[tor-relays] unbound bogs down strangely, degrading exit relay
Dhalgren Tor
dhalgren.tor at gmail.com
Fri Mar 18 15:46:56 UTC 2016
As with the earlier incident, problem came back within hours of
restarting the daemons.

Was able to figure out what's happening. Operators running 'unbound' take note!

Problem appears to be the result of someone attempting to DDOS a DNS
service, in this case GoDaddy.

Ran

    lsof -Pn -p <unbnd_pid>

a few times and observed numerous SYN_SENT TCP connections, of of them
to 208.109.255.0/24, where GoDaddy DNS servers are found. Appears
GoDaddy is rate-limiting or blocking requests from the 'unbound'
instance on the relay IP.

Ran

    unbound-control dump_requestlist

and see a large queue of requests to GoDaddy. Finally ran

    unbound-control dump_infra >infralst

and see 14000 lines similar to

    208.109.255.26 cycsErvicioSsAS.coM. expired rto 120000

indicating a huge number of requests have been made to GoDaddy and
have expired after 120 seconds.

Presently the quantity of requests has fallen off and the exit is
operating fine. Have alarmed the tell-tale log message. When it
recurs I expect

    unbound-control purge_requestlist

will mitigate the problem. Presently looking into configuring
'ratelimit' feature of 'unbound'. If anyone has already done this
successfully please post to this thread.
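
Added example, not part of the original post: a shell/awk summary of `unbound-control dump_infra` output that counts entries whose rto has reached 120000 per upstream /24, which is the pattern the post found by hand in `infralst`. The function names and all sample lines except the first are constructed, and the layout of the non-expired line is an assumption.

```shell
#!/bin/sh
# Summarise dump_infra output: count entries whose rto has reached the
# 120000 ms value seen in the post, grouped by upstream /24 (IPv4 only).

# Constructed sample. The first line is the one quoted in the post; the
# others are made up (documentation addresses and names), and the layout
# of the non-expired line is an assumption.
sample_infra() {
cat <<'EOF'
208.109.255.26 cycsErvicioSsAS.coM. expired rto 120000
208.109.255.26 eXample-One.cOm. expired rto 120000
208.109.255.51 ExAmple-two.com. expired rto 120000
192.0.2.53 example.net. ttl 512 ping 20 var 30 rtt 140 rto 140
198.51.100.7 example.org. expired rto 376
EOF
}

# stuck_by_net [threshold_ms]: reads dump_infra lines on stdin and prints
# "count network/24" for each /24 with entries at or above the threshold,
# largest count first.
stuck_by_net() {
    awk -v max="${1:-120000}" '
    {
        rto = -1
        # the rto value is the field following the literal token "rto"
        for (i = 3; i < NF; i++) if ($i == "rto") rto = $(i + 1) + 0
        if (rto < max) next
        split($1, o, ".")
        if (o[4] == "") next            # not a dotted-quad address
        hits[o[1] "." o[2] "." o[3] ".0/24"]++
    }
    END { for (n in hits) print hits[n], n }' | sort -rn
}

# over_limit limit: exit status 0 when any /24 on stdin has more than
# `limit` stuck entries, so it can drive an alarm from cron.
over_limit() {
    stuck_by_net | awk -v lim="$1" '$1 > lim { bad = 1 } END { exit (bad ? 0 : 1) }'
}

sample_infra | stuck_by_net
```

Against a live resolver, feed it the file from the post instead of the sample: `stuck_by_net < infralst`.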