I've noticed a new kind of possible attack on some of my relays, as
early as Dec.23 which causes huge spikes of outbound traffic that
eventually maxes out RAM and crashes Tor. The newest one today lasted
for 5 hours switching between two of the three relays on the same IP.
During the attack, Tor becomes so busy processing the traffic that it
becomes unresponsive to new connections for minutes at a time and
effectively becomes a zombie exclusively processing the attacker's
traffic until it eventually crashes and restarts. The interesting part
is that when Tor restarts, it doesn't start from scratch building new
circuits but it starts right from where it left out and keeps processing
the previous connections.
I have tried shutting down Tor for over 5 minutes and within one minute
of restart, The RAM maxes out and the outbound traffic reaches the
This has been happening, not to all relays but to a select group of
relays at a time and unless you're monitoring your Tor port from
outside, you may not notice it's unresponsive. Another way to see if
it's happening to you too is to check your monthly history on the
metrics page and look for spikes of written bytes or sudden decrease of
read bytes where you see a big gap between the two.
I have included charts and excerpts from the log in my post in Tor forum
at below link: