[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-relays] CPU saturation attack/abuse

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-relays] CPU saturation attack/abuse
From: Dhalgren Tor <dhalgren.tor@xxxxxxxxx>
Date: Sun, 4 Mar 2018 18:41:49 +0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 04 Mar 2018 13:42:05 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=Cq2VrxQ64MvS5pYRC7QzqTXYvKMNpsTF0XuoRUMDBow=; b=BqtebJfwhCeauEMymWu8J1lGFJnH3bFnvLVhHva3ZQiyrUV6xfXOxouRgqr3bYQ/ZL yRZhy95/vy3p/yMgXXNipCOkYWJFbprg4BOD4neOuYt6N6y7UPl+GKJ3WMAv+QqJ6c6X q7Jn+axmi56Zhi6VEkj4w8vJ/NsQl9l04M0ZjzByNfs407vNupPq9qRElCLImoufP5iB 9Jj0Z2IxuPtOfpETAgoX7/mBdCD6ik9rgVCbZJSA5URSxlPgXLAxA8HYLzwIE6jGoKTa e+ljQf9Kho44odIKLkFxSVxJGYtJOLssiauA3sStdsg393F7T5Aa66f6kUWlopw0ghGq LIlA==
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

Upgraded exit to 0.3.3.3 and now seeing a curious CPU saturation
attack.  Whatever the cause, result is the main event-worker thread
going from a normal load level of about 30%/core to 100%/core and
staying there for about 30 seconds; then CPU consumption declines back
to 30%.  Gradual change on ascent and decent.  Another characteristic
is egress traffic slightly higher than ingress traffic, perhaps 3-4%,
where normally egress and ingress flows match precisly.  Checked
browsing via the node and performance seems fine--no obvious
degradation.  Elevated NTor circuit creation rates as-of the last
heartbeat, from roughly 300k to 700k per-report, but not extreme (at
least in a relative sense since late December).

Anyone else observed this?  Have any idea how the attack works?

Captured a debug-level log of a cycle from normal load to
full-on-attack but won't have time to analyzed it for a couple of
weeks.
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] CPU saturation attack/abuse
  - From: Toralf Förster

Prev by Author: [tor-relays] running relay excluded from votes
Next by Author: Re: [tor-relays] CPU saturation attack/abuse
Previous by thread: Re: [tor-relays] One pubblic IP, two or more relay on different ports
Next by thread: Re: [tor-relays] CPU saturation attack/abuse
Index(es):
- Author
- Thread