[tor-relays] A new kind of attack?

I've noticed a new kind of possible attack on some of my relays, as
early as Dec.23 which causes huge spikes of outbound traffic that
eventually maxes out RAM and crashes Tor. The newest one today lasted
for 5 hours switching between two of the three relays on the same IP.

During the attack, Tor becomes so busy processing the traffic that it
becomes unresponsive to new connections for minutes at a time and
effectively becomes a zombie exclusively processing the attacker's
traffic until it eventually crashes and restarts. The interesting part
is that when Tor restarts, it doesn't start from scratch building new
circuits but it starts right from where it left off and keeps processing
the previous connections.

I have tried shutting down Tor for over 5 minutes and within one minute
of restart, the RAM maxes out and the outbound traffic reaches the
previous heights.

This has been happening, not to all relays but to a select group of
relays at a time and unless you're monitoring your Tor port from
outside, you may not notice it's unresponsive. Another way to see if
it's happening to you too is to check your monthly history on the
metrics page and look for spikes of written bytes or sudden decrease of
read bytes where you see a big gap between the two.

I have included charts and excerpts from the log in my post in Tor forum
at below link:

I'd appreciate your insights and comments.

Thank you.


_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

1 Like
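The check described in the post above (look for a written-bytes spike or a read-bytes drop that opens a gap between the two) can be scripted over a relay's bandwidth history. This is an added example, not part of the original thread; the sample figures, the thresholds and the function name are constructed assumptions.

```python
from statistics import median

# Constructed sample: (day, read bytes/s, written bytes/s) for one relay.
SAMPLES = [
    ("2024-01-08", 5_000_000, 5_100_000),
    ("2024-01-09", 5_200_000, 5_300_000),
    ("2024-01-10", 4_900_000, 5_000_000),
    ("2024-01-11", 5_100_000, 5_200_000),
    ("2024-01-12", 5_000_000, 14_000_000),  # written spike
    ("2024-01-13", 5_300_000, 5_400_000),
    ("2024-01-14", 1_500_000, 5_000_000),   # read drop
    ("2024-01-15", 5_000_000, 5_100_000),
]


def flag_unbalanced(samples, ratio_limit=1.5, spike_factor=2.0):
    """Return (day, written/read ratio, reason) for unbalanced intervals.

    An interval is flagged when written traffic exceeds read traffic by
    more than ratio_limit AND the gap comes from a written-bytes spike or
    a read-bytes drop relative to the relay's own median. Both thresholds
    are assumptions to tune per relay.
    """
    base_read = median(r for _, r, _ in samples)
    base_written = median(w for _, _, w in samples)
    flagged = []
    for day, read, written in samples:
        # A relay that reads nothing but still writes is maximally unbalanced.
        ratio = written / read if read > 0 else float("inf")
        reasons = []
        if written > spike_factor * base_written:
            reasons.append("written spike")
        if read < base_read / spike_factor:
            reasons.append("read drop")
        if ratio > ratio_limit and reasons:
            flagged.append((day, round(ratio, 2), " + ".join(reasons)))
    return flagged


if __name__ == "__main__":
    for day, ratio, reason in flag_unbalanced(SAMPLES):
        print(f"{day}: written/read = {ratio} ({reason})")
```
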

This seems to be related to what we already had in September:

It is always only intermittent and only some of my relays are affected.

On Monday, 15 January 2024 23:19:37 CET Chris Enkidu-6 wrote:

> I've noticed a new kind of possible attack on some of my relays, as
> early as Dec.23 which causes huge spikes of outbound traffic
>
> I have included charts and excerpts from the log in my post in Tor forum
> at below link:
>
> New kind of attack?

--
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!

Hi,

I just received a DDoS attack on a pretty settled exit relay.
Who DDoSes an exit relay but the state or a victim of its potential abuses?

Here the relay is in India.

Thank you for sharing this observation.
I firmly believe a similar situation applies.

On 16.01.2024 15:29, lists@for-privacy.net wrote:

> On Monday, 15 January 2024 23:19:37 CET Chris Enkidu-6 wrote:
>
>> I've noticed a new kind of possible attack on some of my relays, as
>> early as Dec.23 which causes huge spikes of outbound traffic
>>
>> I have included charts and excerpts from the log in my post in Tor forum
>> at below link:
>>
>> New kind of attack?
>
> This seems to be related to what we already had in September:
> Excessive / Unbalanced Relay Traffic
>
> It is always only intermittent and only some of my relays are affected.
> Excessive / Unbalanced Relay Traffic - #8 by boldsuck

Surgeprotector is very helpful for exits

Tor-nightly 0.4.9.0-alpha-dev fixed

by trinity

ReevaluateExitPolicy 1

On Thursday, 18 January 2024 19:37:22 CET eff_03675549@posteo.se wrote:

> I just received a DDoS attack on a pretty settled exit relay.

--
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!

Hi.

I am trying several Singapore relays stuck at 100% bootstrapped
without any coming speed evaluation nor id key attributions,

8B6A6D02A80A7CBB1ED0630150D8D9F9F7D471AF

one middle/guard out of 4/5 came out with keys and shows in relay
search still without any speed attribution now over 48 hours,
the others (guards, exit) are stuck at 100% bootstrapped.

All in Singapore.

Your kind evaluation please.

an.
