Re: [tor-relays] We need to talk about the latest DDoS affecting the Tor network

Subject: Re: [tor-relays] We need to talk about the latest DDoS affecting the Tor network

From: carlos1001 <tor-relay-admin@xxxxxxxxxxxxxx>

Date: Sat, 25 May 2024 01:20:38 -0700

Delivery-date: Sat, 25 May 2024 09:52:57 -0400

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=carlos1001.com; s=20220510; t=1716625240; bh=N74ftKFyJh2nDuyUMFb/ryE3yIaJZLNyKsxPfk1M1Eo=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=XvxtZ5nfu6MZaHkO95HUX9skxdJg+7NWtbB6nqU6FqvEpkS4fUmQuJ9zgEipjpdWj bOHkwfW6wxd5usRfYfHODSvGidE8cMVw3HOE3WH5nrzrtIti6uUPEDft55Usv/Uok5 nvK1QRJUfduKWTysXf32ix1zrnGErqyLDFmpPLrbefDyC5O4fCnnWl3p6PDUG1rFb+ XV8ondMWbcV8u5C1Se2NDLnn4lCBkolsETerfJ51aLnZU9fGpQkT6/7TKzxyBwN4WJ GFNlDbHDAgy6V3nr4KsvqWa6VJwYV2nqYsAxNwBtpNlJA+QOC5IurzLr3wMogXusgs n57LKcYKl86vQ==

In-reply-to: <hzinZjPXHQPmKU7zKdD36FPfEhiue_YOIlbOb-1KEYGZBvRAmLsX7Oedak52VVn7q1yPVEO8-tYrWKP5505Q9ijvQWnpAjp4RwvgvBM1KzU=@proton.me>

List-archive: <http://lists.torproject.org/pipermail/tor-relays/>

List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>

List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>

List-post: <mailto:tor-relays@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>

References: <hzinZjPXHQPmKU7zKdD36FPfEhiue_YOIlbOb-1KEYGZBvRAmLsX7Oedak52VVn7q1yPVEO8-tYrWKP5505Q9ijvQWnpAjp4RwvgvBM1KzU=@proton.me>

Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

User-agent: Mozilla Thunderbird

Hi, yes, I think there is a form of DDoS happening, but I'm not sure. For example, sampling one of my relays shows ~150 ips that are not relays with over 14 connections currently. I don't think that amount of connections from a single IP makes a lot of sense.

I will say, however, I'm not getting overloaded as bad compared to last year/late 2022, or I don't think I am at least. Banning IPs that appear to be spamming `connect()` helps a bit. Also banning malformed tcp segments also helps a bit (think impossible combinations of TCP flags for example).

On 5/16/2024 2:39 PM, koizoi via tor-relays wrote:

For several weeks now, users have been complaining (see https://www.reddit.com/r/TOR/comments/1cnmsdz/tor_extremely_slow_lately/, https://forum.torproject.org/t/is-there-currently-a-major-ddos-affecting-the-networks-availability/12492, etc) about degraded performance (slow speeds, timeouts) when using Tor, both to access v3 onion sites and clearnet websites. In my personal experience, most v3 onion services are responding so slowly that they're completely unusable.

it turns out that's it not just people's imaginations, looking at charts on metrics.torproject.org, it can be seen that the time to complete a 5MiB request over Tor has increased substantially (https://ibb.co/tp1CHdh). All of this is very reminiscent of the large scale DDoS that affected Tor relay nodes in 2022-2023.

Tor relay operators have reported "attacks" on their relays, but there haven't been many details about what kind of attacks are taking place, other than some people saying that they have been TCP SYN flooded. But (to me, anyway) SYN flooding doesn't really make a lot of sense as there are so many Tor relay nodes that would need to be attacked, (and misconfigured to allow a SYN flood attack to work), and even if it were a SYN flood, that would cause different behavior than what users have been seeing (preventing connections to the Tor network rather than slowing them down).

I understand that DDoS attacks on the Tor network might be kind of a touchy subject, but it would be good if we could get some information from the project leadership as to what's going on, what is being done about it, and what Tor relay operators can do to help prevent attacks like these from happening.

Thanks

Sent with Proton Mail secure email.

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays