[tor-relays] NSA knew about Heartbleed
Jobiwan Kenobi
helpme.jobiwan at gmail.com
Sun Apr 13 14:50:41 UTC 2014
On Apr 12, 2014, at 12:34, Scott Bennett wrote:
> [...] the sporadic, sudden mobbing of relays by tens to
> hundreds of times as many incoming connections as those relays
> normally get, often for up to several hours at a time. Systems
> whose CPUs are not powerful enough to keep up with the heavy
> influx of onions to be peeled become bogged down, sometimes to
> the point of their kernel listen queues overflowing and X
> servers becoming unresponsive. [...] My conclusion is that
> the massive (in relation to the background) rates of inbound
> connections are accesses to the hidden services directory part
> of a tor relay.
> Since becoming aware of Heartbleed a few days ago, I have
> been wondering whether the NSA or some other criminal group(s)
> or individual(s) might be using untraceable connections to
> HSDir-flagged relays to acquire lots of memory contents
> illegally with relay operators noticing the events mainly
> because of their deleterious effects on system performance.
I run a relay on a low-powered machine and I see this
happening from time to time. Sometimes multiple times per
week, sometimes not for a few weeks.
In my case, during those times I also have way more download
traffic than upload, so I become a data sink hole. If this
were a data gathering attack, I would expect the opposite:
more upload than download, although this may be (somewhat)
specific to me as I have an older openssl which is supposedly
unaffected.
My (less sexy) theory is that this is caused by clients using
bittorrent over Tor and aggressively creating and abandoning
connections without properly disconnecting, causing the
imbalance between download and upload traffic.
I never tried disabling HSDir but will do so at some point to
test whether it stops these episodes from happening.
-Job