On Dec 19, 2007 12:46 AM, Scott Bennett <[EMAIL PROTECTED]> wrote: > A little while ago, I added another filter rule to the router here to > stop an apparently endless, rapid-fire series of directory requests > hitting > my tor server's DirPort from 125.35.9.66, which appears to be in China. > The > last time I reported this type of thing, you may recall, it came from a > site > in Italy. The symptom, like the last time, was that output rate on my > machine's main Ethernet interface was running steadily around the transmit > rate limit imposed by my ADSL line. dig(1) shows: > > ; <<>> DiG 9.3.4-P1 <<>> -x 125.35.9.66 any > ;; global options: printcmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 63929 > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 > > ;; QUESTION SECTION: > ;66.9.35.125.in-addr.arpa. IN ANY > > ;; AUTHORITY SECTION: > 9.35.125.in-addr.arpa. 10800 IN SOA ns.bta.net.cn. > root.ns.bta.net.cn. 2006020501 28899 7200 604800 86400 > > ;; Query time: 351 msec > ;; SERVER: 66.225.32.4#53(66.225.32.4) > ;; WHEN: Wed Dec 19 02:40:29 2007 > ;; MSG SIZE rcvd: 96 > > Is anyone else having this kind of trouble, regardless of the apparent > origin(s) of the attack(s)? I don't mind legitimate requests for > directory > service tying up all or nearly all of my available output bandwidth, but I > do object to morons conducting a DoS attack to keep others from getting > directory service from my tor servers directory mirror. If others are > also > finding their tor servers being hit like this, then perhaps we need to > think > up an automated way to deny directory service to abusers in order to put a > stop to such activity. > > > Scott Bennett, Comm. ASMELG, CFIAG > ********************************************************************** > * Internet: bennett at cs.niu.edu * > *--------------------------------------------------------------------* > * "A well regulated and disciplined militia, is at all times a good * > * objection to the introduction of that bane of all free governments * > * -- a standing army." * > * -- Gov. John Hancock, New York Journal, 28 January 1790 * > ********************************************************************** >
This is just a theory, no hard facts to back it up. When I'm messing around with Tor's ControlPort, I've noticed that my Tor traffic just hangs until whatever I'm doing on the ControlPort stops. There have been a couple of times where I do something very wrong on the controlport and Tor just "freezes" (does not route any traffic) until I close my connection with the ControlPort. I'm wondering if the same is true for when someone is fetching descriptors from the DirPort? Does Tor traffic "freeze" (not route traffic) until the Dirport completes its task? Next guess... If someone where to be attacking, oh say, a hidden service, and your node was the Introduction Point for that hidden service, then perhaps someone is trying to force the owner of the hidden service to choose a new introduction point. What is the uptime of your node? Have you typically been running it for a long time? If someone is DoSing your Dirport, why not just turn it off? BTW, the SOA for your DIG request, ns.bta.net.cn (202.96.0.133), had a direct match on http://cryptome.org/nsa-ip-update13.htm Just thought you should know...