Opened 11 months ago

Last modified 4 months ago

#19740 needs_information defect

(new ?) efficient attack against an exit relay

Reported by: toralf
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version: Tor: 0.2.8.5-rc
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Today I was faced with a DDoS attack which looks different from all the ones I observed in former times.

Former attacks showed a characteristic where the malicious IN traffic was just on top of the usual network load (as seen in https://www.zwiebeltoralf.de/torserver/graph.png).
In the attack today it looks like the IN traffic supersedes the usual network load completely (https://www.zwiebeltoralf.de/torserver/graph.svg).

The system is a stable hardened Gentoo Linux with the latest kernel.

Change History (3)

comment:1 Changed 11 months ago by toralf

  • Summary changed from (new ?) efficient atatcka gainst an exit relay to (new ?) efficient attack against an exit relay

comment:2 Changed 11 months ago by toralf

Because an iptables counter rule showed over 145 million connections to port 80, I added 2 rules to iptables:

  #  Tor
  #
  # limit max. number per second
  $IPT -A INPUT -p tcp --destination-port 80 --syn --match connlimit --connlimit-above 1000 -j DROP
  # limit max. number per IP address
  $IPT -A INPUT -p tcp --destination-port 80 --syn --match connlimit --connlimit-above 2 --connlimit-mask 32 -j DROP
Last edited 11 months ago by toralf
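
What the two connlimit rules in comment:2 count, modelled in Python as an added example (not part of the ticket and not Tor code): connlimit compares the number of parallel connections in a source group rather than a per-second rate, and it groups by /32 for IPv4 when --connlimit-mask is omitted. The connection table, the addresses and the mask-0 variant are constructed assumptions.

```python
import ipaddress
from collections import Counter


def connlimit_match(tracked, src, above, mask=32):
    """Model of the iptables connlimit match for one incoming SYN.

    tracked: {source address: connections already open to the port}.
    mask: --connlimit-mask prefix length (32 for IPv4 when omitted).
    The new connection is counted too, so --connlimit-above 2 lets two
    parallel connections through and matches the third.
    """
    group = ipaddress.ip_network(f"{src}/{mask}", strict=False)
    existing = sum(n for addr, n in tracked.items()
                   if ipaddress.ip_address(addr) in group)
    return existing + 1 > above


def first_drop(tracked, src, rules):
    """Label of the first rule that drops the SYN, or None if it passes."""
    for label, above, mask in rules:
        if connlimit_match(tracked, src, above, mask):
            return label
    return None


# The two rules as posted: neither sets a mask other than 32.
AS_POSTED = [("rule 1", 1000, 32), ("rule 2", 2, 32)]
# Assumption: same thresholds, but rule 1 with --connlimit-mask 0, which puts
# all sources in one group and so counts every connection to the port.
MASK_ZERO = [("rule 1, mask 0", 1000, 0), ("rule 2", 2, 32)]


def constructed_table():
    """Constructed sample: 1500 sources holding one connection each, plus
    one source (198.51.100.7) that already holds two."""
    table = Counter()
    for i in range(1500):
        table[str(ipaddress.ip_address("10.0.0.0") + i)] = 1
    table["198.51.100.7"] = 2
    return table


if __name__ == "__main__":
    table = constructed_table()
    for name, rules in (("as posted", AS_POSTED), ("mask 0", MASK_ZERO)):
        for src in ("10.0.0.5", "198.51.100.7"):
            print(f"{name:10} SYN from {src:13} -> {first_drop(table, src, rules)}")
```

With the table above, the rules as posted act only on the source that already holds two connections; a cap on the total number of parallel connections to the port needs a group that spans all sources.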

comment:3 Changed 4 months ago by nickm

  • Milestone set to Tor: unspecified
  • Status changed from new to needs_information