tor instances on different
> cores and IP addresses. However, in your case, it is likely
> The large amount of connections is generally caused by a few things:
> 1. You've been running a very stable server for a long period of time and
> have sufficient bandwidth to provide connectivity for a large number of
> clients; additional flags, such as Guard, HSDir, V2Dir, and Exit will
> likely result in more connections. This is not likely with your server,
> given your advertised bandwidth is only 68.44kb/s.
> 2. A single client is using your server for a lot of connections.
> 3. An anomaly/attack in the Tor network (somewhat unlikely, I don't know
> if any have been documented.)
> 4. An attack against your server. This is very hard to do through the Tor
> network; an attack against a Tor relay using Tor is an attack against all
> Tor relays. HOWEVER, they could be attacking your port which you use to
> host your tor server.
> Just for reference, here's my tor stats:
> Advertised B/W: ~4MB/s
> Connections (555 inbound, 5 outbound, 93 exit, 1 socks, 5 circuit, 1
> control)
> Tor is averaging 9%-13% CPU usage; 198MB memory.
> More info on my server:
> https://globe.torproject.org/#/relay/EF84089646304169F439A8F473742D74F027BA1B
> I hope this answered your question, if not, send a reply and hopefully
> I'll reply sometime.


_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
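
Added example (not part of the original messages and not Tor project code): one way to check, on the relay host, whether sockets on the relay port are mostly completed handshakes or half-open SYN_RECV entries, which is the difference the reply draws between normal relay traffic and a direct SYN flood. The ORPort 9001, the sample rows and the heuristic thresholds are assumptions; on a live Linux host the input would be the contents of /proc/net/tcp.

```python
from collections import Counter

# TCP state codes as they appear in the "st" column of /proc/net/tcp (Linux)
STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
          "06": "TIME_WAIT", "08": "CLOSE_WAIT", "0A": "LISTEN"}

# Constructed sample in /proc/net/tcp layout; ORPort 9001 (0x2329) is an assumption.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:2329 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 20001
   1: 0A00000A:2329 0A0200C0:C350 01 00000000:00000000 00:00000000 00000000   106        0 20002
   2: 0A00000A:2329 076433C6:D431 01 00000000:00000000 00:00000000 00000000   106        0 20003
   3: 0A00000A:2329 057100CB:8235 03 00000000:00000000 01:00000064 00000001     0        0 0
   4: 0A00000A:0016 0A0200C0:E1F2 01 00000000:00000000 00:00000000 00000000     0        0 20004
"""

def hex_to_ipv4(h):
    """Decode an IPv4 address stored as little-endian hex (x86 / little-endian ARM)."""
    return ".".join(str(b) for b in reversed(bytes.fromhex(h)))

def summarize(proc_text, port):
    """Count sockets per TCP state on a local port and list peers in SYN_RECV."""
    states, half_open = Counter(), Counter()
    for line in proc_text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 4:
            continue
        if int(f[1].rsplit(":", 1)[1], 16) != port:  # local port is hex
            continue
        state = STATES.get(f[3], f[3])
        states[state] += 1
        if state == "SYN_RECV":
            half_open[hex_to_ipv4(f[2].rsplit(":", 1)[0])] += 1
    return states, half_open

def looks_like_syn_flood(states, ratio=1.0, floor=100):
    """Heuristic (thresholds are assumptions): half-open sockets outnumber completed ones."""
    syn, est = states["SYN_RECV"], states["ESTABLISHED"]
    return syn >= floor and syn > ratio * est

if __name__ == "__main__":
    states, half_open = summarize(SAMPLE, 9001)
    print(dict(states), dict(half_open), looks_like_syn_flood(states))
```

A relay with many ESTABLISHED sockets and few SYN_RECV entries is carrying ordinary Tor connections, in which case the file descriptor limit is the next thing to check.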