Re: [tor-relays] Exit relay operators: a call for packets on port 8118
On Mon, 22 Jul 2013, Zack Weinberg wrote:
> The CMU Tor exit is seeing about 66 packets/second worth of this
> (10000 packets, 1151 unique IPs in 149.5 seconds). I don't have time
> to dig any deeper right now, but on the theory that it's a botnet
> doing click fraud, I'll pass this along to our cybercrime people.

If this clickfraud bot consumes a thread per connection, it may be possible
to overwhelm its available resources by taking as long as possible to answer
its requests, known as a tarpit or teergrube.

The kernel-based tarpit I wrote years ago (ipt_TARPIT) would only hold these
for a few minutes, so I experimented with getting NginX to reply as slowly
as possible using its rate-limiting, and was able to capture and hold open
105,000 connections to port 8118 from 1500 different IPs. However, NginX
has a lower bound of one byte per second out of the box, which with TCP
packet overhead consumed more bandwidth than I was willing to offer.

I then wrote a simple Go-based HTTP tarpit, which seems to also be effective
at capturing a bunch of connections; I'm back up to 22,000 and very
slowly rising.

If anyone else feels like playing with this, feel free to grab
http://www.die.net/tools/http-tarpit/http-tarpit.go and install a Go
compiler from http://golang.org/doc/install. Build with "go build
http-tarpit.go" and then run "./http-tarpit" as a non-root user.

Be careful if you are tight on RAM; it seems to eat a few hundred megs per
10,000 concurrent connections. I haven't tried to optimize this at all.

-- Aaron
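
An added example, not from the original post and not the http-tarpit.go it links to: a Go tarpit that drips an unfinished HTTP response one byte per interval, slower than the one-byte-per-second floor mentioned above, and caps held connections so memory stays bounded. The `Tarpit` type, its fields, the 10-second interval and the 20000-connection limit are assumptions made for illustration.

```go
package main

import (
	"net"
	"time"
)

// Tarpit holds connections open by dripping one response byte per Interval.
type Tarpit struct {
	Interval time.Duration // pause between single-byte writes
	Slots    chan struct{} // buffered; its capacity caps held connections and RAM
}

func (t *Tarpit) Held() int { return len(t.Slots) } // connections held right now
// Hold drips bytes to c until the peer gives up; at capacity it drops c at once.
func (t *Tarpit) Hold(c net.Conn) (sent int, admitted bool) {
	defer c.Close()
	select {
	case t.Slots <- struct{}{}:
		defer func() { <-t.Slots }()
	default:
		return 0, false
	}
	const head = "HTTP/1.1 200 OK\r\nX-Pad: a" // a header that never finishes
	for b := []byte{0}; ; sent++ {
		if sent < len(head) {
			b[0] = head[sent] // past the end, the final byte repeats
		}
		c.SetWriteDeadline(time.Now().Add(time.Minute)) // drop stalled peers
		if _, err := c.Write(b); err != nil {
			return sent, true
		}
		time.Sleep(t.Interval)
	}
}

func main() {
	// Port 8118 is from the thread; interval and limit are constructed values.
	t := &Tarpit{Interval: 10 * time.Second, Slots: make(chan struct{}, 20000)}
	ln, err := net.Listen("tcp", ":8118")
	if err != nil {
		panic(err)
	}
	for {
		if c, err := ln.Accept(); err == nil {
			go t.Hold(c)
		}
	}
}
```

Each one-byte write still costs a full TCP/IP packet, so the interval sets the bandwidth spent per held connection.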