[tor-relays] Relay DDoS attack?

teor teor2345 at gmail.com
Sat Oct 14 12:14:40 UTC 2017


> On 14 Oct 2017, at 01:59, Peter Rogers <peter.rogers at gmail.com> wrote:
> 
> Hi!
> 
> I've been running a Tor non-exit node at my business for a few months now. So far it's been great! Except yesterday when I noticed my internet was at a crawl. I traced the problem back to a large number of inbound connections that completely overwhelmed my little router (4096 connections, the configured limit). All the connections were being made to my Tor relay from outside IPs. The Tor log file was filling with this:
> 
> Oct 13 14:21:29.000 [warn] assign_to_cpuworker failed. Ignoring.
> Oct 13 14:21:29.000 [warn] assign_to_cpuworker failed. Ignoring.
> Oct 13 14:21:30.000 [warn] Your computer is too slow to handle this many circuit creation requests! Please consider using the MaxAdvertisedBandwidth config option or choosing a more restricted exit policy. [1779 similar message(s) suppressed in last 60 seconds]
> 
> I shut down the relay, then eventually disconnected my internal network from the router hoping the traffic would slow. It continued for maybe another 2-3 hours until I finally unplugged the router and left for the weekend.
> 
> I was able to capture some of the traffic and found most of it originated from other Tor (non-exit) relay nodes. In a 5-minute sample there were some 170,000 SYN packets sent by some 4000+ unique IPs. I used a script to check the collected IPs against the list of known Tor nodes and they're almost all Tor (non-exit) relays.
> 
> Hopefully it auto-fixes itself when I'm back at work Monday morning. But mostly I'm curious to know what's going on. Anybody encounter a situation like this?

There are about 7000 relays in the Tor network.
Any Tor relay expects to be able to connect to them all, simultaneously.
This is completely normal.

If you want to keep running a Tor relay:
> Please consider using the MaxAdvertisedBandwidth config option
or get a better router.

T