Too many connections (DDoS 2022.07.02)

Hello.
Something strange happened today - thousands of new connections started to appear.
Looks like they were coming from Hetzner hosting (static.[IP].clients.your-server.de addresses).
Usually my relay has ~8k connections, but today the count rose to 18k within two hours.
Also, something went wrong with it; this line appeared in the logs: Jul 02 01:38:04.000 [warn] Failing because we have 14967 connections already. Please read doc/TUNING for guidance.
I know that Tor has anti-DDoS protection built in, but in this case it allowed tens of connections per single IP. Maybe recent changes in the code added some regressions? I am now using the latest version, 0.4.7.8.
For now I have just banned them, but the attack may be repeated from different addresses.
What can the community suggest in such a case? Should this be addressed in the Tor code, or should I deal with it myself?

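The post above describes the symptom (tens of established ORPort connections from a single source address) and the operator's response (banning those addresses). The following is an added example, not the poster's tooling and not part of tor: it parses the output of `ss -Htn state established '( sport = :9001 )'` on the relay host, counts established sockets per remote address, and emits nft commands for the addresses over a threshold. The sample `ss` output is constructed (RFC 5737/3849 addresses), the threshold of 10 is an assumption, and the nft table and set names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed sample of `ss -Htn state established '( sport = :9001 )'` output
# (not captured from any relay in the thread). With a state filter, ss prints
# Recv-Q Send-Q Local:Port Peer:Port; the peer is always the last field.
SAMPLE_SS = "\n".join(
    [f"0 0 203.0.113.10:9001 198.51.100.7:{41000 + i}" for i in range(12)]    # one source, 12 sockets
    + [f"0 0 203.0.113.10:9001 198.51.100.23:{52000 + i}" for i in range(3)]  # mildly busy source
    + ["0 0 203.0.113.10:9001 192.0.2.77:60001",                               # ordinary client
       "0 0 [2001:db8::10]:9001 [2001:db8:ffff::5]:44321"]                     # IPv6 peer
)


def peer_address(peer: str) -> str:
    """Strip the port from ss's peer column; IPv6 peers are printed as [addr]:port."""
    host, _, _port = peer.rpartition(":")
    return host.strip("[]")


def count_peers(ss_output: str) -> Counter:
    """Number of established ORPort sockets per remote address."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:  # skip blank or truncated lines
            continue
        counts[peer_address(fields[-1])] += 1
    return counts


def offenders(counts: Counter, threshold: int) -> dict:
    """Addresses holding at least `threshold` concurrent connections."""
    return {ip: n for ip, n in counts.items() if n >= threshold}


def nft_rules(ips, table: str = "inet filter", set_prefix: str = "tor_flood") -> list:
    """nft commands adding each offender to a named set. Assumes (hypothetical names)
    that the table and the sets tor_flood_v4 (type ipv4_addr) / tor_flood_v6
    (type ipv6_addr) exist and that a rule drops ORPort traffic from them."""
    keyed = sorted(ips, key=lambda s: (ipaddress.ip_address(s).version, ipaddress.ip_address(s)))
    return [f"nft add element {table} {set_prefix}_v{ipaddress.ip_address(ip).version} {{ {ip} }}"
            for ip in keyed]


if __name__ == "__main__":
    bad = offenders(count_peers(SAMPLE_SS), threshold=10)  # threshold is an assumption
    for ip, n in bad.items():
        print(f"{ip}: {n} concurrent connections")
    print("\n".join(nft_rules(bad)))
```

Two practitioner caveats. First, tor's own connection defense (`DoSConnectionEnabled`, `DoSConnectionMaxConcurrentCount`) counts concurrent connections per address and is what feeds the "same address concurrent connections rejected" heartbeat counter, so a source holding "tens" of connections can sit below tor's limit while still consuming file descriptors; a host-level threshold is a separate, stricter knob. Second, other relays also connect to your ORPort, so check a candidate address against the current consensus before dropping it: blocking a relay's address breaks every circuit that relay would extend through you.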

Yes, after the traffic DDoS we now have the connections DDoS … but tor is doing its job and blocking them. If you have enabled statistics you should see this in the logs:

[notice] Heartbeat: DoS mitigation since startup: 56 circuits killed with too many cells, 48750193 circuits rejected, 579 marked addresses, **7392336** same address concurrent connections rejected, 0 connections rejected, 0 single hop clients refused, 3199396 INTRODUCE2 rejected.

It's the authorities, I think, who decide the knobs behind these DDoS counter-measures, so unless your server is crashing I would not worry too much. Mine went from 15k to 30k established and I see no impact on my relay.


I suspect that something went wrong with this blocking:

Before attack:
Jul 01 18:40:30.000 [notice] Heartbeat: DoS mitigation since startup: 13 circuits killed with too many cells, 3208640 circuits rejected, 58 marked addresses, 0 same address concurrent connections rejected, 0 connections rejected, 3 single hop clients refused, 288364 INTRODUCE2 rejected.

After I manually blocked attacker addresses:
Jul 02 06:40:30.000 [notice] Heartbeat: DoS mitigation since startup: 14 circuits killed with too many cells, 3588720 circuits rejected, 61 marked addresses, 47 same address concurrent connections rejected, 0 connections rejected, 3 single hop clients refused, 288364 INTRODUCE2 rejected.

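The two posts above compare the "DoS mitigation since startup" heartbeat before and after the attack. Those counters are cumulative, so the useful number is the difference between two heartbeats. The following is an added example, not code from the thread or from tor: it parses the heartbeat format quoted above and reports the per-counter increase together with the elapsed hours. The two lines are the ones quoted in the post; tor's log timestamp carries no year, so the year is a placeholder and the example assumes both lines fall in the same year.

```python
from datetime import datetime

# Heartbeat lines quoted from the post above (before the manual block and after it).
BEFORE = ("Jul 01 18:40:30.000 [notice] Heartbeat: DoS mitigation since startup: "
          "13 circuits killed with too many cells, 3208640 circuits rejected, 58 marked addresses, "
          "0 same address concurrent connections rejected, 0 connections rejected, "
          "3 single hop clients refused, 288364 INTRODUCE2 rejected.")
AFTER = ("Jul 02 06:40:30.000 [notice] Heartbeat: DoS mitigation since startup: "
         "14 circuits killed with too many cells, 3588720 circuits rejected, 61 marked addresses, "
         "47 same address concurrent connections rejected, 0 connections rejected, "
         "3 single hop clients refused, 288364 INTRODUCE2 rejected.")

MARKER = "DoS mitigation since startup: "


def parse_heartbeat(line: str):
    """Return (timestamp, {counter name: value}) for one DoS heartbeat line.
    The timestamp's year is a placeholder: tor's log format has none."""
    head, sep, tail = line.partition(MARKER)
    if not sep:
        raise ValueError("not a DoS heartbeat line")
    counters = {}
    for item in tail.rstrip(" .").split(", "):
        num, label = item.split(" ", 1)
        counters[label] = int(num.strip("*"))  # forum posts sometimes bold a number
    ts = datetime.strptime(head[:19], "%b %d %H:%M:%S.%f")  # e.g. "Jul 01 18:40:30.000"
    return ts, counters


def heartbeat_delta(before: str, after: str) -> dict:
    """Increase of every counter between two heartbeats, plus the hours elapsed,
    so each increase can be read as a rate rather than a lifetime total."""
    t0, c0 = parse_heartbeat(before)
    t1, c1 = parse_heartbeat(after)
    delta = {k: c1[k] - c0[k] for k in c1 if k in c0}
    delta["hours"] = (t1 - t0).total_seconds() / 3600
    return delta


if __name__ == "__main__":
    d = heartbeat_delta(BEFORE, AFTER)
    hours = d.pop("hours")
    for name, inc in d.items():
        print(f"{name}: +{inc} in {hours:g} h ({inc / hours:.1f}/h)")
```

Reading the output for the quoted lines: "same address concurrent connections rejected" goes from 0 to 47 over twelve hours, while the warning in the first post reported 14967 open connections. That gap between what tor's per-address defense rejected and what the kernel was holding is the thing to look at before assuming the defense is broken; it may simply be that each source stayed under the per-address limit.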

Hello,
I currently have the same issue as you: more than 15k inbound connections on my middle relay. I didn't have the problem yesterday. Hopefully my router is strong enough to handle all those spam connections.

I don’t see any solution at the moment…


Same here at one of my relays, from midnight till 17:00 - see the UptimeRobot screenshot


Could we open abuse reports with Hetzner and tell them about the attacking IP addresses from their address space, or is this deemed bad relay practice?


I was expecting to see an answer to that question in this topic.
Since the developers did not react to this topic with such a suggestion, I may conclude that it is not an effective measure.
By the way, since 2022.07.15 it is not only Hetzner that is hosting attackers; there are many more hosting providers being used for the attack, exactly as I expected in my first post (“attack may be repeated from different addresses”).
Here is my banlist in case someone needs it (100% accuracy is not guaranteed):

Banned addresses

107.191.46.39,107.191.47.85,107.191.62.29,108.61.177.33,116.202.102.177,116.202.16.44,116.203.188.152,135.181.104.67,135.181.110.171,135.181.158.173,135.181.194.229,135.181.195.206,135.181.200.83,135.181.204.132,135.181.204.52,135.181.205.105,135.181.206.106,135.181.206.64,135.181.206.71,135.181.207.118,135.181.250.11,135.181.251.109,135.181.88.137,136.244.117.207,138.201.188.178,138.201.91.180,140.82.53.206,140.82.54.199,142.132.174.151,142.132.229.116,142.132.229.13,142.132.229.72,142.132.229.9,142.132.232.149,142.132.235.217,142.132.238.106,15.207.105.254,157.90.16.121,157.90.16.139,157.90.16.168,157.90.18.13,157.90.18.236,157.90.18.27,157.90.18.68,157.90.21.17,157.90.21.96,157.90.22.143,157.90.22.83,157.90.23.188,157.90.24.122,157.90.24.56,157.90.24.75,157.90.26.241,157.90.26.37,157.90.26.49,157.90.29.115,157.90.29.130,157.90.29.244,157.90.30.136,157.90.31.240,157.90.31.85,159.69.107.129,159.69.207.117,159.69.5.108,159.69.87.169,161.97.131.95,161.97.80.115,162.55.180.169,162.55.38.209,162.55.40.232,162.55.51.218,164.68.96.220,167.235.224.179,167.235.226.64,167.235.227.252,167.235.228.50,167.235.230.106,167.235.232.35,167.235.232.49,167.235.233.99,167.235.234.249,167.235.238.165,167.235.239.142,167.235.243.74,167.235.245.174,167.235.51.100,167.235.51.184,167.235.64.150,167.235.68.169,167.235.68.17,167.235.68.63,167.235.69.124,167.235.69.134,168.119.161.151,168.119.162.168,168.119.164.29,168.119.164.82,168.119.166.199,168.119.167.117,168.119.168.212,168.119.168.89,168.119.170.106,168.119.170.34,168.119.170.76,168.119.171.204,168.119.171.238,168.119.172.11,168.119.173.196,168.119.173.205,168.119.173.233,168.119.174.1,168.119.176.107,168.119.177.235,168.119.179.233,168.119.180.175,168.119.240.137,168.119.240.89,168.119.241.109,168.119.241.124,168.119.241.13,168.119.241.152,168.119.241.211,168.119.241.28,168.119.241.6,168.119.241.62,168.119.242.107,168.119.242.69,168.119.243.126,168.119.243.131,168.119.243.138,168.119.243.59,168.119.243.64,168.119.244.130,168.119.244.171,168.119.244.179,168.119.244.215,168.119.244.236,168.119.244.253,168.119.244.28,168.119.245.206,168.119.245.53,168.119.245.88,168.119.246.182,168.119.246.229,168.119.246.243,168.119.247.0,168.119.247.1,168.119.247.17,168.119.248.17,168.119.248.32,168.119.249.199,168.119.249.214,168.119.250.90,168.119.251.131,168.119.251.52,168.119.252.45,168.119.252.64,168.119.252.93,168.119.254.10,168.119.254.195,168.119.254.23,168.119.254.41,168.119.255.106,168.119.255.110,168.119.255.254,169.57.134.59,169.57.134.60,169.62.141.14,169.62.174.109,173.212.211.137,173.249.4.9,188.34.160.17,188.34.160.172,188.34.160.192,188.34.160.200,188.34.160.203,188.34.160.212,188.34.160.7,188.34.161.137,188.34.161.151,188.34.161.210,188.34.161.219,188.34.161.254,188.34.161.31,188.34.161.34,188.34.161.9,188.34.162.102,188.34.162.164,188.34.162.170,188.34.162.207,188.34.162.209,188.34.162.232,188.34.162.5,188.34.163.142,188.34.163.153,188.34.163.177,188.34.163.181,188.34.163.194,188.34.163.45,188.34.164.131,188.34.164.167,188.34.165.127,188.34.165.150,188.34.165.158,188.34.165.166,188.34.165.174,188.34.165.242,188.34.165.37,188.34.165.43,188.34.166.102,188.34.166.105,188.34.166.107,188.34.166.125,188.34.166.143,188.34.166.2,188.34.166.247,188.34.166.54,188.34.167.110,188.34.167.137,188.34.167.168,188.34.167.170,188.34.167.3,188.34.167.33,188.34.167.57,188.34.167.67,188.34.167.76,188.34.167.80,188.34.167.9,188.34.188.47,192.161.48.58,195.201.143.182,195.201.23.202,195.201.234.157,195.201.40.180,195.201.40.195,195.201.41.184,195.201.41.253,195.201.42.196,195.201.42.52,195.201.43.168,199.247.13.202,199.247.8.119,207.180.255.28,209.250.232.206,209.250.233.68,217.69.2.2,23.88.126.88,23.88.98.99,23.88.99.196,3.226.72.198,3.236.141.88,3.236.229.233,3.238.182.177,3.239.88.38,3.80.6.223,34.204.194.91,38.242.143.87,38.242.143.89,38.242.143.93,38.242.143.94,38.242.143.95,38.242.143.96,38.242.217.141,38.242.219.117,38.242.219.118,38.242.219.119,44.197.198.13,45.32.155.50,45.32.158.46,45.63.115.234,45.76.129.80,45.77.112.228,45.77.136.233,49.12.105.29,49.12.194.2,5.161.106.107,5.161.108.97,5.161.111.117,5.161.120.97,5.161.128.161,5.161.128.174,5.161.129.141,5.161.129.16,5.161.130.14,5.161.130.15,5.161.130.157,5.161.130.170,5.161.130.60,5.161.131.128,5.161.132.46,5.161.134.65,5.161.136.111,5.161.136.202,5.161.136.8,5.161.137.148,5.161.137.205,5.161.137.227,5.161.137.67,5.161.138.11,5.161.138.136,5.161.138.215,5.161.139.166,5.161.139.170,5.161.139.45,5.161.141.6,5.161.142.207,5.161.143.106,5.161.44.30,5.161.47.25,5.161.65.101,5.161.98.204,62.171.156.182,62.171.174.2,65.108.150.191,65.108.150.30,65.108.154.195,65.108.154.240,65.108.154.44,65.108.208.175,65.108.236.24,65.108.240.161,65.108.240.222,65.108.242.104,65.108.247.157,65.108.253.26,65.108.253.96,65.108.58.37,65.108.81.84,65.108.92.46,65.109.0.110,65.109.0.68,65.109.1.121,65.109.1.148,65.109.10.199,65.109.11.181,65.109.11.183,65.109.12.0,65.109.12.123,65.109.12.249,65.109.12.62,65.109.12.75,65.109.13.147,65.109.15.241,65.109.15.71,65.109.15.84,65.109.3.212,65.109.3.59,65.109.3.72,65.109.4.173,65.109.5.121,65.109.5.198,65.109.6.124,65.109.6.145,65.109.6.218,65.109.6.36,65.109.6.78,65.109.7.133,65.109.7.235,65.109.8.108,65.2.36.55,67.228.80.154,70.34.246.14,70.34.250.101,70.34.251.113,70.34.255.17,78.141.216.234,78.46.126.64,78.46.160.60,78.46.164.159,78.46.187.18,78.46.196.219,78.46.200.240,78.46.233.193,78.46.233.90,78.46.239.161,78.46.242.109,78.47.131.171,78.47.139.126,78.47.148.73,78.47.174.133,78.47.205.132,78.47.206.2,78.47.21.102,78.47.217.170,78.47.228.95,78.47.52.87,78.47.58.10,78.47.58.189,78.47.76.223,88.198.106.179,88.198.152.36,88.198.155.171,88.198.156.50,88.198.215.110,88.198.238.203,88.99.12.119,88.99.30.225,94.130.176.151,94.130.177.15,94.130.177.235,94.130.177.46,94.130.178.100,94.130.178.19,94.130.178.26,94.130.180.25,94.130.182.132,94.130.182.44,94.130.183.147,94.130.183.89,94.130.58.171,95.179.163.68,95.216.136.244,95.216.137.76,95.216.137.84,95.216.175.68,95.217.0.102,95.217.0.62,95.217.1.2,95.217.1.36,95.217.1.42,95.217.135.251,95.217.154.233,95.217.158.182,95.217.187.31
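A ban list of several hundred single hosts is hard to read and hard to maintain. The following added example (not the poster's tooling) groups a subset of the list above by /24, reports which prefixes hold the most banned hosts, and collapses any prefix with at least two listed hosts into one CIDR entry while keeping lone hosts as /32. The addresses are taken from the list above; the /24 granularity and the two-host minimum are assumptions, and the example does not identify the hosting provider (that needs a whois/RDAP lookup, as the later reply does).

```python
import ipaddress
from collections import Counter

# A subset of the ban list posted above (addresses taken from the thread).
BANNED = ("107.191.46.39,107.191.47.85,157.90.16.121,157.90.16.139,157.90.16.168,"
          "168.119.241.109,168.119.241.124,168.119.241.13,168.119.241.152,"
          "168.119.241.211,168.119.241.28,168.119.241.6,168.119.241.62,"
          "188.34.160.17,188.34.160.172,188.34.160.192,188.34.160.200,"
          "188.34.160.203,188.34.160.212,188.34.160.7,217.69.2.2").split(",")


def by_prefix(addrs, prefixlen: int = 24) -> Counter:
    """How many listed hosts fall in each /prefixlen; keys are CIDR strings."""
    hits = Counter()
    for a in addrs:
        hits[str(ipaddress.ip_network(f"{a}/{prefixlen}", strict=False))] += 1
    return hits


def collapse(addrs, prefixlen: int = 24, min_hits: int = 2) -> list:
    """Ban set as CIDR strings: a prefix with at least `min_hits` listed hosts
    becomes one entry, every other host stays a single /32. Overlapping and
    duplicate entries are merged by ipaddress.collapse_addresses."""
    hits = by_prefix(addrs, prefixlen)
    nets = []
    for a in addrs:
        net = ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
        nets.append(net if hits[str(net)] >= min_hits else ipaddress.ip_network(a))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    print("busiest prefixes:")
    for net, n in by_prefix(BANNED).most_common(3):
        print(f"  {net}: {n} hosts")
    print("collapsed ban set:")
    for entry in collapse(BANNED):
        print(f"  {entry}")
```

The collapsed form is shorter, but every widened entry also covers hosts that were never seen attacking, and at a hoster like the ones in the list those will include other Tor relays and ordinary Tor clients. Before loading a /24 into a firewall set, check it against the current consensus so that no relay's ORPort traffic is dropped, and prefer the per-host list where a prefix has only a couple of hits.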

Can you tell which other German hosters are affected?

Thx Sean

I put my banlist into a Domain and IP bulk lookup tool and found Choopa and Contabo there besides Hetzner.


Related issue:


If we all write abuse reports to their providers, we could at least make the attackers' life temporarily more difficult, because they might need to switch providers.

Some countries (including Germany and, I think, the US too) even have laws against DDoS attacks.

This all is obviously not a real solution but only a workaround, because they can switch to providers that do not care about abuse reports or to providers where you can sign up anonymously.

But technically you leak Tor users' IP addresses, and I am not aware that the attacker has spoken up and shown proof that it's in fact a planned attack.
Very unlikely, but it could still be a heavy misconfiguration, no?

That's why I had hoped to get an official answer from the Tor Project, so as not to be a bad relay operator.