Is there currently a major DDoS affecting the network's availability?

I’ve used Tor and Tor Browser on a regular everyday basis for the last few years, and I know there is always natural fluctuating variance in the network’s performance at different times. But for the past several days or so, 90% of page-load attempts time out, and the 10% that succeed take the better part of a minute to finish, contrasted with fewer than ten seconds under normal circumstances.

Nothing has changed in my local configuration, and I don’t see anything mentioned at https://status.torproject.org/, but something is definitely noticeably different at present in terms of network availability and/or load.

Is anything specific known about this?

2 Likes

Same here.
Log file has been flooded with this message since yesterday.

[warn] Possible compression bomb; abandoning stream.

2 Likes

I can confirm. The Tor network is working extremely slowly these days. I think it is a kind of massive DDoS attack against Tor relays.

Tor has been working very slowly for two weeks already. Any ideas how to fix it? We need to improve the protection against DDoS attacks on Tor relays.

2 Likes

UPD 05/10/24:

Users are still reporting issues with the Tor network. Tor networking speed has become very slow.

Reddit (r/TOR community):

https://www.reddit.com/r/TOR/comments/1cnmsdz/tor_extremely_slow_lately/

Whonix Forums:

I guess it’s either a bug in Tor or a kind of attack against Tor infrastructure.

1 Like

I’ve been experiencing overload on both my relays, which is not usual. Running 2 relays on 4 cores and 8GB of RAM. RAM is not an issue but CPU load is usually at 60%. These last days it’s been over 80-85%, getting warnings from time to time about my computer not being able to hold that many circuits for long.

Over a span of 20 days uptime:

06:08:12 [NOTICE] Heartbeat: DoS mitigation since startup: 1.078 circuits killed with too many cells, 60.081.539 circuits rejected, 751 marked addresses, 6 marked addresses for max queue, 88 same address concurrent connections rejected, 0 connections rejected, 1.633 single hop clients refused, 479 INTRODUCE2 rejected.

06:08:16 [NOTICE] Heartbeat: DoS mitigation since startup: 1.151 circuits killed with too many cells, 40.438.538 circuits rejected, 727 marked addresses, 1 marked addresses for max queue, 883 same address concurrent connections rejected, 0 connections rejected, 1.244 single hop clients refused, 0 INTRODUCE2 rejected.

I’ve considered further configuring my relays in order to handle a higher capacity, but I’m not sure it’s the right thing with just 4 cores.

2 Likes
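The heartbeat counters quoted in the post above are cumulative since startup and printed with locale thousands separators ("60.081.539"), so comparing them against a baseline or between relays takes a little parsing. The following Python is an added example, not code from the post or from Tor itself; the sample lines are constructed after the quoted ones, and the per-day thresholds are arbitrary assumptions for illustration, not values Tor recommends.

```python
import re

# Constructed sample log lines modelled on the two heartbeat messages quoted in
# the post above (not copied from a real relay); the third is a non-DoS line.
SAMPLE_LINES = [
    "06:08:12 [NOTICE] Heartbeat: DoS mitigation since startup: 1.078 circuits killed "
    "with too many cells, 60.081.539 circuits rejected, 751 marked addresses, 6 marked "
    "addresses for max queue, 88 same address concurrent connections rejected, "
    "0 connections rejected, 1.633 single hop clients refused, 479 INTRODUCE2 rejected.",
    "06:08:16 [NOTICE] Heartbeat: DoS mitigation since startup: 1.151 circuits killed "
    "with too many cells, 40.438.538 circuits rejected, 727 marked addresses, 1 marked "
    "addresses for max queue, 883 same address concurrent connections rejected, "
    "0 connections rejected, 1.244 single hop clients refused, 0 INTRODUCE2 rejected.",
    "06:08:20 [NOTICE] Bootstrapped 100% (done): Done",
]

PREFIX = "Heartbeat: DoS mitigation since startup:"

# Assumed per-day rates above which a counter deserves a closer look. These are
# illustrative numbers chosen for this example, not thresholds from Tor.
ASSUMED_THRESHOLDS = {"circuits rejected": 1_000_000,
                      "single hop clients refused": 50, "INTRODUCE2 rejected": 20}

def parse_number(text):
    # Tor formats the counters with locale thousands separators ("60.081.539").
    return int(re.sub(r"[.,]", "", text))

def parse_dos_heartbeat(line):
    """Return {counter name: value} for a DoS heartbeat line, else None."""
    idx = line.find(PREFIX)
    if idx < 0:
        return None
    body = line[idx + len(PREFIX):].strip().rstrip(".")
    counters = {}
    for item in body.split(", "):
        number, _, name = item.strip().partition(" ")  # "1.078 circuits killed ..."
        counters[name] = parse_number(number)
    return counters

def flag_counters(counters, uptime_days, thresholds=ASSUMED_THRESHOLDS):
    """Counters are cumulative since startup: normalise by uptime, then flag."""
    return sorted(name for name, limit in thresholds.items()
                  if counters.get(name, 0) / uptime_days > limit)

def scan_log(lines, uptime_days):
    # (timestamp, flagged counter names) for every DoS heartbeat line in the log
    parsed = ((line[:8], parse_dos_heartbeat(line)) for line in lines)
    return [(stamp, flag_counters(c, uptime_days)) for stamp, c in parsed if c is not None]
```

Run `scan_log(SAMPLE_LINES, uptime_days=20)` to reproduce the poster's 20-day uptime; the second sample line only trips the circuit-rejection and single-hop thresholds because its INTRODUCE2 counter is zero.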

I just started noticing it in the last 2-3 days. That’s why I came here today actually. I’m only getting 100-200KB/sec most of the time, where I usually get 1-2MB/sec, and a lot of connections are getting dropped prematurely.

Long-term DDoS’s like this have been happening once or twice a year for the past several years now it seems like. Tor Project has been implementing mitigations but attackers keep discovering new weaknesses. It’s a game of cat and mouse, I guess.

2 Likes

A massive DoS attack against Tor relays is confirmed.

1 Like

I’m not a heavy Tor user but have noticed a slowdown lately.

Any idea by whom and for what purpose? A state player or just a trouble maker?
Even some sort of a conspiracy theory idea.

The one which comes to mind is the Sniper Attack:

Is this it?

1 Like

Tor network is still very slow. A DDoS attack is still being performed.

Too difficult to implement. I guess it’s just an ordinary TCP SYN flood attack from outside of Tor. There was an issue here some years ago:

A relay operator discovered many incoming connections to his relay from Hetzner AS. He set up his relay on top of Windows OS though.

I think that Tor relay operators should set up their relays under FreeBSD and set up firewall rules as described here:

Also, they should turn on the SYN cache, which is available on FreeBSD but not on Linux.

https://man.freebsd.org/cgi/man.cgi?query=syncache&sektion=4&manpath=FreeBSD+14.0-RELEASE+and+Ports

2 Likes

Well, it’s 05/16/24 and the Tor network is still under a massive DDoS attack. Users are still reporting issues with Tor slowdown:

https://www.reddit.com/r/onions/comments/1cr0g1t/tor_is_slow_asf_randomly/

I signed up to this forum because I don’t know how to create a bug report in the Tor repository and I also don’t have a GitLab account. It seems like a Tor Project team leader is here. Are we going to do something in order to stop this DDoS attack? Maybe we should initiate another Tor relay operators meetup and ask relay operators to set up firewall rules against DDoS? I would like to receive feedback from Tor Project developers. Thank you.

1 Like

Here you can request an account for the Tor Project’s GitLab: https://gitlab.onionize.space/

Do you run a relay?

1 Like

Onion versions of websites have become completely unusable. They just time out or do not connect at all. It’s weird that the status page doesn’t mention any issues when such a critical part of Tor is broken.

2 Likes

Are you running relays? If so, which ones?

2 Likes

FWIW, the data of this graph is from two days ago, so this network health event might have changed.

However, if the slowness is related to onion services, there is nothing that relay operators can do.

Onion services operators are strongly advised to enable Proof-of-Work: Proof Of Work - The Onion Services Ecosystem and monitor it: Proof Of Work - The Onion Services Ecosystem.

2 Likes

I use Tor to evade my school censorship and currently I can’t access onion sites at all and Google takes like 1m to load (it might be my school network too, or my bridge).

1 Like

Tor worked just perfect yesterday. Today it is a slowdown again but it’s still faster than it was 4-5 days ago.

It’s because a DoS attack is being performed against Tor intermediate relays first of all. It makes Onion v3 services completely unusable and causes a huge slowdown when Tor users are trying to connect to clearnet websites.

4 Likes

You quoted my topic from 2 years ago. The attack stopped since then.
I removed my firewall rules and saw no excessive connections for about 1 year.

But today an abnormal amount of connections appeared again.
Here is the list of addresses which I collected so far (there may be false positives!):


Most likely, the attack reappeared weeks ago, but I wasn’t able to see it since for about 2 months my relay had no Guard flag and only a week ago the Guard flag was obtained again. So I think it may mean that attackers aim mainly at Guards.

3 Likes