[tor-relays] We need to talk about the latest DDoS affecting the Tor network
carlos1001
tor-relay-admin at carlos1001.com
Sat May 25 08:20:38 UTC 2024
Hi, yes, I think there is a form of DDoS happening, but I'm not sure.
For example, sampling one of my relays shows ~150 IPs that are not
relays with over 14 connections currently. I don't think that amount of
connections from a single IP makes a lot of sense.
I will say, however, I'm not getting overloaded as badly compared to last
year/late 2022, or I don't think I am at least. Banning IPs that appear
to be spamming `connect()` helps a bit. Banning malformed TCP
segments also helps a bit (think impossible combinations of TCP flags,
for example).
On 5/16/2024 2:39 PM, koizoi via tor-relays wrote:
> For several weeks now, users have been complaining (see
> https://www.reddit.com/r/TOR/comments/1cnmsdz/tor_extremely_slow_lately/,
> https://forum.torproject.org/t/is-there-currently-a-major-ddos-affecting-the-networks-availability/12492,
> etc) about degraded performance (slow speeds, timeouts) when using
> Tor, both to access v3 onion sites and clearnet websites. In my
> personal experience, most v3 onion services are responding so slowly
> that they're completely unusable.
>
> It turns out that it's not just people's imaginations; looking at
> charts on metrics.torproject.org, it can be seen that the time to
> complete a 5MiB request over Tor has increased substantially
> (https://ibb.co/tp1CHdh). All of this is very reminiscent of the large
> scale DDoS that affected Tor relay nodes in 2022-2023.
>
> Tor relay operators have reported "attacks" on their relays, but there
> haven't been many details about what kind of attacks are taking place,
> other than some people saying that they have been TCP SYN flooded. But
> (to me, anyway) SYN flooding doesn't really make a lot of sense as
> there are so many Tor relay nodes that would need to be attacked (and
> misconfigured to allow a SYN flood attack to work), and even if it
> were a SYN flood, that would cause different behavior than what users
> have been seeing (preventing connections to the Tor network rather
> than slowing them down).
>
> I understand that DDoS attacks on the Tor network might be kind of a
> touchy subject, but it would be good if we could get some information
> from the project leadership as to what's going on, what is being done
> about it, and what Tor relay operators can do to help prevent attacks
> like these from happening.
>
> Thanks
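The per-IP sampling described in the reply above (non-relay addresses holding more than 14 connections), as an added example that is not part of the original messages: it tallies established connections to the ORPort per peer from `ss -Htn state established` output and reports the non-relay peers above that figure. The ORPort 9001, the sample lines and the relay set are constructed; the relay address list is assumed to come from the operator's own copy of the consensus.

```python
import ipaddress
from collections import Counter

THRESHOLD = 14  # "over 14 connections" is the figure from the post

def split_endpoint(endpoint):
    """Split ss-style 'addr:port' or '[v6addr]:port' into (ip, port)."""
    host, _, port = endpoint.rpartition(":")
    ip = ipaddress.ip_address(host.strip("[]"))
    # Fold IPv4-mapped IPv6 peers (::ffff:a.b.c.d) into the IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ip, int(port)

def heavy_non_relay_peers(ss_lines, or_port, relay_ips, threshold=THRESHOLD):
    """Map peer IP -> count for non-relay peers holding more than
    `threshold` established connections to the local ORPort."""
    relays = {ipaddress.ip_address(a) for a in relay_ips}
    counts = Counter()
    for line in ss_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            _, local_port = split_endpoint(fields[-2])
            peer_ip, _ = split_endpoint(fields[-1])
        except ValueError:
            continue  # header line or unparsable endpoint
        if local_port == or_port and peer_ip not in relays:
            counts[peer_ip] += 1
    return {str(ip): n for ip, n in counts.items() if n > threshold}

def sample_lines():
    """Constructed ss output; all addresses are documentation ranges."""
    row = "0 0 203.0.113.10:9001 {}:{}"
    lines = [row.format("198.51.100.7", 40000 + i) for i in range(20)]  # noisy
    lines += [row.format("192.0.2.50", 50000 + i) for i in range(30)]   # relay
    lines += [row.format("198.51.100.9", 41000 + i) for i in range(3)]  # normal
    lines += ["0 0 [2001:db8::10]:9001 [::ffff:198.51.100.7]:%d" % (42000 + i)
              for i in range(2)]  # same noisy peer over a dual-stack socket
    lines.append("0 0 203.0.113.10:22 198.51.100.200:51000")  # not the ORPort
    return lines

if __name__ == "__main__":
    hits = heavy_non_relay_peers(sample_lines(), 9001, {"192.0.2.50"})
    for ip, n in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{ip}\t{n}")
```

Excluding relay addresses before applying the threshold matters because other relays legitimately hold many connections to an ORPort; the same peer reached over IPv4 and as an IPv4-mapped IPv6 address is counted once.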