[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Guard node suddenly sending twice what it receives

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] Guard node suddenly sending twice what it receives
From: Logforme <m7527@xxxxxx>
Date: Wed, 20 Dec 2017 21:57:29 +0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 20 Dec 2017 16:57:48 -0500
In-reply-to: <2648C333-A118-4DF2-8259-ADEC7EA59CC3@gmail.com>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <emf63ee07a-8e88-4b82-9961-d1c2412505ab@mats-win7> <2648C333-A118-4DF2-8259-ADEC7EA59CC3@gmail.com>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: eM_Client/7.1.30794.0

Check the logs, but they won't tell you much, and that's deliberate.

So I checked the tor log.

First part is before the "weirdness":

Dec 20 16:00:08.000 [notice] Heartbeat: Tor's uptime is 4 days 23:59hours, with 36191 circuits open. I've sent 3686.92 GB and received3646.75 GB.Dec 20 16:00:08.000 [notice] Circuit handshake stats since last time:160437/160437 TAP, 5003782/5003782 NTor.Dec 20 16:00:08.000 [notice] Since startup, we have initiated 0 v1connections, 0 v2 connections, 1 v3 connections, and 102511 v4connections; and received 2151 v1 connections, 29819 v2 connections,46331 v3 connections, and 683484 v4 connections.


Next time during the weirdness:

Dec 20 22:00:08.000 [notice] Heartbeat: Tor's uptime is 5 days 5:59hours, with 233634 circuits open. I've sent 3908.13 GB and received3832.44 GB.Dec 20 22:00:08.000 [notice] Circuit handshake stats since last time:564576/564576 TAP, 18285622/18285622 NTor.Dec 20 22:00:08.000 [notice] Since startup, we have initiated 0 v1connections, 0 v2 connections, 1 v3 connections, and 107666 v4connections; and received 2309 v1 connections, 31585 v2 connections,49188 v3 connections, and 711324 v4 connections.

Note that the number of circuits have gone up from a relatively normalnumber, 36191, to a massive 233634. Definitely not normal. And this iswith my connection limits in place in the iptables.


The tor process now uses about twice as much CPU as normally.

I think the attacker has found a new way "in".

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] Guard node suddenly sending twice what it receives
  - From: teor

References:
- [tor-relays] Guard node suddenly sending twice what it receives
  - From: Logforme
- Re: [tor-relays] Guard node suddenly sending twice what it receives
  - From: teor

Prev by Author: [tor-relays] Guard node suddenly sending twice what it receives
Next by Author: Re: [tor-relays] botnet? abusing/attacking guard nodes
Previous by thread: Re: [tor-relays] Guard node suddenly sending twice what it receives
Next by thread: Re: [tor-relays] Guard node suddenly sending twice what it receives
Index(es):
- Author
- Thread