[tor-relays] a characteristic of recent attacks?

The vast majority of recent surges of unusual activity on my humble
relay, which I take as likely being attacks, result in large changes in
the hour-to-hour statistic shown below in these lines extracted from the
hourly heartbeat message groups.

Aug 31 19:02:28.549 [notice] Heartbeat: DoS mitigation since startup: 15 circuits killed with too many cells, 0 circuits rejected, 0 marked addresses, 14 same address concurrent connections rejected, 0 connections rejected, 5 single hop clients refused, 1706742 INTRODUCE2 rejected.
Aug 31 20:02:28.546 [notice] Heartbeat: DoS mitigation since startup: 15 circuits killed with too many cells, 0 circuits rejected, 0 marked addresses, 14 same address concurrent connections rejected, 0 connections rejected, 5 single hop clients refused, 1706742 INTRODUCE2 rejected.
Aug 31 21:02:28.549 [notice] Heartbeat: DoS mitigation since startup: 15 circuits killed with too many cells, 0 circuits rejected, 0 marked addresses, 14 same address concurrent connections rejected, 0 connections rejected, 5 single hop clients refused, 1706742 INTRODUCE2 rejected.
Aug 31 22:02:28.544 [notice] Heartbeat: DoS mitigation since startup: 15 circuits killed with too many cells, 0 circuits rejected, 0 marked addresses, 14 same address concurrent connections rejected, 0 connections rejected, 5 single hop clients refused, 1770970 INTRODUCE2 rejected.
Aug 31 23:02:28.556 [notice] Heartbeat: DoS mitigation since startup: 16 circuits killed with too many cells, 0 circuits rejected, 0 marked addresses, 14 same address concurrent connections rejected, 0 connections rejected, 5 single hop clients refused, 2013266 INTRODUCE2 rejected.

The most recent such surge appears to have ended less than an hour ago.
Note that there was no change in the count of "INTRODUCE2 rejected" for
many hours leading up to the onset of unusual activity, though I've only
shown three prior hours' worth. Then there is an increase of 63227 in
this count during the first hour and another 41296 during the second
hour. Often during these periods the input appears to be maxed out, and
sometimes the output rate is still higher by several hundred KB/s.
     My question is, do other relay operators whose relays are being
attacked see the same phenomenon? In addition, if someone knows of an
effective way to turn such things aside at less cost than by simply
leaving them to tor to deal with, I'd love to know about it, too, though
I suspect there may be no such method.
     Thanks in advance for any relevant information!

                                  Scott Bennett, Comm. ASMELG, CFIAG


**********************************************************************
* Internet: bennett at sdf.org *xor* bennett at freeshell.org *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good *
* objection to the introduction of that bane of all free governments *
* -- a standing army." *
* -- Gov. John Hancock, New York Journal, 28 January 1790 *
**********************************************************************
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


      My question is, do other relay operators whose relays are being
attacked see the same phenomenon?

My relay's (8F6A78B1EA917F2BF221E87D14361C050A70CCC3) heartbeat messages show a steady increase. This could be because I only get HB every 6 hours.

In addition, if someone knows of an
effective way to turn such things aside at less cost than by simply
leaving them to tor to deal with, I'd love to know about it, too, though
I suspect there may be no such method.

I use connection limits in my firewall. At the moment the counters show 154M connections dropped from 595 IP addresses vs 13M connections let through.

This measure has helped the relay run smoother but it still gets flagged as overloaded.


On 2022-09-01 06:53, Scott Bennett wrote:


     The vast majority of recent surges of unusual activity on my humble
relay, which I take as likely being attacks, result in large changes in
the hour-to-hour statistic shown below in these lines extracted from the
hourly heartbeat message groups.

Aug 31 19:02:28.549 [notice] Heartbeat: DoS mitigation since startup: 15 circuits killed with too many cells, 0 circuits rejected, 0 marked addresses, 14 same address concurrent connections rejected, 0 connections rejected, 5 single hop clients refused, 1706742 INTRODUCE2 rejected.
Aug 31 20:02:28.546 [notice] Heartbeat: DoS mitigation since startup: 15 circuits killed with too many cells, 0 circuits rejected, 0 marked addresses, 14 same address concurrent connections rejected, 0 connections rejected, 5 single hop clients refused, 1706742 INTRODUCE2 rejected.
Aug 31 21:02:28.549 [notice] Heartbeat: DoS mitigation since startup: 15 circuits killed with too many cells, 0 circuits rejected, 0 marked addresses, 14 same address concurrent connections rejected, 0 connections rejected, 5 single hop clients refused, 1706742 INTRODUCE2 rejected.
Aug 31 22:02:28.544 [notice] Heartbeat: DoS mitigation since startup: 15 circuits killed with too many cells, 0 circuits rejected, 0 marked addresses, 14 same address concurrent connections rejected, 0 connections rejected, 5 single hop clients refused, 1770970 INTRODUCE2 rejected.
Aug 31 23:02:28.556 [notice] Heartbeat: DoS mitigation since startup: 16 circuits killed with too many cells, 0 circuits rejected, 0 marked addresses, 14 same address concurrent connections rejected, 0 connections rejected, 5 single hop clients refused, 2013266 INTRODUCE2 rejected.

The most recent such surge appears to have ended less than an hour ago.
Note that there was no change in the count of "INTRODUCE2 rejected" for
many hours leading up to the onset of unusual activity, though I've only
shown three prior hours' worth. Then there is an increase of 63227 in
                                                             ^^^^^
this count during the first hour and another 41296 during the second
                                             ^^^^^
     Obviously, the above figures should have been 64228 and 242296. Either
way, they seem like an awful lot of bungled hidden service access attempts
to occur within an hour, so it's either a bug in hidden services (which
would not be unheard of) or it's a deliberate attack.

hour. Often during these periods the input appears to be maxed out, and
sometimes the output rate is still higher by several hundred KB/s.
     My question is, do other relay operators whose relays are being
attacked see the same phenomenon? In addition, if someone knows of an
effective way to turn such things aside at less cost than by simply
leaving them to tor to deal with, I'd love to know about it, too, though
I suspect there may be no such method.
     Thanks in advance for any relevant information!

                                  Scott Bennett, Comm. ASMELG, CFIAG

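A small parser for the "DoS mitigation since startup" heartbeat lines discussed in this thread, added here as an example (it is not code from the thread or from tor itself). It turns the cumulative since-startup counters into per-heartbeat increments, which reproduces the corrected figures 64228 and 242296 from the five lines quoted above, and treats a counter that goes backwards as a tor restart rather than a negative increment. The threshold used for flagging a surge is an assumption; tune it to the relay's own baseline.

```python
import re

# Constructed sample input: the five heartbeat lines quoted in the thread.
SAMPLE_LOG = """\
Aug 31 19:02:28.549 [notice] Heartbeat: DoS mitigation since startup: 15 circuits killed with too many cells, 0 circuits rejected, 0 marked addresses, 14 same address concurrent connections rejected, 0 connections rejected, 5 single hop clients refused, 1706742 INTRODUCE2 rejected.
Aug 31 20:02:28.546 [notice] Heartbeat: DoS mitigation since startup: 15 circuits killed with too many cells, 0 circuits rejected, 0 marked addresses, 14 same address concurrent connections rejected, 0 connections rejected, 5 single hop clients refused, 1706742 INTRODUCE2 rejected.
Aug 31 21:02:28.549 [notice] Heartbeat: DoS mitigation since startup: 15 circuits killed with too many cells, 0 circuits rejected, 0 marked addresses, 14 same address concurrent connections rejected, 0 connections rejected, 5 single hop clients refused, 1706742 INTRODUCE2 rejected.
Aug 31 22:02:28.544 [notice] Heartbeat: DoS mitigation since startup: 15 circuits killed with too many cells, 0 circuits rejected, 0 marked addresses, 14 same address concurrent connections rejected, 0 connections rejected, 5 single hop clients refused, 1770970 INTRODUCE2 rejected.
Aug 31 23:02:28.556 [notice] Heartbeat: DoS mitigation since startup: 16 circuits killed with too many cells, 0 circuits rejected, 0 marked addresses, 14 same address concurrent connections rejected, 0 connections rejected, 5 single hop clients refused, 2013266 INTRODUCE2 rejected.
"""

HB_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d+) \[notice\] Heartbeat: "
    r"DoS mitigation since startup: (?P<body>.*)$"
)


def parse_heartbeat(line):
    """Return (timestamp, {counter name: value}) for a DoS-mitigation heartbeat line, else None."""
    m = HB_RE.match(line)
    if not m:
        return None
    counters = {}
    # The body is a comma-separated list of "<count> <description>" items ending in a period.
    for item in m.group("body").rstrip(".").split(", "):
        num, _, name = item.partition(" ")
        counters[name] = int(num)
    return m.group("ts"), counters


def interval_deltas(lines, counter="INTRODUCE2 rejected"):
    """Convert the cumulative since-startup counter into per-heartbeat increments.

    The counters reset to zero when tor restarts, so a value lower than the previous
    sample is taken as a restart and the current value is itself the increment.
    """
    samples = [p for p in map(parse_heartbeat, lines) if p]
    deltas = []
    for (_, prev), (ts, cur) in zip(samples, samples[1:]):
        diff = cur[counter] - prev[counter]
        deltas.append((ts, cur[counter] if diff < 0 else diff))
    return deltas


def surges(deltas, threshold):
    """Heartbeat intervals whose increment reaches the (assumed, operator-chosen) threshold."""
    return [(ts, d) for ts, d in deltas if d >= threshold]


if __name__ == "__main__":
    for ts, d in interval_deltas(SAMPLE_LOG.splitlines()):
        print(ts, d)
```

Run against a full notices.log instead of SAMPLE_LOG to see the per-hour rate of rejected INTRODUCE2 cells for any of the seven counters, not only the one the thread focuses on.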