
[tor-relays] Relay DDoS attack?

Hi!

I've been running a Tor non-exit node at my business for a few months now. So far it's been great! Except yesterday, when I noticed my internet was at a crawl. I traced the problem back to a large number of inbound connections that completely overwhelmed my little router (4096 connections, the configured limit). All the connections were being made to my tor relay from outside IPs. The tor log file was filling with this:

Oct 13 14:21:29.000 [warn] assign_to_cpuworker failed. Ignoring.
Oct 13 14:21:29.000 [warn] assign_to_cpuworker failed. Ignoring.
Oct 13 14:21:30.000 [warn] Your computer is too slow to handle this many circuit creation requests! Please consider using the MaxAdvertisedBandwidth config option or choosing a more restricted exit policy. [1779 similar message(s) suppressed in last 60 seconds]

I shut down the relay, then eventually disconnected my internal network from the router hoping the traffic would slow. It continued for maybe another 2-3 hours until I finally unplugged the router and left for the weekend.

I was able to capture some of the traffic and found most of it originated from other tor (non-exit) relay nodes. In a 5 minute sample there were some 170,000 SYN packets sent by some 4000+ unique IPs. I used a script to check the collected IPs against the list of known tor nodes and they're almost all tor (non-exit) relays.

Hopefully it auto-fixes itself when I'm back at work Monday morning. But mostly I'm curious to know what's going on. Anybody encounter a situation like this?

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
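As an added example (not from the original post or from the Tor project), this is the kind of triage script the sample-and-check step above describes: it parses tcpdump-style output for inbound SYN-only packets aimed at the relay's ORPort, counts them per source IP, and checks the sources against a list of known relay addresses. The capture lines, the relay list and ORPort 9001 are constructed assumptions; in practice you would feed it `tcpdump -nn -r sample.pcap 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'` and the ORPort addresses from a cached consensus.

```python
import re
from collections import Counter

# Constructed tcpdump-style lines (not from the original post). Only the
# "Flags [S]" lines are pure SYNs; "[S.]" is our own SYN-ACK going back out.
SAMPLE_CAPTURE = """\
14:21:29.101 IP 198.51.100.7.41022 > 203.0.113.5.9001: Flags [S], seq 1, win 64240, length 0
14:21:29.102 IP 198.51.100.7.41023 > 203.0.113.5.9001: Flags [S], seq 2, win 64240, length 0
14:21:29.103 IP 192.0.2.33.55001 > 203.0.113.5.9001: Flags [S], seq 3, win 64240, length 0
14:21:29.104 IP 203.0.113.5.9001 > 198.51.100.7.41022: Flags [S.], seq 9, ack 2, win 65535, length 0
14:21:29.105 IP 198.51.100.9.40001 > 203.0.113.5.9001: Flags [S], seq 4, win 64240, length 0
14:21:29.106 IP 192.0.2.33.55002 > 203.0.113.5.443: Flags [S], seq 5, win 64240, length 0
14:21:29.107 IP 198.51.100.7.41024 > 203.0.113.5.9001: Flags [P.], seq 1:10, ack 1, win 64240, length 9
"""

# Constructed stand-in for the relay address list (the real one, extracted
# from a consensus document, has thousands of entries).
KNOWN_RELAYS = {"198.51.100.7", "198.51.100.9"}

# Matches "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [S]," and nothing else.
SYN_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\],"
)


def count_syns(capture: str, relay_port: int) -> Counter:
    """Count SYN-only packets per source IP that target relay_port."""
    counts: Counter = Counter()
    for line in capture.splitlines():
        m = SYN_RE.match(line)
        if m and int(m.group(3)) == relay_port:
            counts[m.group(1)] += 1
    return counts


def classify_sources(counts: Counter, known_relays: set):
    """Split the observed source IPs into (relay_sources, other_sources)."""
    relays = {ip for ip in counts if ip in known_relays}
    return relays, set(counts) - relays


def summarize(capture: str, relay_port: int, known_relays: set) -> dict:
    """Totals a relay operator would want: packets, unique sources, relay share."""
    counts = count_syns(capture, relay_port)
    relays, _others = classify_sources(counts, known_relays)
    total = sum(counts.values())
    return {
        "syn_packets": total,
        "unique_sources": len(counts),
        "relay_sources": len(relays),
        "relay_syn_share": sum(counts[ip] for ip in relays) / max(1, total),
    }
```

A high relay share with thousands of distinct sources, each opening only a handful of connections, is what distinguishes the pattern described above from a single-source flood, which a per-IP connection limit on the router would already have stopped.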