Re: [tor-relays] We need to talk about the latest DDoS affecting the Tor network

Hi, yes, I think there is a form of DDoS happening, but I'm not sure. For example, sampling one of my relays shows ~150 IPs that are not relays with over 14 connections currently. I don't think that amount of connections from a single IP makes a lot of sense.

I will say, however, I'm not getting overloaded as badly compared to last year/late 2022, or I don't think I am at least. Banning IPs that appear to be spamming `connect()` helps a bit. Banning malformed TCP segments also helps a bit (think impossible combinations of TCP flags, for example).


On 5/16/2024 2:39 PM, koizoi via tor-relays wrote:

For several weeks now, users have been complaining (see https://www.reddit.com/r/TOR/comments/1cnmsdz/tor_extremely_slow_lately/, Is there currently a major DDOS affecting the network's availability?, etc.) about degraded performance (slow speeds, timeouts) when using Tor, both to access v3 onion sites and clearnet websites. In my personal experience, most v3 onion services are responding so slowly that they're completely unusable.

It turns out that it's not just people's imaginations: looking at charts on metrics.torproject.org, it can be seen that the time to complete a 5MiB request over Tor has increased substantially (https://ibb.co/tp1CHdh). All of this is very reminiscent of the large-scale DDoS that affected Tor relay nodes in 2022-2023.

Tor relay operators have reported "attacks" on their relays, but there haven't been many details about what kind of attacks are taking place, other than some people saying that they have been TCP SYN flooded. But (to me, anyway) SYN flooding doesn't really make a lot of sense, as there are so many Tor relay nodes that would need to be attacked (and misconfigured to allow a SYN flood attack to work), and even if it were a SYN flood, that would cause different behavior than what users have been seeing (preventing connections to the Tor network rather than slowing them down).

I understand that DDoS attacks on the Tor network might be kind of a touchy subject, but it would be good if we could get some information from the project leadership as to what's going on, what is being done about it, and what Tor relay operators can do to help prevent attacks like these from happening.

Thanks

Sent with Proton Mail <https://proton.me/> secure email.
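
The per-IP connection sampling described in the reply at the top of this thread can be reproduced on a relay as follows. This is an added example, not code from either poster or from the Tor Project. It assumes connection lines in the format printed by `ss -Htn` and a relay address list the operator supplies (for instance from their copy of the consensus); all addresses in the sample are constructed documentation addresses.

```python
import ipaddress
from collections import Counter

THRESHOLD = 14  # the reply flags non-relay IPs with "over 14 connections"

def peer_ip(line):
    """Return the peer address of one `ss -Htn` line, or None if unusable."""
    fields = line.split()
    # Assumption: only established connections count as "connections currently".
    if len(fields) < 5 or fields[0] != "ESTAB":
        return None
    host = fields[4].rsplit(":", 1)[0].strip("[]")  # drop port and IPv6 brackets
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    # Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d; fold them together
    # so one client cannot split its count across two spellings.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip

def noisy_non_relays(ss_lines, relay_ips, threshold=THRESHOLD):
    """Map each non-relay peer with more than `threshold` connections to its count."""
    relays = {ipaddress.ip_address(ip) for ip in relay_ips}
    counts = Counter()
    for line in ss_lines:
        ip = peer_ip(line)
        if ip is not None and ip not in relays:
            counts[ip] += 1
    return {str(ip): n for ip, n in counts.items() if n > threshold}

def constructed_sample():
    """Constructed `ss -Htn` lines for a relay with ORPort 9001 (assumed port)."""
    local = "192.0.2.10:9001"
    rows = [f"ESTAB 0 0 {local} 198.51.100.7:{40000 + i}" for i in range(10)]
    rows += [f"ESTAB 0 0 [::ffff:192.0.2.10]:9001 [::ffff:198.51.100.7]:{41000 + i}"
             for i in range(6)]
    rows += [f"ESTAB 0 0 {local} 203.0.113.5:{42000 + i}" for i in range(20)]
    rows += [f"ESTAB 0 0 [2001:db8::10]:9001 [2001:db8::9]:{43000 + i}"
             for i in range(14)]
    rows += ["SYN-RECV 0 0 192.0.2.10:9001 192.0.2.44:50000", "garbage"]
    return rows

if __name__ == "__main__":
    known_relays = {"203.0.113.5"}  # constructed stand-in for the relay list
    for ip, n in noisy_non_relays(constructed_sample(), known_relays).items():
        print(f"{ip}\t{n} connections")
```

On a live relay the input would be the lines of `ss -Htn` instead of `constructed_sample()`.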
