Two WARN log records

Hello, any idea about these records on different machines today, 15/05/23, at 6 AM CET?

TOR RELAY 1
│ 06:14:26 [WARN] Possible compression bomb; abandoning stream. [1 duplicate hidden]
│ 06:14:25 [WARN] Unable to decompress HTTP body (tried Zstandard compressed, on Directory connection (client reading) with 171.25.193.9:443).

TOR RELAY 2
│ 06:06:53 [WARN] Possible compression bomb; abandoning stream. [1 duplicate hidden]
│ 06:06:53 [WARN] Unable to decompress HTTP body (tried Zstandard compressed, on Directory connection (client reading) with 86.59.21.38:80).

Thanks a lot

Same message for my node:

May 15 07:07:54.000 [warn] Possible compression bomb; abandoning stream.
May 15 07:07:54.000 [warn] Unable to decompress HTTP body (tried Zstandard compressed, on Directory connection (client reading) with 204.13.164.118:80).

I searched my log and found that such problem also happened earlier:
Jan 13 14:26:00.000, Oct 06 03:25:05.000.
Looks like a rare bug.

Looks like someone tried to crash your relay

I’ve been seeing these every ten seconds yesterday and the day before. I noticed because of the constantly high CPU usage. I’m not even running a relay.

Example log snippet just after a restart:

Oct 12 06:11:28  Tor[346579]: Detected possible compression bomb with input size = 26270 and output size = 736917
Oct 12 06:11:28  Tor[346579]: Possible compression bomb; abandoning stream.
Oct 12 06:11:28  Tor[346579]: Unable to decompress HTTP body (tried Zstandard compressed, on Directory connection (client reading) with 51.210.179.144:9000).
Oct 12 06:11:28  Tor[346579]: We now have enough directory information to build circuits.
Oct 12 09:40:45  Tor[346579]: Application request when we haven't used client functionality lately. Optimistically trying directory fetches again.

Going on for a while:

Oct 12 06:11:28 Tor[346579]: Unable to decompress HTTP body (tried Zstandard compressed, on Directory connection (client reading) with 51.210.179.144:9000).
Oct 12 09:52:24 Tor[1188101]: Unable to decompress HTTP body (tried Zstandard compressed, on Directory connection (client reading) with 51.210.179.144:9000).
Oct 12 09:57:01 Tor[1189677]: Unable to decompress HTTP body (tried Zstandard compressed, on Directory connection (client reading) with 46.29.235.79:9001).
Oct 12 11:54:39 Tor[1226420]: Unable to decompress HTTP body (tried Zstandard compressed, on Directory connection (client reading) with 46.29.235.79:9001).
Oct 12 12:55:14 Tor[1231230]: Unable to decompress HTTP body (tried Zstandard compressed, on Directory connection (client reading) with 46.29.235.79:9001).
Oct 12 13:11:29 Tor[3982]: Unable to decompress HTTP body (tried Zstandard compressed, on Directory connection (client reading) with 144.21.52.220:9282).
Oct 12 14:11:37 Tor[3982]: Unable to decompress HTTP body (tried Zstandard compressed, on Directory connection (client reading) with 51.210.179.144:9000). [949 similar message(s) suppressed in last 3660 seconds]

Those IP addresses are the same as

  • GanduVisionary2
  • prsv
  • [hexmcRelay2](metrics.torproject.org/rs.html#details/9258DEA6F474C1530802360514FEC1F6E2DAA191)

I see two of these were restarted 6 hours ago. I’m not seeing the error any more.

I have:

Tor version 0.4.8.12.
This build of Tor is covered by the GNU General Public License (www.gnu.org/licenses/gpl-3.0.en.html)
Tor is running on Linux with Libevent 2.1.12-stable, OpenSSL 3.2.2, Zlib 1.3.1.zlib-ng, Liblzma 5.4.6, Libzstd 1.5.6 and Glibc 2.39 as libc.
Tor compiled with GCC version 14.2.1

I see similar messages as well on my relay (0.4.8.9):

Oct 09 09:04:51.000 [warn] Detected possible compression bomb with input size = 17551 and output size = 458599
Oct 09 09:04:51.000 [warn] Possible compression bomb; abandoning stream.
Oct 09 09:04:51.000 [warn] Unable to decompress HTTP body (tried Zstandard compressed, on Directory connection (client reading) with 193.23.244.244:80).
Oct 12 06:03:04.000 [warn] Detected possible compression bomb with input size = 21984 and output size = 581666
Oct 12 06:03:04.000 [warn] Possible compression bomb; abandoning stream.
Oct 12 06:03:04.000 [warn] Unable to decompress HTTP body (tried Zstandard compressed, on Directory connection (client reading) with 131.188.40.189:80).
Oct 12 09:12:07.000 [warn] Detected possible compression bomb with input size = 24571 and output size = 777070
Oct 12 09:12:07.000 [warn] Possible compression bomb; abandoning stream.
Oct 12 09:12:07.000 [warn] Unable to decompress HTTP body (tried Zstandard compressed, on Directory connection (client reading) with 171.25.193.9:443).
Oct 12 09:13:06.000 [warn] Detected possible compression bomb with input size = 23387 and output size = 746494
Oct 12 09:13:06.000 [warn] Possible compression bomb; abandoning stream.
Oct 12 09:13:06.000 [warn] Detected possible compression bomb with input size = 24571 and output size = 777070
Oct 12 09:13:06.000 [warn] Possible compression bomb; abandoning stream.
Oct 12 09:14:06.000 [warn] Detected possible compression bomb with input size = 23387 and output size = 746494
Oct 12 09:14:06.000 [warn] Possible compression bomb; abandoning stream.
Oct 12 09:14:06.000 [warn] Detected possible compression bomb with input size = 24571 and output size = 777070
Oct 12 09:14:06.000 [warn] Possible compression bomb; abandoning stream.
Oct 12 09:14:07.000 [warn] Detected possible compression bomb with input size = 19402 and output size = 531500
Oct 12 09:14:07.000 [warn] Possible compression bomb; abandoning stream.
Oct 13 02:11:26.000 [warn] Detected possible compression bomb with input size = 26394 and output size = 803550
Oct 13 02:11:26.000 [warn] Possible compression bomb; abandoning stream.
Oct 13 02:11:26.000 [warn] Unable to decompress HTTP body (tried Zstandard compressed, on Directory connection (client reading) with 45.66.35.11:80). [5 similar message(s) suppressed in last 61140 seconds]
Oct 13 02:11:26.000 [warn] Detected possible compression bomb with input size = 26841 and output size = 762873
Oct 13 02:11:26.000 [warn] Possible compression bomb; abandoning stream.
Oct 13 02:11:27.000 [warn] Detected possible compression bomb with input size = 23820 and output size = 762336
Oct 13 02:11:27.000 [warn] Possible compression bomb; abandoning stream.
Oct 13 02:12:25.000 [warn] Detected possible compression bomb with input size = 26394 and output size = 803550
Oct 13 02:12:25.000 [warn] Possible compression bomb; abandoning stream.
Oct 13 02:12:25.000 [warn] Detected possible compression bomb with input size = 26841 and output size = 762873
Oct 13 02:12:25.000 [warn] Possible compression bomb; abandoning stream.
Oct 13 02:13:25.000 [warn] Detected possible compression bomb with input size = 23820 and output size = 762336
Oct 13 02:13:25.000 [warn] Possible compression bomb; abandoning stream.
Oct 13 02:13:25.000 [warn] Detected possible compression bomb with input size = 26841 and output size = 762873
Oct 13 02:13:25.000 [warn] Possible compression bomb; abandoning stream.
Oct 13 02:14:25.000 [warn] Detected possible compression bomb with input size = 26394 and output size = 803550
Oct 13 02:14:25.000 [warn] Possible compression bomb; abandoning stream.
Oct 13 02:14:26.000 [warn] Detected possible compression bomb with input size = 12978 and output size = 342848
Oct 13 02:14:26.000 [warn] Possible compression bomb; abandoning stream.
Oct 13 02:14:26.000 [warn] Detected possible compression bomb with input size = 13134 and output size = 342848
Oct 13 02:14:26.000 [warn] Possible compression bomb; abandoning stream.
Oct 13 08:05:30.000 [warn] Detected possible compression bomb with input size = 20103 and output size = 525490
Oct 13 08:05:30.000 [warn] Possible compression bomb; abandoning stream.
Oct 13 08:05:30.000 [warn] Unable to decompress HTTP body (tried Zstandard compressed, on Directory connection (client reading) with 45.66.35.11:80). [9 similar message(s) suppressed in last 21300 seconds]
Oct 13 08:05:31.000 [warn] Detected possible compression bomb with input size = 18480 and output size = 544922
Oct 13 08:05:31.000 [warn] Possible compression bomb; abandoning stream.
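
One way to triage the warnings quoted in this thread, added here as an example and not code from any poster or from the Tor project: it pulls the input and output sizes out of each "Detected possible compression bomb" line, computes the expansion ratio, and counts failed directory responses per peer, including repeats hidden by rate limiting. The sample lines are constructed in the thread's two log formats with documentation-range addresses, and the function name `triage` is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in the two log formats quoted in this thread
# (Tor's own log file and syslog); peers use documentation-range addresses.
SAMPLE_LOG = """\
Oct 12 09:12:07.000 [warn] Detected possible compression bomb with input size = 24571 and output size = 777070
Oct 12 09:12:07.000 [warn] Possible compression bomb; abandoning stream.
Oct 12 09:12:07.000 [warn] Unable to decompress HTTP body (tried Zstandard compressed, on Directory connection (client reading) with 192.0.2.10:443).
Oct 12 09:13:06.000 [warn] Detected possible compression bomb with input size = 23387 and output size = 746494
Oct 12 09:13:06.000 [warn] Possible compression bomb; abandoning stream.
Oct 13 02:11:26  Tor[1234]: Detected possible compression bomb with input size = 13134 and output size = 342848
Oct 13 02:11:26  Tor[1234]: Unable to decompress HTTP body (tried Zstandard compressed, on Directory connection (client reading) with 198.51.100.7:80). [5 similar message(s) suppressed in last 61140 seconds]
"""

TS = re.compile(r"^(\w{3} +\d+ \d{2}:\d{2}:\d{2})")
BOMB = re.compile(r"input size = (\d+) and output size = (\d+)")
PEER = re.compile(r"Unable to decompress HTTP body .*? with (\S+)\)")
SUPPRESSED = re.compile(r"\[(\d+) similar message\(s\) suppressed")

def triage(log_text):
    """Return (events, failures_per_peer) for Tor compression-bomb warnings."""
    events, per_peer = [], Counter()
    for line in log_text.splitlines():
        ts = TS.match(line)
        if not ts:
            continue
        bomb = BOMB.search(line)
        if bomb:
            size_in, size_out = map(int, bomb.groups())
            events.append({"ts": ts.group(1), "in": size_in, "out": size_out,
                           "ratio": round(size_out / max(size_in, 1), 2), "peer": None})
            continue
        peer = PEER.search(line)
        if peer:
            hidden = SUPPRESSED.search(line)
            # Rate-limited line: count the suppressed repeats as well.
            per_peer[peer.group(1)] += 1 + (int(hidden.group(1)) if hidden else 0)
            # Attribute the peer to the latest unattributed event in the same second.
            if events and events[-1]["peer"] is None and events[-1]["ts"] == ts.group(1):
                events[-1]["peer"] = peer.group(1)
    return events, per_peer

if __name__ == "__main__":
    events, per_peer = triage(SAMPLE_LOG)
    for e in events:
        print(f'{e["ts"]}  {e["in"]:>6} -> {e["out"]:>7}  x{e["ratio"]:<6} {e["peer"] or "peer not logged"}')
    for peer, n in per_peer.most_common():
        print(f"{peer}: {n} failed directory responses")
```

Applied to the sizes quoted in this thread, the ratios come out between roughly 26:1 and 32:1.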

simply put, BAD actors.

i’m seeing these too from time to time.
my guess is when DDoS doesn’t work because they don’t reach the application layer, they resort to such stuff, joke’s on them though :smile:

It works if they find the right approach.

What I have observed on a bridge, after it had an unusually high number of connections, is that after a few days the memory usage of the bridge had increased to 5 GB.
This way they can take down your machine.

So keep an eye on it :slightly_smiling_face:

I don’t think so (at least for my case).
193.23.244.244 for example is dannenberg.
I doubt the response from it was modified by attackers.


hmmm thanks for the heads up :wink: :+1:

so far have never noticed something like that happening.

then i’m -obviously- missing something. but i don’t understand why a DirAuth would send packets and behave in a way that would automatically trigger a self-defense mechanism in a relay.