Re: [tor-relays] DDOS

2016-06-14 Thread I
not at the moment but now and then yes


___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] DDOS

2016-06-14 Thread Toralf Förster
On 06/14/2016 07:03 AM, Markus Koch wrote:
> 4 of my 5 tor servers are under an incoming DDOS attack. Am I the only
> one or is anyone else feeling the "love"?
> 
Attacks with about 100 MBit/sec over a minute or so happen here nearly daily,
attacks > 500 MBit/sec over half an hour or so once a year.

-- 
Toralf
PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7


Re: [tor-relays] DDOS

2016-06-14 Thread Petrusko
Hey,

Little noob question inside :)
Is it possible to learn quickly how to detect a DDOS attack?

I got Munin running behind, can it be useful with the "netstat" and
"firewall throughput" plugins graphs to see it?
So if the server is attacked, I think it will show some big spikes in
those graphs...?

Thx ;)

ps: I'll try to find some things about this subject, np!



On 14/06/2016 07:03, Markus Koch wrote:
> 4 of my 5 tor servers are under an incoming DDOS attack. Am I the only
> one or is anyone else feeling the "love"?
>
> Markus

-- 
Petrusko
PubKey EBE23AE5
C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5






Re: [tor-relays] DDOS

2016-06-14 Thread Toralf Förster
On 06/14/2016 02:59 PM, Petrusko wrote:
> So if the server is attacked, I think it will show some big spikes in
> those graphs...?

My ISP provides traffic data/graphs.
And I do use sysstat[1] to monitor my server, which gives among other 
statistics something like [2]


[1] http://pagesperso-orange.fr/sebastien.godard/
[2] https://www.zwiebeltoralf.de/torserver/ddos_sysstat_example.txt

-- 
Toralf
PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7
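
Added example (not part of any list member's message): one way to spot inbound traffic spikes in the per-interface statistics that sysstat's `sar -n DEV` prints, the kind of data referred to above. The sample text, the interface name `eth0` and the two thresholds are constructed assumptions.

```python
import statistics

# Constructed sample in the layout printed by `sar -n DEV`; all values are invented.
SAMPLE = """\
Linux 4.4.0 (relay1)  06/14/2016  _x86_64_  (2 CPU)

06:40:01        IFACE   rxpck/s   txpck/s    rxkB/s    txkB/s   rxcmp/s   txcmp/s  rxmcst/s   %ifutil
06:50:01           lo      2.00      2.00      0.30      0.30      0.00      0.00      0.00      0.00
06:50:01         eth0   8100.00   8050.00   6000.00   5990.00      0.00      0.00      0.00      4.92
07:00:01         eth0   8200.00   8150.00   6100.00   6080.00      0.00      0.00      0.00      5.00
07:10:01         eth0   8000.00   7950.00   5900.00   5890.00      0.00      0.00      0.00      4.83
07:20:01         eth0  95000.00   8100.00  70000.00   6000.00      0.00      0.00      0.00     57.34
07:30:01         eth0   8150.00   8100.00   6050.00   6040.00      0.00      0.00      0.00      4.96
Average:         eth0  25490.00   8070.00  18810.00   6000.00      0.00      0.00      0.00     15.41
"""


def parse_sar_dev(text, iface="eth0"):
    """Return [(timestamp, rx_pps, rx_mbit)] for one interface from `sar -n DEV` text."""
    cols, rows = None, []
    for line in text.splitlines():
        tok = line.split()
        if "IFACE" in tok:  # header row: map column names to token positions
            cols = {name: i for i, name in enumerate(tok)}
            continue
        if cols is None or len(tok) != len(cols) or tok[0] == "Average:":
            continue
        if tok[cols["IFACE"]] != iface:
            continue
        stamp = " ".join(tok[:cols["IFACE"]])  # also covers "07:20:01 AM" style clocks
        pps = float(tok[cols["rxpck/s"]])
        # sar reports kB as 1024 bytes; convert to Mbit/s (10^6 bits)
        mbit = float(tok[cols["rxkB/s"]]) * 1024 * 8 / 1e6
        rows.append((stamp, pps, mbit))
    return rows


def find_spikes(samples, factor=5.0, floor_mbit=100.0):
    """Return (median baseline, samples above floor_mbit and above factor x baseline)."""
    baseline = statistics.median(s[2] for s in samples)
    hits = [s for s in samples if s[2] >= floor_mbit and s[2] > factor * baseline]
    return baseline, hits


if __name__ == "__main__":
    base, hits = find_spikes(parse_sar_dev(SAMPLE))
    print(f"baseline {base:.1f} Mbit/s")
    for stamp, pps, mbit in hits:
        print(f"{stamp}  {mbit:.1f} Mbit/s inbound, {pps:.0f} pkt/s")
```

Averages hide short bursts: a one-minute flood inside a 10-minute collection interval shows up at roughly a tenth of its peak rate, so a shorter sampling interval is needed to see it.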


Re: [tor-relays] DDOS

2016-06-14 Thread Markus Koch
Or you get e-mails ...

---

Hi there,

Our system has automatically detected an inbound DDoS against your
droplet named niftyguineapig with the following IP Address:
178.62.71.57

As a precautionary measure, we have temporarily disabled network
traffic to your droplet to protect our network and other customers.
Once the attack subsides, networking will be automatically
reestablished to your droplet. The networking restriction is in place
for three hours and then removed.

Please note that we take this measure only as a last resort when other
filtering, routing, and network configuration changes have not been
effective in routing around the DDoS attack.

Please let us know if there are any questions, we're happy to help.

Thank you,
DigitalOcean Support

--

Still wondering why someone ddosed 80% of my TOR servers and nobody
else here got it too ...




2016-06-14 15:08 GMT+02:00 Toralf Förster:
> On 06/14/2016 02:59 PM, Petrusko wrote:
>> So if the server is attacked, I think it will show some big spikes in
>> those graphs...?
>
> My ISP provides traffic data/graphs.
> And I do use sysstat[1] to monitor my server, which gives among other 
> statistics something like [2]
>
>
> [1] http://pagesperso-orange.fr/sebastien.godard/
> [2] https://www.zwiebeltoralf.de/torserver/ddos_sysstat_example.txt
>
> --
> Toralf
> PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7


Re: [tor-relays] DDOS

2016-06-14 Thread Roman Mamedov
On Tue, 14 Jun 2016 15:39:30 +0200
Markus Koch wrote:

> Or you get e-mails ...

Getting these once every few days. However I'm almost certain the issue is just
a misdetection by them of some pattern from the regular operation of a Tor
relay (for example the large amount of open connections, possibly to unusual
ports) as a DDoS.


OVH 2 rue Kellermann 59100 Roubaix
Technical support:  08.99.49.87.65 (€1.349/call + €0.337/min)
Commercial support: 08.20.69.87.65 (€0.118/min)
Fax: 03.20.20.09.58
supp...@ovh.com

   
Dear Customer,

We have just detected an attack on IP address [...].

In order to protect your infrastructure, we vacuumed up your traffic onto our 
mitigation infrastructure.

The entire attack will thus be filtered by our infrastructure, and only 
legitimate traffic will reach your servers.


At the end of the attack, your infrastructure will be immediately withdrawn 
from the mitigation.

For more information on the OVH mitigation infrastructure: 
https://www.ovh.com/fr/anti-ddos/

Regards, 

Your OVH Customer Support  
Mon - Friday: 9am - 6pm
(020) 7357 6616 Local call rate.


-- 
With respect,
Roman




Re: [tor-relays] DDOS

2016-06-14 Thread Green Dream
I have relays on Digital Ocean as well, and occasionally get the same
emails. Notice the contradiction in the email:

"Once the attack subsides, networking will be automatically
reestablished to your droplet. The networking restriction is in place
for three hours and then removed."

Which one is it? Do you automatically reconnect my node when the attack
subsides, or do you just wait three hours? (It's always the latter.)

"Please note that we take this measure only as a last resort when other
filtering, routing, and network configuration changes have not been
effective in routing around the DDoS attack."

That seems to be disingenuous as well. They have never, ever done anything
other than shut off my node for 3 hours. Requests for more information about
the nature of the attack go unanswered.


Re: [tor-relays] DDOS

2016-06-14 Thread Steven Jones
iftop might be better to see

On Tue, Jun 14, 2016 at 8:59 AM, Petrusko wrote:

> Hey,
>
> Little noob question inside :)
> Is it possible to learn quickly how to detect a DDOS attack?
>
> I got Munin running behind, can it be useful with the "netstat" and
> "firewall throughput" plugins graphs to see it?
> So if the server is attacked, I think it will show some big spikes in
> those graphs...?
>
> Thx ;)
>
> ps: I'll try to find some things about this subject, np!


Re: [tor-relays] DDOS

2016-06-14 Thread Petrusko
Thx all for those useful tools,
time to try some ;)

About the main subject, nothing about DDOS on my node...
(no mails, no spikes on my graphs)

Thx


On 14/06/2016 at 19:49, Steven Jones wrote:
> iftop might be better to see

-- 
Petrusko
PubKey EBE23AE5
C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5



