Botnet attack? [was: Re: Declining traffic]

Timo Schoeler timo.schoeler at riscworks.net
Mon Apr 26 13:59:26 UTC 2010


thus Roger Dingledine spake:
> On Fri, Apr 23, 2010 at 02:35:01PM +0200, Timo Schoeler wrote:
>> I'm seeing declining traffic over the last few weeks, please see graph:
>> It dropped from a sustained 2,5Mbps (or more) to about a fifth, with a
>> massive drop today.
>>
>> I'm running
>>
>> tor-0.2.1.25-1.el5.rf
>>
>> on a 64Bit CentOS machine. Is there something going on in the TOR network?
> 
> My first thought is that you updated your openssl rpm in centos, which
> disabled tls renegotiation in yet another new way, and that broke your
> Tor relay. Meaning your relay still worked, but it would only do tls
> renegotiation with other people with centos's particular openssl twist.
> 
> Tor 0.2.2.11-alpha fixes the issue we hope:
>     - Fix SSL renegotiation behavior on OpenSSL versions like on Centos
>       that claim to be earlier than 0.9.8m, but which have in reality
>       backported huge swaths of 0.9.8m or 0.9.8n renegotiation
>       behavior. Possible fix for some cases of bug 1346.
> 
> But we haven't yet put out a stable release that includes that patch.
> 
> So if you upgraded to the latest 0.2.2.x-alpha to get the fixes for other
> bugs, you would get the fix for this bug too. Let us know if it works.

Hi,

after installing v0.2.2.13-alpha (git-feb8c1b5f67f2c6f) and downgrading
OpenSSL before this, my setup works again -- somewhat.

When running tor, I see

i) CPU cycles being eaten up by tor almost entirely;

ii) my machine experiences things like those:

TCP: Treason uncloaked! Peer 217.230.25.218:49206/9001 shrinks window
2175675571:2175696065. Repaired.
TCP: Treason uncloaked! Peer 217.230.25.218:49206/9001 shrinks window
2175675571:2175696065. Repaired.
TCP: Treason uncloaked! Peer 217.230.25.218:49206/9001 shrinks window
2175675571:2175696065. Repaired.
TCP: Treason uncloaked! Peer 124.160.123.73:32536/9001 shrinks window
554805076:554806568. Repaired.
TCP: Treason uncloaked! Peer 87.145.230.151:58404/9001 shrinks window
2362284953:2362292307. Repaired.
TCP: Treason uncloaked! Peer 87.145.230.151:58404/9001 shrinks window
2362284953:2362292307. Repaired.
TCP: Treason uncloaked! Peer 87.145.230.151:58404/9001 shrinks window
2362284953:2362292307. Repaired.

One is a Chinese dialup, the other ones are from a big German ISP
(Deutsche Telekom AG). For me it really seems as if there's some kind of
botnet attack going on.

> --Roger

Timo
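
An added example, not part of the original message or of Tor's code: a small Python triage script that parses kernel messages of the form quoted above, including the mail-wrapped form, and counts events per peer and per local port, so a relay operator can see whether a few connections or many distinct hosts account for them. The sample log, its addresses and the function names are constructed; the field order (peer port/local port, snd_una:snd_nxt) is an assumption based on the Linux kernel's message format.

```python
import re
from collections import Counter

# Constructed sample in the format of the kernel messages quoted above,
# hard-wrapped as in the mail. Addresses are RFC 5737 documentation
# addresses, not real peers; sequence numbers are made up.
SAMPLE = """\
TCP: Treason uncloaked! Peer 192.0.2.10:49206/9001 shrinks window
2175675571:2175696065. Repaired.
TCP: Treason uncloaked! Peer 192.0.2.10:49206/9001 shrinks window
2175675571:2175696065. Repaired.
TCP: Treason uncloaked! Peer 198.51.100.7:32536/9001 shrinks window
4294967000:200. Repaired.
TCP: Treason uncloaked! Peer 203.0.113.5:58404/9001 shrinks window
554805076:554806568. Repaired.
"""

# Assumed field order: peer address, peer port, local port, snd_una, snd_nxt.
EVENT = re.compile(
    r"Treason uncloaked! Peer (\d{1,3}(?:\.\d{1,3}){3}):(\d+)/(\d+) "
    r"shrinks window (\d+):(\d+)\. Repaired\."
)

def parse_events(text):
    """Return one dict per message, tolerating lines wrapped by a mailer."""
    flat = " ".join(text.split())  # rejoin wrapped lines into one stream
    events = []
    for peer, peer_port, local_port, una, nxt in EVENT.findall(flat):
        events.append({
            "peer": peer,
            "peer_port": int(peer_port),
            "local_port": int(local_port),
            # TCP sequence numbers are 32-bit, so subtract modulo 2**32.
            "unacked_bytes": (int(nxt) - int(una)) % 2**32,
        })
    return events

def summarize(events):
    """Count events per peer and per local port."""
    per_peer = Counter(e["peer"] for e in events)
    return {
        "events": len(events),
        "distinct_peers": len(per_peer),
        "per_peer": dict(per_peer),
        "per_local_port": dict(Counter(e["local_port"] for e in events)),
        "max_unacked_bytes": max((e["unacked_bytes"] for e in events), default=0),
    }

if __name__ == "__main__":
    print(summarize(parse_events(SAMPLE)))
```

Repeated lines with the same peer, port pair and sequence numbers describe one stalled connection being reported again, so the per-peer count is more informative than the raw line count.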