Re: [tor-relays] Recent wave of abuse on Tor guards

Subject: Re: [tor-relays] Recent wave of abuse on Tor guards

From: "Stijn Jonker" <sjcjonker@xxxxxx>

Date: Fri, 22 Dec 2017 17:37:50 +0100

Delivery-date: Fri, 22 Dec 2017 11:38:21 -0500

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sjc.nl; h= content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc; s=fm2; bh=b9r6aj0r98k+FTD2a25LQqt0wzwFn aWgTXWqNi0j4I0=; b=i0LzXP0O1MSpwAHaFDbaJ88gfvUL6w9PXvma8ElG2sbMQ 29r/WvpGsTOv3ooaD8rgnGdsMQacUG6SEeABVUJwy9SspMuhi/PJNGIdhbmfAOYL xBBFedHU1ux0rK+HzNBt+R8fk2JaT6qFbI6C50sEdYSsWHLiPYTaLxSHgSV9docP ZQkHrE3Xv+ilUbk1cuGcSzFLcFtbsgI5RlYAwJZff4pYDwfhuOmW/st5ThgUy51Y itr/DtjaOXKk0HU0OEOfvJs8iChI7ZSyzGDQgFsiwTZc0pr6pL6do6NxEiWpKNYv ZXZxBU1h2omR4ceEfSJJrGIzJxGy9X5lUhbxA2qHQ==

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=b9r6aj 0r98k+FTD2a25LQqt0wzwFnaWgTXWqNi0j4I0=; b=XKHf2CsqkZ5unNSf9ID/tu cmje5juRjLomcBY09tjpPpwYPMwUvCr5SMUvRenus/b0va+jFWCDWdvvcA6nwt34 b7n1GDLPICE/b44/hwQ+nEPVhYqkUbjTyxkgZzGPzS6/PpUW2p3lSEbiZ5BTyK8B 99hFC64aPHmvAfu12G10mjvYlOsekXAKpqJLRAUBRBL1jf77doFm2w1G/zPEdHLG SCG045w/cbScoyx88PrtlaEmng4g3GXbipASK0/hIcKonT57+t3okL8CGhr34nzf JlBl3Onph4shLiuhn7aNFrOwAps3GOujjavgXmI+HQcLxr2Bnms6/T3YDdRDl71Q ==

In-reply-to: <CA+CX+bj0o286iNDrPnjNhCB=furvY5GgU12Xvj=52U20jXJOig@mail.gmail.com>

List-archive: <http://lists.torproject.org/pipermail/tor-relays/>

List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>

List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>

List-post: <mailto:tor-relays@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>

References: <8f01df569672b279b6951fe63992744e@wardsback.org> <20171221194246.5c635ec2.mbm@rlogin.net> <5A3C2393.5090005@quantentunnel.de> <20171221230855.GD5371@moria.seul.org> <CB75BF06-8B6F-401A-811C-25A4C3195624@gmail.com> <8A10419F-342B-49AF-A36C-D73641D800CC@to-surf-and-protect.net> <5A3CB752.8060900@quantentunnel.de> <A5F090B0-5685-40BE-B490-A631B7AF63AE@to-surf-and-protect.net> <CAP=GaWq1VknMxXULTP+ebJKo9yQqQ7JqSrZo9W-rFfcEhnm0xQ@mail.gmail.com> <EFB1DEF6-8843-43FB-ABF1-EDDDCBCF2F05@to-surf-and-protect.net> <CAP=GaWqeQ_eW5hqLOoa=ga1v0EG1MuY1xCZTWT6mECA00spj6w@mail.gmail.com> <CA+CX+bj0o286iNDrPnjNhCB=furvY5GgU12Xvj=52U20jXJOig@mail.gmail.com>

Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

All,

Just adding 0.02c; from the hosts going above 24 connections (my FW limit), the ASN's involved seem to focus on:
5 LEASEWEB-USA-WDC-01 - Leaseweb USA, Inc., US
18 OVH, FR
25 LEASEWEB-NL-AMS-01 Netherlands, NL

That's 48 from the 72 IP's exhibiting this behaviour. Whereby the leaseweb ones are consecutive IP's.

Careful not to share IP's here :-)

All seen from the perspective of SJC01 / 328E54981C6DDD7D89B89E418724A4A7881E3192

Stijn

On 22 Dec 2017, at 16:49, Pascal Terjan wrote:

I got also 17 from ovh (under ip-54-36-51.eu) and plenty of
leaseweb.com (didn't count) too but no your-server.de

The OVH ones were interestingly 2 (nearby) consecutive blocks of 4 and
13 IPs (and are not relays)

On 22 December 2017 at 15:23, Tyler Johnson <tylrcjhnsn@xxxxxxxxx> wrote:

Every IP I was checking through Atlas which are part of the mentioned hosts
were NOT relays, all client connections.

On Dec 22, 2017 9:20 AM, "niftybunny" <abuse@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

Thats “only” “relays” with multiple connections to your relay?
Interesting to see Hetzner there …

Markus

On 22. Dec 2017, at 16:14, Tyler Johnson <tylrcjhnsn@xxxxxxxxx> wrote:

Out off 133 IPs blocked with my rather aggressive firewall ruleset:

leaseweb.com - 26
your-server.de - 66
ip-54-36-51.eu - 17

That was in < 24hrs.

On Dec 22, 2017 3:38 AM, "niftybunny" <abuse@xxxxxxxxxxxxxxxxxxxxxxx>
wrote:

Short answer:

https://i.imgur.com/8QLptcz.png

Around 15000 - 18000 connections I can see with netstat. Even my 300 mbit
exit has less and there a a lot of Leaseweb clients connecting to me ...
The interesting thing is, it comes and goes in waves. From 6000 (normal)
to 20000 connections within an hour.
Someone doesn't like me very much :(

Markus

On 22. Dec 2017, at 08:42, Felix <zwiebel@xxxxxxxxxxxxxxxx> wrote:

Am 22-Dec-17 um 08:25 schrieb niftybunny:

Still under heavy attack even with the MaxMemInQueues and 0.3.2.8-rc. I
need 2 xeons to push 30 mbit as a guard/middle …

Do you want to share some information:

Type i)
(memory exhaustion by too many circuits)
What is the memory(top) per tor and its MaxMemInQueues ?
How many circuits per hour in log ?

Type ii)
(cpu exhaustion by too many 'half open' tor connections)
Is your number of open files normal (fw in place) and moderate
connection counts per remote IP ?

Type iii)
(One fills your server with too many long fat pipes, first ACK and RTT)
If on Freebsd, is "mbuf clusters in use" (netstat -m) moderate ?
Do you get "kern.ipc.nmbclusters limit reached" in messages ?

--
Cheers, Felix

_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays