I'm pretty sure what you mean. But as I has written in the conversations before (read the whole) the 100% CPU load occurred only on the 24 Nov for about two hours. After that I haven't monitored such a high load. I know that an attack through the tor network isn't very unlikely but keep in mind that all relay / entry / exit node real IP addresses are well known and can be fetched from (as example) tor globe. As a result a syn flooding (maybe with spoofed adresses) to the tor port itself could be possible from my point of view, correct me if I'm wrong. But I'm not sure if tor will show them as inbound connections because they are not well established. There is no reason for me to raise the amount of file descriptors at the moment, because the high load still doesn't exists at the moment. Hope some things are now clearer. Am 04.12.2014 um 19:53 schrieb Austin Bentley: > I think you misinterpreted what I was saying or I didn't explain it well enough. Tor utilizing 100% CPU usage is only normal if you are pushing a LOT of bits. In this case, you probably have a system misconfiguration somewhere (nothing to do with Tor's configuration, torrc). >> "Nor, the adresses of the inbound traffic were from different adresses." > Yes, that's expected. You're getting connections from the Tor network. >> "I thought that it was not possible to force traffic through a specific predefined route in Tor" > It isn't possible. I believe I said so, or implied it. The only way to do this would be through an attack on the Tor network in general. >> "Is it possible to flood the tor port directly with for example syn floods?" > Through the Tor network, no, that's impossible. TCP relies on a 3-way-handshake which means that every connection between relays will have to be complete; therefore, in order to connect to your relay, a complete connection will have to be made. I hope this makes sense, if not, I can elaborate a bit more. > However, if someone has a hold of your IP, they can run a portscanner and then determine your relay port (which is on the internet for all to see.) Therefore, you can be attacked, but not through the Tor network. >> "If yes; is there an iptables rule which will reduce the amount of connection kept in the syn state?" > First of all, no. And second, that's not how you deal with a SYN flood. If that rule was implemented, it would just be easier to take your port offline. > I highly doubt you are under attack. Almost certainly a misconfiguration of some sort. Have you tried the recommendations that others have given relating to your file descriptors? > On Thu, Dec 4, 2014 at 1:40 AM, > < mailto:webmaster@xxxxxxxxxxxxxxxxxxxx webmaster@xxxxxxxxxxxxxxxxxxxx >> > wrote: > Ok, > i will reject this as a normal behavior of tor. My flags are actually: > HSDir, Running, V2Dir, Valid > To point 2.: Nor, the adresses of the inbound traffic were from different > adresses. > I thought that it is not possible to force the traffic through a defined > route because form > my knowledge the route is build by the network. Sometimes I'm using my Tor > Server as a Proxy for my local http traffic. I think this is the only case > where i can force my route to use my server as a entry node. > Is it possible to flood the tor port directly with for example syn floods? > If yes; is there an iptables rule which will reduce the amount of > connection kept in the syn state? > My Tor Info: > https://globe.torproject.org/#/relay/C54E81EB047D7EC1E05B0AC6E723BE1BF5CAF520 https://globe.torproject.org/#/relay/C54E81EB047D7EC1E05B0AC6E723BE1BF5CAF520 > Thanks for the reply >> Hey bud, >> Your adsl connection has a low advertised bandwidth, and doesn't make many >> connections with regards to tor; thus, the CPU usage is correct. Look up >> your server's fingerprint or nickname on Tor Globe to see how much of the >> tor network travels through your server. >> CPU load is usually associated with a lot of bandwidth or a inefficiency >> in the server. I've heard that a 100mbit tor server using full 12.5MB/s >> up/down will saturate the core dedicated to the Tor process; this is >> presumably why a lot of servers run multiple Tor instances on different >> cores and IP addresses. However, in your case, it is likely >> The large amount of connections is generally caused by a few things: >> 1. You've been running a very stable server for a long period of time and >> have sufficient bandwidth to provide connectivity for a large number of >> clients; additional flags, such as Guard, HSDir, V2Dir, and Exit will >> likely result in more connections. This is not likely with your server, >> given your advertised bandwidth is only 68.44kb/s. >> 2. A single client is using your server for a lot of connections. >> 3. An anomaly/attack in the Tor network (somewhat unlikely, I don't know >> if any have been documented.) >> 4. An attack against your server. This is very hard to do through the Tor >> network; an attack against a Tor relay using Tor is an attack against all >> Tor relays. HOWEVER, they could be attacking your port which you use to >> host your tor server. >> Just for reference, here's my tor stats: >> Advertised B/W: ~4MB/s >> Connections (555 inbound, 5 outbound, 93 exit, 1 socks, 5 circuit, 1 >> control) >> Tor is averaging 9%-13% CPU usage; 198MB memory. >> More info on my server: >> https://globe.torproject.org/#/relay/EF84089646304169F439A8F473742D74F027BA1B https://globe.torproject.org/#/relay/EF84089646304169F439A8F473742D74F027BA1B >> https://globe.torproject.org/#/relay/EF84089646304169F439A8F473742D74F027BA1B https://globe.torproject.org/#/relay/EF84089646304169F439A8F473742D74F027BA1B >> I hope this answered your question, if not, send a reply and hopefully >> I'll reply sometime. > _______________________________________________ > tor-relays mailing list > mailto:tor-relays@xxxxxxxxxxxxxxxxxxxx tor-relays@xxxxxxxxxxxxxxxxxxxx > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays > > > > _______________________________________________ > tor-relays mailing list > tor-relays@xxxxxxxxxxxxxxxxxxxx > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays > -- -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2.0.17 (MingW32) mQENBFHMmT8BCAC0smvU7Bq1ABxAhvBRn7d4ekkk95aCE4TTQo4wy1z/rGLhQfdt dhiD+Vy61vGrsdK3ei5sW6rBvX2m8+YmBi+8AAgSiZmS0JM3Zz3cmTi5oh0D/yM8 4aDj7wQYfJyzSmYN8InAQ5eA77lwIdqG27kR9wga2szeJwCnWReta0R+7YFkpUW+ zUlf4SWcUx5SmBsaiELQpm+Qcn+fyopo12RX6YVmoNPBvN2nDXDnRhUCKGc+0xhD UrBpCHrApK6sTnMsD34ClCLTL2L1gckQ0AsQqY3PJlx3R8kIJxlmr6R3WnjPMIG0 lqrukB9PcOrHM1MZXK1gK6AtypHBN98lr8Z9ABEBAAG0KndlYm1hc3RlciA8d2Vi bWFzdGVyQGRlZmNvbi1jYy5keW5kbnMub3JnPokBPgQTAQIAKAUCUcyZPwIbIwUJ CWYBgAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQcN1vxvRQl+0SEwf+KXjf YtiSUSVS11uqeQ/8g46NwmNa91P3toZvEd7vhLSbjnL9bi/vApzNnUTGT3VP4/NA dg9SbR4qKlSr8T+YikRMV3tiuiVq8m7g00qM9y8MIomwJTounz8VdO/aJXFSOxAK Bb6ElREADspCzr2qSZCnozWUzbd+b8owbGeRRq3e33Aa5Nlm/xDRxGDWANbaIA8q Gkibvy3vWEwrxiwsakvHGaEZnPEtlNm3M1xcmFAuyl73qzUMkLN0u9E/2igo4EB5 EdMb5Ab5hfWdljxBqJr0tsvMfSK4VkzMCbKYkTqHZIRPQnhiSBE6Yo1Q6RCl/Hht bkvU4RA0J+NkXMZljrkBDQRRzJk/AQgA0HojJnK0uhEkAnbmszYsf477DV+LD02s ZEAlLGhJlf9qYaDiPMPwaZ3nK8/PYKzPpBWfHgRQP97rLHPIVJYl3BHDa/nWeZ2b e/HzYhpX0djbK9qe6W/CTfGbXmC/y+4dDGB8dvtTAW3JILm7xEdwiWtywozEVy7V lnMK4JQvlfOh+3XO6qv71FXyuRkObvkYzqvxUYHewtvvObcVxXHP0C0O6LB44iAW 2boZVVuiHdudnyNAezJajPMUT8SnI0bwL6+0TgnHL4cKNUEPQljIrrvi+9nCkq7V uBtnsYtyoo2reoxmCbX/Z1zZsxdUcKpeJHlc5AypyN8DUJ+APJ9NnwARAQABiQEl BBgBAgAPBQJRzJk/AhsMBQkJZgGAAAoJEHDdb8b0UJftOY0H/1TChmQrJC/qzefW PK7EqFlBg3TIEXdu8JHjF42ZOgzQRfp7E2wWzEx0Y45lNXMs6Yg15hWCEDaUDF6F 5WZKNrP8xIldyR9Aw7fyKqjZ9UuKovqofHsCiaSO7nWzGM6GF3nBDNI9NcFve/wN wggyjAbohOJrJGal3N0HlG3cakqjEmjBe1gQEMC0ZPlWstb/cqqr49TNPrRmQc4P SyGffh8Xqhw94m1LDBXFEaYe7AxjNk1sPAVfO1rOdLF6GOun/UwgbhDQX/Rb9C3t AhjSgyFEiR/gfrUZ7R6SY51qOUf1lN5ZN85C/x27XoZWYlsNaH3Ei6nG+yeswBMk ZRMbezQ= =Med3 -----END PGP PUBLIC KEY BLOCK-----
Attachment:
0xF45097ED.asc
Description: application/pgp-keys
_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays