Re: [tor-relays] Pretty sure our exit was being synflooded

Subject: Re: [tor-relays] Pretty sure our exit was being synflooded

Date: Mon, 27 Nov 2017 08:17:53 +1100

Delivery-date: Sun, 26 Nov 2017 16:18:15 -0500

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:content-transfer-encoding:mime-version:date:subject:message-id :references:in-reply-to:to; bh=GGoPij59400mhJbqpEu69Q85NsFT5tyELzgJc9Wlw90=; b=gvW/K55wlW6mYuALidDk9Yw2BemHyUAt8GGRiKfpqTTSB2VDJhNq1Ev/16pVWHlDdR 2BcPz6cZ3PxlNtjJ0Z7f7EDWY5DbFTppHF+CV8de0dsCy8fsBa9G7zrI/5VU74T2fRWC /6Y45B1Gx5s3pZlCMhD4spwJHgwLQGaL6KilZD13bafmBQd1C/0k+a7j/2/7HAAt3t32 u9Oj7RW2bzXEl45k/islF5Uh9xsSd0r3BvGkPTXvFvbcxWdOO2uWMqowLTLvhy3RCb04 CunpEOJUJggMXwVyHmgoKypxz5y2HxRzeESmm6eNBOblMinPlvf8BeAo7UWsF7RH3HiX 2J+A==

In-reply-to: <5a1af2fb.77ad.7a969700.3722c8e1@t-3.net>

List-archive: <http://lists.torproject.org/pipermail/tor-relays/>

List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>

List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>

List-post: <mailto:tor-relays@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>

References: <5a1af2fb.77ad.7a969700.3722c8e1@t-3.net>

Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

On 27 Nov 2017, at 03:59, tor@xxxxxxx wrote:

I spoke too soon, it seems - the exit is struggling again, with some time spent destroyed today.

As I look at what it's doing, it's clear that someone is relaying SYN packets

It's not possible for Tor clients to relay SYN packets: a RELAY_BEGIN

cell from a Tor client asks an exit to attempt to open a TCP connection

from that exit to a remote destination. If the TCP connection fails, a

response is sent back to the client.

to random ports and also random destination addresses that aren't even alive. The destination hosts and ports continually vary - it never hits multiple destinations on 1 port, and it does not hit multiple ports on 1 host. I presume it is an attack that is intended to degrade this relay's service quality, or otherwise more broadly, degrade Tor.

Have you tried adjusting your kernel parameters to recycle

local ports more quickly?

Do you have a separate IP address you can use for exit

connections, using OutboundBindAddressExit?

I'm going to reject a few more trojan listen ports, it might help but it isn't a real fix.

Have you tried one of the reduced exit policies?

https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy

If you have, I suggest you reduce your exit policy down to a few

high-traffic ports. 80 and 443 are essential to support web

browsing. Other ports are nice, and you can experiment with

restoring them over time.

My thought btw was for Tor to rate-limit syn scanning activity between the client and the first onion router, with the function taking place in that first-hop router, not at the exit.

This isn't how Tor works: clients send RELAY_BEGIN cells to open

streams at exits, and these cells are encrypted at the guard.

Exits could rate-limit the number of streams per circuit (or the

number of stream requests), but this would only help if the

client is using the same circuit for its streams. And Guards

could rate-limit circuits. But this would be a long-term fix,

requiring code changes.

(Exits can't rate-limit per client, because Tor's design makes sure

Exits can't identify clients.)

_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays