[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Guard node suddenly sending twice what it receives



> On 21 Dec 2017, at 08:57, Logforme <m7527@xxxxxx> wrote:
> 
>> Check the logs, but they won't tell you much, and that's deliberate.
>> 
> So I checked the tor log.
> 
> First part is before the "weirdness":
> Dec 20 16:00:08.000 [notice] Heartbeat: Tor's uptime is 4 days 23:59 hours, with 36191 circuits open. I've sent 3686.92 GB and received 3646.75 GB.
> Dec 20 16:00:08.000 [notice] Circuit handshake stats since last time: 160437/160437 TAP, 5003782/5003782 NTor.
> Dec 20 16:00:08.000 [notice] Since startup, we have initiated 0 v1 connections, 0 v2 connections, 1 v3 connections, and 102511 v4 connections; and received 2151 v1 connections, 29819 v2 connections, 46331 v3 connections, and 683484 v4 connections.
> 
> Next time during the weirdness:
> Dec 20 22:00:08.000 [notice] Heartbeat: Tor's uptime is 5 days 5:59 hours, with 233634 circuits open. I've sent 3908.13 GB and received 3832.44 GB.
> Dec 20 22:00:08.000 [notice] Circuit handshake stats since last time: 564576/564576 TAP, 18285622/18285622 NTor.
> Dec 20 22:00:08.000 [notice] Since startup, we have initiated 0 v1 connections, 0 v2 connections, 1 v3 connections, and 107666 v4 connections; and received 2309 v1 connections, 31585 v2 connections, 49188 v3 connections, and 711324 v4 connections.
> 
> Note that the number of circuits have gone up from a relatively normal number, 36191, to a massive 233634. Definitely not normal.  And this is with my connection limits in place in the iptables.
> 
> The tor process now uses about twice as much CPU as normally.
> 
> I think the attacker has found a new way "in".

Incoming connection limits aren't entirely effective against this attack,
and never were. We're working on other mitigations.

T

--
Tim / teor

PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
------------------------------------------------------------------------

Attachment: signature.asc
Description: Message signed with OpenPGP

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays