[tor-relays] Overload (dropped ntor) due to DDoS??

Hi All

I have a non exit relay running on a root server (4 AMD Epyc cores, 8 GB RAM, 2.5 GBit/s Ethernet)
I have limited tor to numcpus 2, relaybandwidthburst 15 MB, hardwareaccel 1, maxadvertisedbandwidth 10 MB, maxmeminqueues 3GB

Usually it takes less than 1 CPU core, and like 1 GB of RAM.
But recently my relay is often shown as overloaded.
I have these LOG entries:
Tor[814]: General overload -> Ntor dropped (290376) fraction 5.3451% is above threshold of 0.5000%

Is this due to DDoS attacks or a misconfiguration on my side?
Is there something that I can do to alleviate this issue?

CU, Ricsi


_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Richard Menedetter wrote:

Hi All

I have a non exit relay running on a root server (4 AMD Epyc cores, 8 GB RAM, 2.5 GBit/s Ethernet)
I have limited tor to numcpus 2, relaybandwidthburst 15 MB, hardwareaccel 1, maxadvertisedbandwidth 10 MB, maxmeminqueues 3GB

Thanks for running a relay!

didn't you also use RelayBandwidthRate along with RelayBandwidthBurst ?

Usually it takes less than 1 CPU core, and like 1 GB of RAM.
But recently my relay is often shown as overloaded.
I have these LOG entries:
Tor[814]: General overload -> Ntor dropped (290376) fraction 5.3451% is above threshold of 0.5000%

You are not the only one, it's an ongoing DoS attack on the network, targeting onion services.

Is this due to DDoS attacks or a misconfiguration on my side?

Besides the question above about RelayBandwidthRate I don't see anything wrong.

Is there something that I can do to alleviate this issue?

Nope, there is nothing you can do, unfortunately. Tor has some defenses against DoS and will blacklist / mark the abusing addresses, etc. as much as it can. But as you know DoS is a never ending battle, usually won by having a "larger pipe", and it's something hard to tackle in an environment where anonymity is the grounding law.

What you can do is maintain your relay up and running in good shape with the latest version of Tor until this "attack" gets through. As I said, I guess most relays are getting this at present times. The DoS "attack" is not targeted at your relay; what you are seeing is just a side effect of someone creating large amounts of circuits (heavy usage of Tor) which is reflected network-wide anyway.


CU, Ricsi


Richard Menedetter wrote:

> I have a non exit relay running on a root server (4 AMD Epyc cores, 8 GB
> RAM, 2.5 GBit/s Ethernet) I have limited tor to numcpus 2,

Why? Do you have other services on the server? Otherwise, omit NumCPUs. Let
the tor daemon use all CPUs for crypto stuff.

> relaybandwidthburst 15 MB, hardwareaccel 1, maxadvertisedbandwidth 10 MB,
> maxmeminqueues 3GB

Thanks for running a relay!

didn't you also use RelayBandwidthRate along with RelayBandwidthBurst ?

>
> Usually it takes less than 1 CPU core, and like 1 GB of RAM.
> But recently my relay is often shown as overloaded.
> I have these LOG entries:
> Tor[814]: General overload -> Ntor dropped (290376) fraction 5.3451% is
> above threshold of 0.5000%

You are not the only one, it's an ongoing DoS attack on the network,
targeting onion services.

>
> Is this due to DDoS attacks or a misconfiguration on my side?

Besides the question above about RelayBandwidthRate I don't see anything
wrong.

> Is there something that I can do to alleviate this issue?

Nope, there is nothing you can do, unfortunately. Tor has some defenses
against DoS and will blacklist / mark the abusing addresses, etc. as
much as it can. But as you know DoS is a never ending battle, usually
won by having a "larger pipe", and it's something hard to tackle in an
environment where anonymity is the grounding law.

What you can do is maintain your relay up and running in good shape with
the latest version of Tor until this "attack" gets through. As I said, I
guess most relays are getting this at present times. The DoS "attack"
is not targeted at your relay; what you are seeing is just a side effect
of someone creating large amounts of circuits (heavy usage of Tor) which
is reflected network-wide anyway.

Sometimes 100,000-1,000,000 connections from one IP!
I block the worst with 2 nftables egress rules.

toralf has developed some smarter ddos scripts:


On Friday, August 5, 2022 1:11:27 AM CEST s7r wrote:

--
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!
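The approach Marco describes above (spotting source IPs with an abnormal number of connections to the ORPort and blocking them with nftables) can be scripted. The block below is an added example written for this page; it is not Marco's rules, not toralf's scripts, and not part of the thread. It parses `ss` output, counts established connections per peer address, and prints the `nft add element` commands for peers above a threshold instead of executing them, so it can be run and checked offline on a constructed sample. The table name `inet filter`, the set names `tor_ddos` / `tor_ddos6`, the ORPort 9001 and the sample addresses are all assumptions; the threshold in a real deployment would be far higher than the one used for the sample, and a relay peer legitimately needs only a handful of connections, so a single address with hundreds or more is what you are looking for.

```shell
#!/bin/sh
# Added example, not code from the tor-relays thread.
# Count established TCP connections to the ORPort per remote IP and
# emit nft commands that add the worst offenders to a blocklist set.
# Assumptions: table "inet filter", sets "tor_ddos" (IPv4) and
# "tor_ddos6" (IPv6), ORPort 9001. Adapt to your own ruleset.

ORPORT="${ORPORT:-9001}"

# Constructed sample in the shape of
#   ss -Htn state established "( sport = :9001 )"
# Columns: Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS='0 0 203.0.113.10:9001 198.51.100.7:40001
0 0 203.0.113.10:9001 198.51.100.7:40002
0 0 203.0.113.10:9001 198.51.100.7:40003
0 0 203.0.113.10:9001 192.0.2.55:51000
0 0 203.0.113.10:9001 [2001:db8::1]:33000
0 0 203.0.113.10:9001 [2001:db8::1]:33001'

# count_peers: read ss lines on stdin, print "count ip" sorted descending.
count_peers() {
    awk '{
        peer = $4
        # Strip the port: IPv6 peers look like [addr]:port, IPv4 like a.b.c.d:port.
        if (peer ~ /^\[/) { sub(/\]:[0-9]+$/, "", peer); sub(/^\[/, "", peer) }
        else              { sub(/:[0-9]+$/, "", peer) }
        n[peer]++
    } END { for (p in n) print n[p], p }' | sort -rn
}

# offenders THRESHOLD: from "count ip" lines, print IPs with count >= THRESHOLD.
offenders() {
    awk -v t="$1" '$1 >= t { print $2 }'
}

# nft_cmds: turn a list of IPs into "nft add element" commands.
# They are printed, not executed, so the output can be reviewed first.
nft_cmds() {
    while read -r ip; do
        case "$ip" in
            *:*) echo "nft add element inet filter tor_ddos6 { $ip }" ;;
            *)   echo "nft add element inet filter tor_ddos { $ip }" ;;
        esac
    done
}

# live_ss: the real data source, used when running against a live relay.
live_ss() { ss -Htn state established "( sport = :$ORPORT )"; }

# Usage on a live relay (threshold 500 is an arbitrary starting point):
#   live_ss | count_peers | offenders 500 | nft_cmds
# Dry run on the constructed sample:
#   printf '%s\n' "$SAMPLE_SS" | count_peers | offenders 2 | nft_cmds
```

The sets referenced by the commands must already exist in the ruleset (for example an `inet filter` table with `set tor_ddos { type ipv4_addr; }` and a rule dropping `ip saddr @tor_ddos` on the ORPort), and a `timeout` on the set elements keeps the blocklist from growing forever, since the offending addresses rotate over the course of an attack.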