Botnet attack? [was: Re: Declining traffic]
Timo Schoeler
timo.schoeler at riscworks.net
Mon Apr 26 13:59:26 UTC 2010
thus Roger Dingledine spake:
> On Fri, Apr 23, 2010 at 02:35:01PM +0200, Timo Schoeler wrote:
>> I'm seeing declining traffic over the last few weeks, please see graph:
>> It dropped from a sustained 2,5Mbps (or more) to about a fifth, with a
>> massive drop today.
>>
>> I'm running
>>
>> tor-0.2.1.25-1.el5.rf
>>
>> on a 64Bit CentOS machine. Is there something going on in the TOR network?
>
> My first thought is that you updated your openssl rpm in centos, which
> disabled tls renegotiation in yet another new way, and that broke your
> Tor relay. Meaning your relay still worked, but it would only do tls
> renegotiation with other people with centos's particular openssl twist.
>
> Tor 0.2.2.11-alpha fixes the issue we hope:
>   - Fix SSL renegotiation behavior on OpenSSL versions like on Centos
>     that claim to be earlier than 0.9.8m, but which have in reality
>     backported huge swaths of 0.9.8m or 0.9.8n renegotiation
>     behavior. Possible fix for some cases of bug 1346.
>
> But we haven't yet put out a stable release that includes that patch.
>
> So if you upgraded to the latest 0.2.2.x-alpha to get the fixes for other
> bugs, you would get the fix for this bug too. Let us know if it works.

Hi,

after installing v0.2.2.13-alpha (git-feb8c1b5f67f2c6f) and downgrading
OpenSSL before this, my setup works again -- somewhat.

When running tor, I see

i) CPU cycles being eaten up by tor almost entirely;

ii) my machine experiences things like those:

TCP: Treason uncloaked! Peer 217.230.25.218:49206/9001 shrinks window
2175675571:2175696065. Repaired.
TCP: Treason uncloaked! Peer 217.230.25.218:49206/9001 shrinks window
2175675571:2175696065. Repaired.
TCP: Treason uncloaked! Peer 217.230.25.218:49206/9001 shrinks window
2175675571:2175696065. Repaired.
TCP: Treason uncloaked! Peer 124.160.123.73:32536/9001 shrinks window
554805076:554806568. Repaired.
TCP: Treason uncloaked! Peer 87.145.230.151:58404/9001 shrinks window
2362284953:2362292307. Repaired.
TCP: Treason uncloaked! Peer 87.145.230.151:58404/9001 shrinks window
2362284953:2362292307. Repaired.
TCP: Treason uncloaked! Peer 87.145.230.151:58404/9001 shrinks window
2362284953:2362292307. Repaired.

One is a Chinese dialup, the other ones are from a big German ISP
(Deutsche Telekom AG). For me it really seems as if there's some kind of
botnet attack going on.

> --Roger
Timo
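
Added example, not part of the original message or of Tor's code: a Python script that groups the kernel "Treason uncloaked" lines quoted above by peer, so a relay operator can see how many distinct hosts and connections are behind the messages. The function names are hypothetical; the sample input is the set of lines from the message.

```python
import re
from collections import defaultdict

# Format quoted above: "TCP: Treason uncloaked! Peer <ip>:<peer port>/<local
# port> shrinks window <a>:<b>. Repaired." In the Linux source <a> and <b> are
# snd_una and snd_nxt: the range sent to the peer but not yet acknowledged.
EVENT_RE = re.compile(
    r"TCP: Treason uncloaked! Peer (\d{1,3}(?:\.\d{1,3}){3}):(\d+)/(\d+) "
    r"shrinks window (\d+):(\d+)\. Repaired\.")

def parse_events(text):
    """Return one dict per kernel message, tolerating wrapped log lines."""
    flat = " ".join(text.split())  # undo wrapping added by mail or terminal
    return [{"peer": ip, "peer_port": int(pp), "local_port": int(lp),
             "unacked": (int(nxt) - int(una)) % 2**32}  # seq numbers wrap at 2**32
            for ip, pp, lp, una, nxt in EVENT_RE.findall(flat)]

def summarize(events):
    """Group by peer IP: message count, distinct connections, largest range."""
    peers = defaultdict(lambda: {"events": 0, "connections": set(), "max_unacked": 0})
    for ev in events:
        p = peers[ev["peer"]]
        p["events"] += 1
        p["connections"].add((ev["peer_port"], ev["local_port"]))
        p["max_unacked"] = max(p["max_unacked"], ev["unacked"])
    return dict(peers)

# Sample input: the kernel lines from the message above, wrapped as posted.
SAMPLE = """\
TCP: Treason uncloaked! Peer 217.230.25.218:49206/9001 shrinks window
2175675571:2175696065. Repaired.
TCP: Treason uncloaked! Peer 217.230.25.218:49206/9001 shrinks window
2175675571:2175696065. Repaired.
TCP: Treason uncloaked! Peer 217.230.25.218:49206/9001 shrinks window
2175675571:2175696065. Repaired.
TCP: Treason uncloaked! Peer 124.160.123.73:32536/9001 shrinks window
554805076:554806568. Repaired.
TCP: Treason uncloaked! Peer 87.145.230.151:58404/9001 shrinks window
2362284953:2362292307. Repaired.
TCP: Treason uncloaked! Peer 87.145.230.151:58404/9001 shrinks window
2362284953:2362292307. Repaired.
TCP: Treason uncloaked! Peer 87.145.230.151:58404/9001 shrinks window
2362284953:2362292307. Repaired.
"""

if __name__ == "__main__":
    for ip, s in sorted(summarize(parse_events(SAMPLE)).items()):
        print(f"{ip}: {s['events']} msgs, {len(s['connections'])} conn, "
              f"max {s['max_unacked']} bytes unacked")
```

On the sample, the seven messages reduce to three connections, one per peer, all to local port 9001.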