[tor-relays] Performance issues/DoS from outgoing Exit connections

Hello,

on the evening of 2022-10-18, we (Artikel10) started getting alerts about our Tor servers, while our traffic declined sharply. When we investigated, we found that there were hundreds of thousands of TCP connections (per server) open to a single address, orders of magnitude more than any other address. We blocked this address via “ExitPolicy reject”, then another one, and since then things seem to have improved.

I have thrown together a small Python script to detect this and generate “ExitPolicy reject” lines automatically:
https://github.com/artikel10/surgeprotector

This is still experimental, so if you decide to give the script a try, please keep an eye on it.

Kind regards,
Alexander

IMO a "reload tor" is fully sufficient and should be preferrred over
"restart", or ?

Years ago I wrote a bash script, which created for an ip to be blocked
just an own file. Such a file can be easily removed and then tor
reloaded to unblock that ip

Just tested because Applied Privacy and I have the problem that the exit
policy rules do not work with some IPs¹.

Last night at 10pm: IP 79.137.192.228 had 500k connections. Added the IP to
the exit policy and reloaded tor.

Policy in that order:
ExitPolicy reject 79.137.192.228/32:*
ExitPolicy reject *:22
ExitPolicy reject *:25
ExitPolicy accept *:*

12 hours later the IP still has over 100k connections.
-> systemctl restart tor
1 hour later the IP has 0 connections

¹ExitPolicy should apply to already established outbound connections (with a config option, off by default) (#40676) · Issues · The Tor Project / Core / Tor · GitLab

Toralf Förster <toralf.foerster@gmx.de> hat am 22.10.2022 22:40 CEST geschrieben:

IMO a "reload tor" is fully sufficient and should be preferrred over
"restart", or ?

A "reload" will update the ExitPolicy, but not drain existing connections very quickly, at least on our servers. Feel free to use whatever your preferred command/script is, though.

Kind regards,
Alexander