Opened 15 months ago

Closed 4 months ago

#19740 closed defect (worksforme)

(new ?) efficient attack against an exit relay

Reported by: toralf
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version: Tor: 0.2.8.5-rc
Severity: Normal
Keywords: tor-relay needs-diagnosis maybe-dos too-little-info
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Today I was faced with a DDoS attack which looks different from all the ones I observed in former times.

Former attacks showed a characteristic where the malicious IN traffic was just on top of the usual network load (as seen in https://www.zwiebeltoralf.de/torserver/graph.png).
The attack today looks as if the IN traffic supersedes the usual network load completely (https://www.zwiebeltoralf.de/torserver/graph.svg).

The system is a stable hardened Gentoo Linux with the latest kernel.

Change History (4)

comment:1 Changed 15 months ago by toralf

Summary: (new ?) efficient atatcka gainst an exit relay → (new ?) efficient attack against an exit relay

comment:2 Changed 15 months ago by toralf

Because an iptables counter rule showed over 145 million connections to port 80, I added 2 rules to iptables:

  #  Tor
  #
  # limit max. number of concurrent connections (connlimit counts open
  # connections per source address, /32 by default; it is not a per-second rate)
  $IPT -A INPUT -p tcp --destination-port 80 --syn --match connlimit --connlimit-above 1000 -j DROP
  # limit max. number of concurrent connections per IP address
  $IPT -A INPUT -p tcp --destination-port 80 --syn --match connlimit --connlimit-above 2 --connlimit-mask 32 -j DROP
Last edited 15 months ago by toralf
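
Added example (not part of the ticket and not toralf's configuration): connlimit counts concurrent connections per source address block, so a per-second limit needs hashlimit, and a total across all sources needs --connlimit-mask 0. The rate and burst values and the hashlimit name are assumptions; port 80 and the limits 2 and 1000 are taken from the rules above.

```shell
#!/bin/sh
# Added example. Dry run by default: each rule is printed, not installed.
# Run as root with IPT=iptables to install the rules.
IPT="${IPT:-echo iptables}"

PORT=80            # port named in the ticket
RATE="20/second"   # assumed: new connections per second allowed per source
BURST=40           # assumed: short burst tolerated before RATE applies
PER_IP=2           # concurrent connections per source (ticket's second rule)
TOTAL=1000         # concurrent connections from all sources together

port80_rules() {
    # Rate of NEW connections, tracked per source address by hashlimit.
    $IPT -A INPUT -p tcp --dport "$PORT" --syn -m hashlimit \
        --hashlimit-name tor-port80 --hashlimit-mode srcip \
        --hashlimit-above "$RATE" --hashlimit-burst "$BURST" -j DROP

    # Concurrent connections per single source address (/32).
    $IPT -A INPUT -p tcp --dport "$PORT" --syn -m connlimit \
        --connlimit-above "$PER_IP" --connlimit-mask 32 -j DROP

    # Concurrent connections overall: prefix length 0 places every
    # source address in one group, so the count is global.
    $IPT -A INPUT -p tcp --dport "$PORT" --syn -m connlimit \
        --connlimit-above "$TOTAL" --connlimit-mask 0 -j DROP
}

port80_rules
```

Rule order matters: a SYN dropped by an earlier rule never reaches the later ones, so the per-rule packet counters (iptables -L INPUT -v -n) show which limit is doing the work.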

comment:3 Changed 8 months ago by nickm

Milestone: Tor: unspecified
Status: new → needs_information

comment:4 Changed 4 months ago by nickm

Keywords: tor-relay needs-diagnosis maybe-dos too-little-info added
Resolution: worksforme
Status: needs_information → closed

Closing as worksforme because there just isn't enough info here to figure out what's going on. But please reopen if you don't agree.