I’ve been noticing something for days now : A couple of my relays have developed a trend of consistently writing more bytes than read. And a third one, spiked briefly its written bytes a lot, 2 days back.
I’ve seen this a few times myself, in which case it was a DoS attack on my relays. In my case I noticed it due to extreme cpu usage that generated alerts which broke my DNS which in turn rendered my relays bad. Not saying this is the same thing, just what I’ve seen. I never found the root cause and implemented a symptomatic fix which rebooted DNS service when I detected a DoS automatically - which worked fine.
This seems to be the consensus. I find it intriguing that it manifests as increased bytes written, and that this value shows up in Tor stats. This suggests a malicious tor relay/client rather than typical external DDoS. Internal abuse of directory traffic seems a plausible vector, but this seems to me to be eminently filterable.
Are any of the DoS mitigation values showing activity in your logs when this happens?
When you run nyx, do you see a significant imbalance between incoming and outgoing connection counts?
This happened to me on my first relay startup almost from the instant I turned it on and lasted three days. I had no idea what was normal then, so I didn’t do any diagnosis.
For my relay that had a big spike in written bytes, looking more carefully at the logs, i observed a ~6000 rejected circuits uptake , in that 24hr. period.
Not alarming, but “something” was going on. In the day-to-day routine of my relays, for that amount in 24hrs. , to make it through Enkidu’s fw rules only to be rejected eventually by the application, it must have been under some small form of attack.
Nothing that the application couldnt handle though, and things have since calmed down.
Now as for the ratio of incoming-to-outgoing connections i observe in my relays : Incoming connections are much more.
But i dont think thats wrong.
Here’s the triple kicker : If they were harmful connections, first they would get the boot from the firewall.
If by some miracle, they all made it through the firewall, the relays would have gone completely ballistic on their mitigation counters; they’re not, so they’re legit.
And last, right now as it stands, from what i understand, my relays are “between places” : They are “seen” both as Guard and Middle, “in practice”. As more time passes and they keep amounting uptime, they will rotate more and more as Guards.
