
[tor-relays] Fwd: Handshake flood now on NTor



A correction to my posting below. With reference to what GLOBE says about my relay, I meant to say "mean written bytes" (mean bandwidth?) is 1.84 kB/s while "mean read bytes" is 1.62 kB/s.

Q
---------- Forwarded message ----------
From: Tor Stuff <tor.geheimschreiber@xxxxxxxxx>
Date: Mon, Sep 8, 2014 at 1:48 PM
Subject: Re: [tor-relays] Handshake flood now on NTor
To: tor-relays@xxxxxxxxxxxxxxxxxxxx


I have a related question. I have recently built my first Tor relay (ORPort 443, DirPort 80, NOT Exit) with both the bandwidth and burst limits set to 100KB/s.

It has been running for less than 3 days. During that time I have been monitoring it with 'arm' and on GLOBE and notice a number of things that I cannot reconcile:

1. The 'arm' download total ALWAYS exceeds the upload total. As a percentage of the upload total the difference is 5%-6%. There are NO unsuccessful handshakes recorded.

2. The bandwidth graph provided by 'arm' is headed: "Bandwidth (limit: 800 Kb/s, burst 800 Kb/s, measured: 152.0 b/s):". It is the "measured: 152.0 b/s" that has me scratching my head! What does that value represent? Note that 'arm' tells me that average bandwidth usage (up and down) is well over 10 Kb/s with instantaneous usage of more than 50 Kb/s at times.

3. Possibly related to 2) above, I ALWAYS seem to have more inbound connections than outbound connections.

BUT in contradiction to the above, GLOBE says that for the 3-day period monitored, "written bytes" (bandwidth?) is 1.84 kB/s while "read bytes" is 1.62 kB/s. That is, upload bandwidth is greater than download bandwidth. That seems to me more reasonable than what 'arm' is saying as my relay is willing to upload directory info.

Q

On Mon, Sep 8, 2014 at 6:58 AM, Joel Cretan <jcretan@xxxxxxxxx> wrote:
I observed something similar today. It was basically as you described for the previous cases you observed, where there was a storm of about 10 times more TAP handshakes than usual. My middle relay is pretty small, limited to 1.1Mbit/s, and until this point it wasn't even saturating that. Then this storm came in and saturated it for less than half a day, and then it stopped. My consensus weight went up during this time, so there is a higher level of residual traffic now than before it started, but the extreme event seems to be done. It's strange to me that during the storm, the downstream traffic was much greater than the upstream. Any idea what could have been going on during that time? Why would my relay be receiving a bunch of data that it didn't pass on? The discrepancy seems to be too high for it to be downloading directory information.

The fingerprint is 7552CA84FB125059DC2959A6BE01A6A8107B3523 and here are the log entries from before, during and after:

Sep 06 13:40:04.000 [notice] Heartbeat: Tor's uptime is 11 days 18:00 hours, with 34 circuits open. I've sent 3.52 GB and received 3.52 GB.
Sep 06 13:40:04.000 [notice] Average packaged cell fullness: 96.735%
Sep 06 13:40:04.000 [notice] TLS write overhead: 6%
Sep 06 13:40:04.000 [notice] Circuit handshake stats since last time: 1948/1949 TAP, 645/645 NTor.

Sep 06 19:40:04.000 [notice] Heartbeat: Tor's uptime is 12 days 0:00 hours, with 878 circuits open. I've sent 3.64 GB and received 3.65 GB.
Sep 06 19:40:04.000 [notice] Average packaged cell fullness: 95.657%
Sep 06 19:40:04.000 [notice] TLS write overhead: 7%
Sep 06 19:40:04.000 [notice] Circuit handshake stats since last time: 16759/16957 TAP, 540/540 NTor.

Sep 07 00:12:04.000 [notice] New control connection opened.
Sep 07 00:25:03.000 [notice] New control connection opened.
Sep 07 00:31:42.000 [notice] New control connection opened.
Sep 07 01:14:06.000 [notice] New control connection opened.
Sep 07 01:40:04.000 [notice] Heartbeat: Tor's uptime is 12 days 6:00 hours, with 161 circuits open. I've sent 4.03 GB and received 4.51 GB.
Sep 07 01:40:04.000 [notice] Average packaged cell fullness: 93.753%
Sep 07 01:40:04.000 [notice] TLS write overhead: 7%
Sep 07 01:40:04.000 [notice] Circuit handshake stats since last time: 36498/611731 TAP, 832/867 NTor.

Sep 07 07:40:04.000 [notice] Heartbeat: Tor's uptime is 12 days 12:00 hours, with 24 circuits open. I've sent 4.44 GB and received 6.22 GB.
Sep 07 07:40:04.000 [notice] Average packaged cell fullness: 93.604%
Sep 07 07:40:04.000 [notice] TLS write overhead: 8%
Sep 07 07:40:04.000 [notice] Circuit handshake stats since last time: 27191/1548070 TAP, 1261/1353 NTor.

Sep 07 13:34:25.000 [notice] New control connection opened.
Sep 07 13:40:04.000 [notice] Heartbeat: Tor's uptime is 12 days 18:00 hours, with 19 circuits open. I've sent 4.61 GB and received 6.38 GB.
Sep 07 13:40:04.000 [notice] Average packaged cell fullness: 93.745%
Sep 07 13:40:04.000 [notice] TLS write overhead: 8%
Sep 07 13:40:04.000 [notice] Circuit handshake stats since last time: 1803/1803 TAP, 385/385 NTor.




On Tue, Sep 2, 2014 at 11:28 AM, Jobiwan Kenobi <helpme.jobiwan@xxxxxxxxx> wrote:
Hi,

For about 15 hours straight, my relay was being hammered by
connections/handshakes.

I see lots of these:

Sep 02 01:03:02.000 [warn] Your computer is too slow to handle this many circuit creation requests! Please consider using the MaxAdvertisedBandwidth config option or choosing a more restricted exit policy. [70638 similar message(s) suppressed in last 60 seconds]

Numbers vary between 30000 and 80000 per 60 seconds.

Also the occasional clock jump message and other performance related
messages, and of course, _lots_ of unsuccessful handshakes:

Sep 01 22:31:26.000 [notice] Circuit handshake stats since last time: 5038/5038 TAP, 17771/17773 NTor.
Sep 02 04:31:26.000 [notice] Circuit handshake stats since last time: 3100/3484 TAP, 465565/5417818 NTor.
Sep 02 10:31:26.000 [notice] Circuit handshake stats since last time: 3139/4249 TAP, 679872/8244698 NTor.
Sep 02 16:31:26.000 [notice] Circuit handshake stats since last time: 3884/5294 TAP, 502835/10443735 NTor.

It is a low spec machine.

I've been through episodes like this before, but this time it's
different:

- They are NTor handshakes, where before they would be TAP
 handshakes.
- The amount of up and down traffic is pretty balanced, where before
 I would get much more down than up during these floods.
- In case it matters: I am now running 0.2.4.23, before I was on
 0.2.4.18-RC


It stopped about 4 hours ago. Running normal now.

-Job

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
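
An added example, not part of the original thread: a small Python parser for the "Circuit handshake stats since last time" heartbeat lines quoted above, flagging the intervals that stand out. It reads the first number of each pair as handshakes completed and the second as handshakes requested, as the posters do; the function names and both thresholds are assumptions made for this example.

```python
import re
from statistics import median

# Heartbeat lines copied from the thread above (the middle relay's log).
SAMPLE_LOG = """\
Sep 06 13:40:04.000 [notice] Circuit handshake stats since last time: 1948/1949 TAP, 645/645 NTor.
Sep 06 19:40:04.000 [notice] Circuit handshake stats since last time: 16759/16957 TAP, 540/540 NTor.
Sep 07 01:40:04.000 [notice] Circuit handshake stats since last time: 36498/611731 TAP, 832/867 NTor.
Sep 07 07:40:04.000 [notice] Circuit handshake stats since last time: 27191/1548070 TAP, 1261/1353 NTor.
Sep 07 13:40:04.000 [notice] Circuit handshake stats since last time: 1803/1803 TAP, 385/385 NTor.
"""

STATS_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:.]+) \[notice\] Circuit handshake stats "
    r"since last time: (\d+)/(\d+) TAP, (\d+)/(\d+) NTor\.$"
)

def parse_stats(log_text):
    """Return [(timestamp, {'TAP': (done, requested), 'NTor': (...)})]."""
    rows = []
    for line in log_text.splitlines():
        m = STATS_RE.match(line.strip())
        if not m:
            continue  # skip heartbeat lines that carry no handshake stats
        ts, *nums = m.groups()
        tap_ok, tap_req, ntor_ok, ntor_req = map(int, nums)
        rows.append((ts, {"TAP": (tap_ok, tap_req), "NTor": (ntor_ok, ntor_req)}))
    return rows

def flag_floods(rows, min_ratio=0.9, volume_factor=10):
    """Return (timestamp, kind, ratio) for intervals that look like a flood.
    Both thresholds are assumptions for this example, not Tor settings."""
    findings = []
    for kind in ("TAP", "NTor") if rows else ():  # nothing to do on empty input
        # Median request count per interval stands in for "usual" load.
        baseline = median(stats[kind][1] for _, stats in rows)
        for ts, stats in rows:
            done, requested = stats[kind]
            if requested == 0:
                continue
            ratio = done / requested
            # Flag a low completion ratio or a request count far above usual.
            if ratio < min_ratio or requested > volume_factor * baseline:
                findings.append((ts, kind, round(ratio, 3)))
    return findings

if __name__ == "__main__":
    for ts, kind, ratio in flag_floods(parse_stats(SAMPLE_LOG)):
        print(f"{ts} {kind}: {ratio:.1%} of requested handshakes completed")
```

When most of the intervals in a log fall inside the flood, as in the four NTor lines from the low-spec relay, the median baseline is itself inflated and only the completion-ratio check fires.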

