Ubuntu 22.04/Tor 0.4.8.19
Late last night my Tor SOCKS proxy started throwing lots of compression bomb logs. These are the first few:
Nov 4 00:51:35 hostname Tor[1991636]: Detected possible compression bomb with input size = 29631 and output size = 740974 (compression factor = 25.01)
Nov 4 00:51:35 hostname Tor[1991636]: Possible compression bomb; abandoning stream.
Nov 4 00:51:36 hostname Tor[1991636]: Detected possible compression bomb with input size = 19858 and output size = 650368 (compression factor = 32.75)
Nov 4 00:51:36 hostname Tor[1991636]: Possible compression bomb; abandoning stream.
Nov 4 00:51:36 hostname Tor[1991636]: Detected possible compression bomb with input size = 21721 and output size = 721760 (compression factor = 33.23)
Nov 4 00:51:36 hostname Tor[1991636]: Possible compression bomb; abandoning stream.
All Tor checks with curl fail:
/usr/bin/curl -x socks5h://127.0.0.1:9050 -s https://check.torproject.org/api/ip
Tor status looks fine:
[hostname:~]$ sudo systemctl status tor
● tor.service - Anonymizing overlay network for TCP (multi-instance-master)
Loaded: loaded (/lib/systemd/system/tor.service; enabled; vendor preset: enabled)
Active: active (exited) since Tue 2025-11-04 09:45:23 EST; 1min 44s ago
Process: 3656 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
Main PID: 3656 (code=exited, status=0/SUCCESS)
CPU: 2ms
Nov 04 09:45:23 hostname systemd[1]: Starting Anonymizing overlay network for TCP (multi-instance-master)…
Nov 04 09:45:23 hostname systemd[1]: Finished Anonymizing overlay network for TCP (multi-instance-master).
Startup logs look like this:
Nov 4 10:20:51 hostname tor[6117]: Nov 04 10:20:51.470 [notice] Tor 0.4.8.19 running on Linux with Libevent 2.1.12-stable, OpenSSL 3.0.2, Zlib 1.2.11, Liblzma 5.2.5, Libzstd 1.4.8 and Glibc 2.35 as libc.
Nov 4 10:20:51 hostname tor[6117]: Nov 04 10:20:51.470 [notice] Tor can’t help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
Nov 4 10:20:51 hostname Tor[6117]: We compiled with OpenSSL 30000020: OpenSSL 3.0.2 15 Mar 2022 and we are running with OpenSSL 30000020: 3.0.2. These two versions should be binary compatible.
Nov 4 10:20:51 hostname Tor[6117]: Tor 0.4.8.19 running on Linux with Libevent 2.1.12-stable, OpenSSL 3.0.2, Zlib 1.2.11, Liblzma 5.2.5, Libzstd 1.4.8 and Glibc 2.35 as libc.
Nov 4 10:20:51 hostname Tor[6117]: Tor can’t help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
Nov 4 10:20:51 hostname Tor[6117]: Read configuration file “/usr/share/tor/tor-service-defaults-torrc”.
Nov 4 10:20:51 hostname Tor[6117]: Read configuration file “/etc/tor/torrc”.
Nov 4 10:20:51 hostname Tor[6117]: Opening Socks listener on 127.0.0.1:9050
Nov 4 10:20:51 hostname Tor[6117]: Opened Socks listener connection (ready) on 127.0.0.1:9050
Nov 4 10:20:51 hostname Tor[6117]: Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Nov 4 10:20:51 hostname Tor[6117]: Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Nov 4 10:20:52 hostname Tor[6117]: Set list of supported TLS groups to: P-256:X25519:P-224
Nov 4 10:20:52 hostname Tor[6117]: Bootstrapped 0% (starting): Starting
Nov 4 10:20:53 hostname Tor[6117]: Starting with guard context “default”
Nov 4 10:20:53 hostname Tor[6117]: Our directory information is no longer up-to-date enough to build circuits: We’re missing descriptors for 1/3 of our primary entry guards (total microdescriptors: 8864/9173). That’s ok. We will try to fetch missing descriptors soon.
Nov 4 10:20:53 hostname Tor[6117]: Signaled readiness to systemd
Nov 4 10:20:53 hostname Tor[6117]: Bootstrapped 5% (conn): Connecting to a relay
Nov 4 10:20:53 hostname Tor[6117]: Bootstrapped 10% (conn_done): Connected to a relay
Nov 4 10:20:54 hostname Tor[6117]: Bootstrapped 14% (handshake): Handshaking with a relay
Nov 4 10:20:54 hostname Tor[6117]: Bootstrapped 15% (handshake_done): Handshake with a relay done
Nov 4 10:20:54 hostname Tor[6117]: Bootstrapped 75% (enough_dirinfo): Loaded enough directory info to build circuits
Nov 4 10:20:54 hostname Tor[6117]: Opening Socks listener on /run/tor/socks
Nov 4 10:20:54 hostname Tor[6117]: Opened Socks listener connection (ready) on /run/tor/socks
Nov 4 10:20:54 hostname Tor[6117]: Opening Control listener on /run/tor/control
Nov 4 10:20:54 hostname Tor[6117]: Opened Control listener connection (ready) on /run/tor/control
Followed by the compression bomb logs.
I run the above curl command every 5 minutes, which alerts me if this host is not on Tor. The first one showed up around 01:17; a few logs prior to this one was this:
Nov 4 01:17:01 hostname Tor[1991636]: Tried for 120 seconds to get a connection to [scrubbed]:443. Giving up. (waiting for circuit)
Turns out that was the first one and the rest of today’s syslog is full of these Giving up logs.
Any ideas on how to fix this would be most welcome.
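For triaging a syslog full of these entries, the following is an added example, not part of the original post and not Tor project code. It extracts the compression bomb detections and the "Giving up" entries, recomputes each compression factor from the logged sizes, and counts detections per Tor PID. The sample lines are copied from the post; the function name triage is an assumption made for this example.

```python
import re
from collections import Counter

# Lines copied from the post above, with the wrapped "factor" rejoined.
SAMPLE = """\
Nov 4 00:51:35 hostname Tor[1991636]: Detected possible compression bomb with input size = 29631 and output size = 740974 (compression factor = 25.01)
Nov 4 00:51:35 hostname Tor[1991636]: Possible compression bomb; abandoning stream.
Nov 4 00:51:36 hostname Tor[1991636]: Detected possible compression bomb with input size = 19858 and output size = 650368 (compression factor = 32.75)
Nov 4 00:51:36 hostname Tor[1991636]: Possible compression bomb; abandoning stream.
Nov 4 01:17:01 hostname Tor[1991636]: Tried for 120 seconds to get a connection to [scrubbed]:443. Giving up. (waiting for circuit)
"""

# Syslog prefix: timestamp, host, "Tor[pid]:" (the post shows both Tor[] and tor[]).
PREFIX = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ [Tt]or\[(\d+)\]: (.*)$")
BOMB = re.compile(r"Detected possible compression bomb with input size = (\d+) "
                  r"and output size = (\d+) \(compression factor = ([\d.]+)\)")
GIVEUP = re.compile(r"Tried for (\d+) seconds to get a connection to (\S+)\. Giving up\.")

def triage(text):
    """Return (bomb events, give-up events, detections per PID) from syslog text."""
    bombs, giveups, per_pid = [], [], Counter()
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # not a Tor syslog line, e.g. a wrapped continuation
        stamp, pid, msg = m.groups()
        if b := BOMB.search(msg):
            size_in, size_out = int(b[1]), int(b[2])
            bombs.append({"time": stamp, "pid": pid, "in": size_in, "out": size_out,
                          "logged": float(b[3]),
                          "ratio": round(size_out / size_in, 2)})
            per_pid[pid] += 1
        elif g := GIVEUP.search(msg):
            giveups.append({"time": stamp, "pid": pid,
                            "secs": int(g[1]), "target": g[2]})
    return bombs, giveups, per_pid

if __name__ == "__main__":
    bombs, giveups, per_pid = triage(SAMPLE)
    for e in bombs:
        print(e["time"], "pid", e["pid"], f'{e["in"]} -> {e["out"]} bytes, x{e["ratio"]}')
    for e in giveups:
        print(e["time"], "pid", e["pid"], "gave up after", e["secs"], "s on", e["target"])
    print("bomb detections per Tor PID:", dict(per_pid))
```

Run against the full syslog, the per-PID count shows whether the detections continue after a restart (PID 6117 in the startup logs) or belong only to the earlier process (PID 1991636).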