[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Guard node suddenly sending twice what it receives

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] Guard node suddenly sending twice what it receives
From: teor <teor2345@xxxxxxxxx>
Date: Thu, 21 Dec 2017 09:00:08 +1100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 20 Dec 2017 17:00:32 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:mime-version:subject:date:references:to:in-reply-to:message-id; bh=DYKerYSdvYVDPzY+X/r96GGhPFAPSPmRMVV1rSCW8gw=; b=LW123ZihENWztx68hN7E5xXV0xYjgDYkxn54SfAi5eYC+u8uV5pwMquHUoKEi67TUK fLAqml+5hVO3GtXqhGkw36+56dYVlSpXq3/VdItV0KGY/Qz9Cg7gYGkZzthpS89fQ9UC dpkvzLMHV3JPdqdLwb263e2F2oI6tlj3fJM7ZGG2+Zqp0SJyO956X20CEQfxyfHOu8n+ Xn9eiGKMWoSHORRAEYWuj4+Yr9A2BBfHQkv7kF+xZpLKKdIAsz/4MMilOMhAn8mxzWBr 3wVHQCKjKoJXq7tEM2CwEgnf0lH5UUow4DUXPiAv7+HG5udWAk5QU0qZo3QJUISWkTq3 kx6Q==
In-reply-to: <eme77a5de9-b52e-45d1-8142-517f00857eac@mats-win7>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <emf63ee07a-8e88-4b82-9961-d1c2412505ab@mats-win7> <2648C333-A118-4DF2-8259-ADEC7EA59CC3@gmail.com> <eme77a5de9-b52e-45d1-8142-517f00857eac@mats-win7>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

> On 21 Dec 2017, at 08:57, Logforme <m7527@xxxxxx> wrote:
> 
>> Check the logs, but they won't tell you much, and that's deliberate.
>> 
> So I checked the tor log.
> 
> First part is before the "weirdness":
> Dec 20 16:00:08.000 [notice] Heartbeat: Tor's uptime is 4 days 23:59 hours, with 36191 circuits open. I've sent 3686.92 GB and received 3646.75 GB.
> Dec 20 16:00:08.000 [notice] Circuit handshake stats since last time: 160437/160437 TAP, 5003782/5003782 NTor.
> Dec 20 16:00:08.000 [notice] Since startup, we have initiated 0 v1 connections, 0 v2 connections, 1 v3 connections, and 102511 v4 connections; and received 2151 v1 connections, 29819 v2 connections, 46331 v3 connections, and 683484 v4 connections.
> 
> Next time during the weirdness:
> Dec 20 22:00:08.000 [notice] Heartbeat: Tor's uptime is 5 days 5:59 hours, with 233634 circuits open. I've sent 3908.13 GB and received 3832.44 GB.
> Dec 20 22:00:08.000 [notice] Circuit handshake stats since last time: 564576/564576 TAP, 18285622/18285622 NTor.
> Dec 20 22:00:08.000 [notice] Since startup, we have initiated 0 v1 connections, 0 v2 connections, 1 v3 connections, and 107666 v4 connections; and received 2309 v1 connections, 31585 v2 connections, 49188 v3 connections, and 711324 v4 connections.
> 
> Note that the number of circuits have gone up from a relatively normal number, 36191, to a massive 233634. Definitely not normal.  And this is with my connection limits in place in the iptables.
> 
> The tor process now uses about twice as much CPU as normally.
> 
> I think the attacker has found a new way "in".

Incoming connection limits aren't entirely effective against this attack,
and never were. We're working on other mitigations.

T

--
Tim / teor

PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
------------------------------------------------------------------------

Attachment: signature.asc
Description: Message signed with OpenPGP

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

References:
- [tor-relays] Guard node suddenly sending twice what it receives
  - From: Logforme
- Re: [tor-relays] Guard node suddenly sending twice what it receives
  - From: teor
- Re: [tor-relays] Guard node suddenly sending twice what it receives
  - From: Logforme

Prev by Author: Re: [tor-relays] Become a Fallback Directory Mirror
Next by Author: Re: [tor-relays] botnet? abusing/attacking guard nodes
Previous by thread: Re: [tor-relays] Guard node suddenly sending twice what it receives
Next by thread: [tor-relays] Become a Fallback Directory Mirror
Index(es):
- Author
- Thread