Dear tor team,
We have setup a discussion board, on the tor network.
And there is someone that is exploiting within our servers, by taking it down it every time and the forums will respond with "Server not found".
We are pretty sure this problem is on the side of the TOR browser, is there anything we could do to sort this?
With many thanks for taking time into reading this.
Trac: Username: pidgin
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information
Child items ...
Show closed items
Linked items 0
Link issues together to show that they're related.
Learn more.
Setting Trac component (someone please reset it if it is incorrect).
I don't understand the comment "We are pretty sure this problem is on the side of the TOR browser" since this sounds to me like a tor server-side issue. It is also unclear if this is a bug report or a support request.
Setting Trac component (someone please reset it if it is incorrect).
I don't understand the comment "We are pretty sure this problem is on the side of the TOR browser" since this sounds to me like a tor server-side issue. It is also unclear if this is a bug report or a support request.
My apologizes if it's not on TOR side, i am not here to discuss whether it is or not.
Just trying to sort this problem out, so people won't have to deal with the problem in the future.
And thank you for linking me the irc "I could not use the IRC through TOR, so i will leave this ticket open".
Closed #29610 (moved) as a duplicate here. What is causing you to conclude that this is an attack against Tor, instead of (say) an attack against some other component? Right now, there's not enough information in your report(s) to tell.
the service behind onion HiddenService is fine, it is serving requests.
before the DDOS there have not been "Server Not Found".
Actually it was the hackers third iteration.
First step from hacker was brute force DDOS which made tor cpu load 100%. countermeasure: vanguards and using ExcludeNodes (torrc)
Second iteration from hacker was to use random nodes, about 1000+, to do tor cpu load 100%. countermeasure: vanguards / onionbalance.
now tor browser gives "server not found", countermeasure not found yet
#29637 (moved) contains the same information from the user, and this response from me:
The attack probably isn't on the Tor client. It's more likely it's on the service, HSDir or Intro Points. It may be on the service's Guard or Rendezvous Point, but they're harder to find and target.
Have you tried v3 onion services?
They are much more resistant to attacks.
There is no OnionBalance for v3 yet, but the v3 crypto is more efficient, so you might not need it.
Are you sure that your service is still running ok?
Your service might be serving a small amount of traffic, and blocked on network requests. So its CPU would be low, and most clients would not be able to connect.
Trac: Summary: Need urgent help! to Denial of service on v2 onion service
We might need a log file (preferably info/debug level) to get deeper into this. Please make sure you don't reveal any sensitive info (e.g. guard names) through the log file.
Otherwise, do you see any warn logs, or any weird stuff on the info/debug severity that you can point out?
We might need a log file (preferably info/debug level) to get deeper into this. Please make sure you don't reveal any sensitive info (e.g. guard names) through the log file.
Otherwise, do you see any warn logs, or any weird stuff on the info/debug severity that you can point out?
here is the log from the onion v3 service, a debug/info log follows soon :
-scrubbed-:42:47.000 [warn] No valid circuit build time data out of 1000 times, 3 modes, have_timeout=1, 2332.000000ms
-scrubbed-:42:47.000 [warn] No valid circuit build time data out of 1000 times, 3 modes, have_timeout=1, 2332.000000ms
-scrubbed-:42:47.000 [warn] No valid circuit build time data out of 1000 times, 3 modes, have_timeout=1, 2332.000000ms
-scrubbed-:42:47.000 [warn] No valid circuit build time data out of 1000 times, 3 modes, have_timeout=1, 2332.000000ms
-scrubbed-:42:47.000 [warn] No valid circuit build time data out of 1000 times, 3 modes, have_timeout=1, 2332.000000ms
-scrubbed-:42:47.000 [warn] No valid circuit build time data out of 1000 times, 3 modes, have_timeout=1, 2332.000000ms
-scrubbed-:42:47.000 [warn] No valid circuit build time data out of 1000 times, 3 modes, have_timeout=1, 2332.000000ms
-scrubbed-:42:47.000 [warn] No valid circuit build time data out of 1000 times, 3 modes, have_timeout=1, 2332.000000ms
-scrubbed-:42:48.000 [warn] circuit_build_times_update_alpha(): Bug: Could not determine largest build time (0). Xm is 3125ms and we've abandoned 999 out of 1000 circuits. (on Tor 0.4.0.1-alpha 81f1b89efc94723f)
-scrubbed-:42:48.000 [warn] circuit_build_times_update_alpha(): Bug: Could not determine largest build time (0). Xm is 3125ms and we've abandoned 998 out of 1000 circuits. (on Tor 0.4.0.1-alpha 81f1b89efc94723f)
-scrubbed-:42:50.000 [warn] Failed to find node for hop #1 of our path. Discarding this circuit.
-scrubbed-:42:50.000 [warn] Giving up on launching a rendezvous circuit to [scrubbed] for hidden service [scrubbed]
-scrubbed-:42:52.000 [notice] Your network connection speed appears to have changed. Resetting timeout to 60s after 18 timeouts and 1000 buildtimes.
-scrubbed-:45:30.000 [warn] Failed to find node for hop #1 of our path. Discarding this circuit.
-scrubbed-:45:30.000 [warn] Giving up on launching a rendezvous circuit to [scrubbed] for hidden service [scrubbed]
-scrubbed-:46:40.000 [warn] Failed to find node for hop #1 of our path. Discarding this circuit.
-scrubbed-:46:40.000 [warn] Giving up on launching a rendezvous circuit to [scrubbed] for hidden service [scrubbed]
-scrubbed-:47:25.000 [warn] Failed to find node for hop #1 of our path. Discarding this circuit.
-scrubbed-:47:25.000 [warn] Giving up on launching a rendezvous circuit to [scrubbed] for hidden service [scrubbed]
-scrubbed-:47:27.000 [notice] Your network connection speed appears to have changed. Resetting timeout to 60s after 18 timeouts and 131 buildtimes.
-scrubbed-:47:27.000 [notice] Your network connection speed appears to have changed. Resetting timeout to 120s after 18 timeouts and 0 buildtimes.
-scrubbed-:48:47.000 [warn] Failed to find node for hop #1 of our path. Discarding this circuit.
-scrubbed-:48:47.000 [warn] Failed to launch rendezvous circuit to [scrubbed]
-scrubbed-:50:34.000 [warn] Failed to find node for hop #1 of our path. Discarding this circuit.
-scrubbed-:50:34.000 [warn] Giving up on launching a rendezvous circuit to [scrubbed] for hidden service [scrubbed]
We'll need to fix #25461 (moved), or confirm that you're not using an affected version, before we can isolate this bug,
How do you know there is an attacker, rather than just lots of clients using your service?
the attacker contacted us for extortion. The attacker turned the DDOS off and on, he informed us about times.
cpu loads matches times. cpu load is at all instances at 100% at attack. if DDOS not taking place, all tor processes are at 10% max (average far less)
Hm, those logs are OK but not useful enough unfortunately.
The only interesting thing is that your circuit build times are big (like 22.9 seconds for a single circuit):
circuit_build_times_add_time(): Adding circuit build time 22290
Not much I can get from it. You also seem to have borked the logs in the end since rend_service_rendezvous_has_opened() appears twice with duplicated stuff around it.
I think ideally we would need a log over a greater period of time (like 3-5 mins) to see what the attacker does over time. Perhaps the way to do it is to only gather info logs (I don't think we need debugs), and compress it before attaching it here. Otherwise, send it to us in a personal email.
-scrubbed-:47:25.000 [warn] Failed to find node for hop #1 of our path. Discarding this circuit.
This looks like an instance of #28962 (moved), where Tor fails guards based on the absolute number of failures of each guard, rather than checking if the guard is (much) worse than the average number of failures.
We might end up fixing #28862 (moved) as part of this ticket, or as part of our IPv6 work.
The v3 service doesn't have the guard issue, it's getting much further along. Have you tried running it on a separate machine? (Or by itself without v2 running on the same machine?)
Here's another interesting log:
{{{
-scrubbed-:47:25.000 [warn] Failed to find node for hop #1 of our path. Discarding this circuit.
}}}
This looks like an instance of #28962 (moved), where Tor fails guards based on the absolute number of failures of each guard, rather than checking if the guard is (much) worse than the average number of failures.
We might end up fixing #28862 (moved) as part of this ticket, or as part of our IPv6 work.
Hi Teor, what is the e-mail i can mail it to ? Also do you have a public pgp i can import? so i can send it in PGP format ?
The v3 service doesn't have the guard issue, it's getting much further along. Have you tried running it on a separate machine? (Or by itself without v2 running on the same machine?)
I looked at the logs but nothing jumped out at me as super weird. There is obviously lots of activity on the HS, but doesn't seem like something that would 100% CPU your Tor (you are receiving a rendezvous request every two seconds). There is probably something else going on that I couldn't see from that first look.
The v3 service doesn't have the guard issue, it's getting much further along. Have you tried running it on a separate machine? (Or by itself without v2 running on the same machine?)
The v3 service doesn't have the guard issue, it's getting much further along. Have you tried running it on a separate machine? (Or by itself without v2 running on the same machine?)
there is enough cpu and bandwidth
Tor also uses many other resources that can become exhausted, like sockets, memory, and various kernel data structures.
Can you please test the v3 service on a machine by itself?
Closed #29919 (moved) as a duplicate for this one. More info over there.
Hi asn,
Understandable why you closed my ticket, at a point of desperation and just hoping someone will take real interest in looking into this. Which is why I am able to offer access to a server that is currently being attacked. I believe I saw a chat log of you first discussing complex mode in 2015 for OnionBalance. Do you have any links for how to enable it/configure it? I am going to try it out to see if it is a resolution for this, with the theory of introduction points being attacked.
Closed #29919 (moved) as a duplicate for this one. More info over there.
Hi asn,
Understandable why you closed my ticket, at a point of desperation and just hoping someone will take real interest in looking into this. Which is why I am able to offer access to a server that is currently being attacked. I believe I saw a chat log of you first discussing complex mode in 2015 for OnionBalance. Do you have any links for how to enable it/configure it? I am going to try it out to see if it is a resolution for this, with the theory of introduction points being attacked.
Thank you.
Hey, I just remembered that complex mode was never implemented for onionbalance, because it was harder to implement and we thought there was no real use for it.
I'm not currently interested (or have the time) to get access to a server that is under attack.
I think the most useful thing right now would be to have more logs that display the attack. I want debug or info logs that last for 1-2 hours of the attack and display the whole Tor lifetime (from startup to shutdown). Please sanitize them correctly (make sure that guard names and onion names are not visible).
Same for vanguard logs on debug or info if you use vanguards.
Closed #29919 (moved) as a duplicate for this one. More info over there.
Hi asn,
Understandable why you closed my ticket, at a point of desperation and just hoping someone will take real interest in looking into this. Which is why I am able to offer access to a server that is currently being attacked. I believe I saw a chat log of you first discussing complex mode in 2015 for OnionBalance. Do you have any links for how to enable it/configure it? I am going to try it out to see if it is a resolution for this, with the theory of introduction points being attacked.
Thank you.
Hey, I just remembered that complex mode was never implemented for onionbalance, because it was harder to implement and we thought there was no real use for it.
I'm not currently interested (or have the time) to get access to a server that is under attack.
I think the most useful thing right now would be to have more logs that display the attack. I want debug or info logs that last for 1-2 hours of the attack and display the whole Tor lifetime (from startup to shutdown). Please sanitize them correctly (make sure that guard names and onion names are not visible).
Same for vanguard logs on debug or info if you use vanguards.
I will provide you with any logs I can later today. Could you please send a full list of anything that could help in debugging just to make sure you have everything relevant? Thank you
Closed #29919 (moved) as a duplicate for this one. More info over there.
Hi asn,
Understandable why you closed my ticket, at a point of desperation and just hoping someone will take real interest in looking into this. Which is why I am able to offer access to a server that is currently being attacked. I believe I saw a chat log of you first discussing complex mode in 2015 for OnionBalance. Do you have any links for how to enable it/configure it? I am going to try it out to see if it is a resolution for this, with the theory of introduction points being attacked.
Thank you.
Hey, I just remembered that complex mode was never implemented for onionbalance, because it was harder to implement and we thought there was no real use for it.
I'm not currently interested (or have the time) to get access to a server that is under attack.
I think the most useful thing right now would be to have more logs that display the attack. I want debug or info logs that last for 1-2 hours of the attack and display the whole Tor lifetime (from startup to shutdown). Please sanitize them correctly (make sure that guard names and onion names are not visible).
Same for vanguard logs on debug or info if you use vanguards.
I will provide you with any logs I can later today. Could you please send a full list of anything that could help in debugging just to make sure you have everything relevant? Thank you
Hm. It would be great if we could have all debug logs from Tor startup to Tor shutdown. Please scrub the names of your primary guards and your onion address and anything else that might seem pervasive, but please try to not destroy the accuracy of the logs (by double-pasting or removing surrounding lines).
Another thing that might be helpful would be to try with a blank state file so that Tor discards any previous circuit timeouts and performance measurements etc. (you can find the state file in your data directory. please don't delete it, just backup it somewhere else so that you can then restore it).
Also, it would be better to not use vanguards while you are collecting these logs because it's hard to keep track of what they are doing while reading the logs.
Problem is still not solved, still the same error.
I have provided everything i could to you guys i have no clue what to do else.
I found a complete solution but it needs more work to be reliable enough. Get in touch with me via your onion.
Will provide the solution here also but it is a novel method of identifying offending connections so they can then be dropped, which would likely not be implemented into core tor.