[tor-relays] Overload (dropped ntor) due to DDoS??
lists at for-privacy.net
Fri Aug 5 14:42:55 UTC 2022
On Friday, August 5, 2022 1:11:27 AM CEST s7r wrote:
> Richard Menedetter wrote:
> > I have a non exit relay running on a root server (4 AMD Epyc cores, 8 GB
> > RAM, 2.5 GBit/s Ethernet) I have limited tor to numcpus 2,
Why? Do you have other services on the server? Otherwise, omit NumCPUs. Let
the tor daemon use all CPUs for crypto stuff.
> > relaybandwidthburst 15 MB, hardwareaccel 1, maxadvertisedbandwidth 10 MB,
> > maxmeminqueues 3GB
>
> Thanks for running a relay!
>
> didn't you also use RelayBandwidthRate along with RelayBandwidthBurst ?
>
>
> >
> > Usually it takes less than 1 CPU core, and like 1 GB of RAM.
> > But recently my relay is often shown as overloaded.
> > I have these LOG entries:
> > Tor[814]: General overload -> Ntor dropped (290376) fraction 5.3451% is
> > above threshold of 0.5000%
>
> You are not the only one, it's an ongoing DoS attack on the network,
> targeting onion services.
>
>
> >
> > Is this due to DDoS attacks or a misconfiguration on my side?
>
>
> Besides the question above about RelayBandwidthRate I don't see anything
> wrong.
>
>
> > Is there something that I can do to alleviate this issue?
>
>
> Nope, there is nothing you can do, unfortunately. Tor has some defenses
> against DoS and will blacklist / mark the abusing addresses, etc. as
> much as it can. But as you know DoS is a never ending battle, usually
> won by having a "larger pipe", and it's something hard to tackle in an
> environment where anonymity is the grounding law.
>
> What you can do is keep your relay up and running in good shape with
> the latest version of Tor until this "attack" gets through. As I said, I
> guess most relays are getting this at present. The DoS "attack"
> is not targeted at your relay; what you are seeing is just a side effect
> of someone creating large amounts of circuits (heavy usage of Tor), which
> is reflected network-wide anyway.
Sometimes 100,000 to 1,000,000 connections from one IP!
I block the worst with 2 nftables egress rules.
toralf has developed some smarter DDoS scripts:
https://github.com/toralf/torutils
--
╰_╯ Ciao Marco!
Debian GNU/Linux
It's free software and it gives you freedom!
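The reply above mentions blocking the worst sources (hundreds of thousands of connections from a single IP) with nftables rules but shows none. The script below is an added illustration of that approach and is not from the thread, from the Tor project or from toralf/torutils. It counts established connections per peer address on the ORPort from `ss` output and prints (but does not execute) the nft commands that would add the worst offenders to a timed blocklist set. The ORPort (9001), the per-IP threshold, the ban time, the table/chain names (`inet filter`, chain `input`) and the set names are all assumptions you would adapt; the `ss` lines used for the demonstration are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the tor-relays thread or torutils): rank peers by
# established connection count on the ORPort and emit nft blocklist commands.
# Dry run only: commands are printed, never executed.

ORPORT="${ORPORT:-9001}"        # assumption: relay ORPort
THRESHOLD="${THRESHOLD:-500}"   # assumption: connections per IP before we block
BAN_TIME="${BAN_TIME:-1h}"      # assumption: element timeout in the nft set
NFT_TABLE="inet filter"         # assumption: an existing table with an input chain
NFT_SET="tor_ddos"              # sets tor_ddos4 / tor_ddos6 are created below

# Constructed sample in `ss -Htn` layout (Recv-Q Send-Q Local Peer);
# 203.0.113.5 holds three connections, 2001:db8::9 two, 192.0.2.7 one.
SAMPLE_SS='0 0 198.51.100.10:9001 203.0.113.5:41234
0 0 198.51.100.10:9001 203.0.113.5:41235
0 0 198.51.100.10:9001 203.0.113.5:41236
0 0 198.51.100.10:9001 192.0.2.7:50001
0 0 198.51.100.10:9001 [2001:db8::9]:4000
0 0 198.51.100.10:9001 [2001:db8::9]:4001'

# Read ss lines on stdin; print "count ip" for every peer with at least $1
# connections, most connections first. The peer address is the last field,
# so the function works whether or not ss printed a State column.
top_offenders() {
    awk -v t="$1" '
        {
            peer = $NF
            sub(/:[0-9]+$/, "", peer)   # strip the remote port
            gsub(/[\[\]]/, "", peer)    # strip IPv6 brackets
            n[peer]++
        }
        END {
            for (ip in n) if (n[ip] >= t) print n[ip], ip
        }' | sort -rn
}

# One-time setup: timed sets plus drop rules on the ORPort for both families.
nft_setup_commands() {
    printf "nft add set %s %s4 '{ type ipv4_addr; flags timeout; }'\n" "$NFT_TABLE" "$NFT_SET"
    printf "nft add set %s %s6 '{ type ipv6_addr; flags timeout; }'\n" "$NFT_TABLE" "$NFT_SET"
    printf "nft add rule %s input ip saddr @%s4 tcp dport %s drop\n" "$NFT_TABLE" "$NFT_SET" "$ORPORT"
    printf "nft add rule %s input ip6 saddr @%s6 tcp dport %s drop\n" "$NFT_TABLE" "$NFT_SET" "$ORPORT"
}

# Read "count ip" lines on stdin; print one nft add element command per IP,
# choosing the IPv4 or IPv6 set by the presence of a colon in the address.
nft_block_commands() {
    while read -r _count ip; do
        case "$ip" in
            *:*) set_name="${NFT_SET}6" ;;
            *)   set_name="${NFT_SET}4" ;;
        esac
        printf "nft add element %s %s '{ %s timeout %s }'\n" "$NFT_TABLE" "$set_name" "$ip" "$BAN_TIME"
    done
}

if [ "${1:-}" = "--live" ]; then
    # Live mode: inspect the real socket table (needs ss from iproute2).
    ss -Htn state established "( sport = :$ORPORT )" | top_offenders "$THRESHOLD" | nft_block_commands
else
    # Demo mode on the constructed sample with a low threshold of 3.
    nft_setup_commands
    printf '%s\n' "$SAMPLE_SS" | top_offenders 3 | nft_block_commands
fi
```

Run it with `--live` on the relay to see which element commands it would emit, raise the threshold until only the obvious outliers remain, and only then pipe the output into `sh`. Two caveats: the drop rule only stops new SYNs if it sits after a `ct state established,related accept` rule, so either place it before that rule or flush conntrack entries for the banned address if you want existing flows torn down too; and a timed set is deliberately used so that an address which was only briefly abusive (or a busy relay behind NAT) is unblocked again without manual cleanup.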