Re: [tor-relays] Recent wave of abuse on Tor guards

2017-12-22 Thread niftybunny
Short answer:

https://i.imgur.com/8QLptcz.png 

Around 15000 - 18000 connections I can see with netstat. Even my 300 mbit exit 
has less and there are a lot of Leaseweb clients connecting to me ... 
The interesting thing is, it comes and goes in waves. From 6000 (normal) to 
2 connections within an hour.
Someone doesn't like me very much :(

Markus



> On 22. Dec 2017, at 08:42, Felix  wrote:
> 
> On 22-Dec-17 at 08:25, niftybunny wrote:
>> Still under heavy attack even with the MaxMemInQueues and 0.3.2.8-rc. I
>> need 2 xeons to push 30 mbit as a guard/middle …
> 
> Do you want to share some information:
> 
> Type i)
> (memory exhaustion by too many circuits)
> What is the memory(top) per tor and its MaxMemInQueues ?
> How many circuits per hour in log ?
> 
> Type ii)
> (cpu exhaustion by too many 'half open' tor connections)
> Is your number of open files normal (fw in place) and moderate
> connection counts per remote IP ?
> 
> Type iii)
> (One fills your server with too many long fat pipes, first ACK and RTT)
> If on Freebsd, is "mbuf clusters in use" (netstat -m) moderate ?
> Do you get "kern.ipc.nmbclusters limit reached" in messages ?
> 
> -- 
> Cheers, Felix
> ___
> tor-relays mailing list
> tor-relays@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays



Re: [tor-relays] New Relay Online/Working on AWS Cloud Torproject

2017-12-22 Thread Gary Smith
Hello.

I use AWS to test the alpha release, on the free tier. If you don't mind me
asking, I am interested to know what you are doing to avoid an Amazon
bill at the end of the month.

I think I had about 30GB data transfer or so & a few other things and they
sent me a bill for USD 0.70 ish (not a lot I know lol), but potentially it
could be in the thousands of dollars or more if you are not careful. Is
there a region that is "best" to use? AWS' internet is pretty fast, I
transferred a 12GB file from Google Drive using Chrome in the VM
in about 15 or so seconds.

Also I noted that there are many entries in /var/log/auth.log that many
people try to connect via SSH (username byebye is a popular one for some
reason), more connection attempts than my home internet connection gets
perhaps

Many Thanks.

On Wed, Dec 20, 2017 at 2:35 PM, Conrad Rockenhaus 
wrote:

>
>
> On Dec 20, 2017, at 5:01 AM, teor  wrote:
>
>
> On 20 Dec 2017, at 20:59, Conrad Rockenhaus  wrote:
>
> ConradsAWSRelay was started back up on a new AWS instance running Amazon
> Linux and its hash is now 9F7F05699131E1E2A22F70B83E8CBB4671F5FEE2. I
> have upgraded to Tor 0.3.1.9…. I had issues with getting the libevent
> development header dependencies resolved on Amazon Linux so I just compiled
> it on Red Hat and brought it over. More than likely I overlooked something
> and caused a cascade of failures from there, anyway, it’s up.
>
> Additionally, I brought up ConradsAWSExit, 
> 1B47E33F9D422CC97BD2DDA1F082BFF2FC58E79A,
> to help out with that area. I may bandwidth limit this one depending on
> load,  I will have to wait and see how much traffic it gets since I don’t
> have unlimited $$$ to allocate to my new hobby :).
>
>
> Yes, running nodes at AWS can be expensive.
> I'm also interested to see what abuse complaints you get.
>
>
> I’m mainly running this stuff on AWS because AWS is my playground for the
> new Cloud based solution I’m working on, just because I can start instances
> up with Amazon Linux, FreeBSD, Debian, etc. I am interested to see what the
> abuse process is as well. I will ensure that the costs are controlled so
> I’m not out of pocket too much.
>
> Eventually the permanent home will be moved to the new cabinet I’m going
> to be renting at a datacenter near my home.
>
>
> If someone could take another look and provide me any
> feedback/constructive criticism about these two nodes, I would greatly
> appreciate it.
>
>
> Since you control multiple relays, please set MyFamily on all of them:
>
> MyFamily fingerprint1,fingerprint2
>
> This is important because they are in different IPv4 /16s.
> (It will be even more important if one has the Guard flag, and the other
> has the Exit flag.)
>
>
> Done, should see it in atlas within the hour.
>
>
> Does AWS have native IPv6 yet?
>
> If so, please set on both relays:
>
> ORPort [IPv6]:Port
>
> And on the Exit:
>
> IPv6Exit 1
>
> You could connect to IPv6 using a nearby free tunnel service
> (Hurricane Electric is good, and has good peering with AWS),
> but this is not as fast or reliable as native IPv6.
>
> But as a learning experience, it's a good way to get IPv6.
>
>
> I see that AWS does have native IPv6, but I have to get it enabled on my
> VPC before I can get these two instances up on IPv6. I will let y’all know
> when that’s done.
>
>
> Thank you for everyone’s advice! I also appreciate the input regarding
> the revitalization of the Cloud project again. Another person has also
> volunteered to assist in the project so hopefully things should start
> moving here pretty soon!
>
>
> That's exciting.
> It would be great for people to be able to choose between multiple
> providers. Free VPSs are a great way to learn how to set up a relay.
>
> The biggest issue with the cloud image was that it wasn't kept up
> to date. I wonder if there's a way of doing that automatically.
>
> I also wonder if there's a way of giving people a BSD image option
> as well.
>
>
> My intent with the new cloud image architecture is to provide a
> multi-arch, portable, fast, and secure solution that will deploy tor
> relays. Another person has volunteered to assist me with this so with three
> people working on this I do hope that we will be able to keep things up to
> date, but my main goal is to have that somewhat automated.
>
> Speaking of which, I do wonder what the thoughts are on this idea. I would
> like to have two derivatives of the cloud package, one for novices and one
> for those who do not consider themselves novices. The novice package will
> be centrally managed by Puppet, so all the user has to do is spin up an
> instance, updates will be handled by the master.
>
> The non-novice package will be managed by chef. My main question is what
> are the thoughts on using Puppet? Would that be an acceptable solution for
> a non-novice solution or is that too much of a risk?
>
> Thanks,
>
> Conrad
>
>
> T

Re: [tor-relays] New Relay Online/Working on AWS Cloud Torproject

2017-12-22 Thread teor

> On 22 Dec 2017, at 21:08, Gary Smith  wrote:
> 
> Hello.
> 
> I use AWS to test the alpha release, on the free tier. If you don't mind me 
> asking, I am interested to know what you are doing to avoid an Amazon 
> bill at the end of the month.
> 
> I think I had about 30GB data transfer or so & a few other things and they 
> sent me a bill for USD 0.70 ish (not a lot I know lol), but potentially it 
> could be in the thousands of dollars or more if you are not careful. Is there 
> a region that is "best" to use? AWS' internet is pretty fast, I transferred a 
> 12GB file from Google Drive using Chrome in the VM in about 15 or 
> so seconds.

I use AccountingMax, and set it about 1GB below the limit.

Make sure you choose the right AccountingRule for AWS.
(Some providers use max upload or download, and some use sum.)

T

> Also I noted that there are many entries in /var/log/auth.log that many 
> people try to connect via SSH (username byebye is a popular one for some 
> reason), more connection attempts than my home internet connection gets 
> perhaps
> 
> Many Thanks.
> 
> On Wed, Dec 20, 2017 at 2:35 PM, Conrad Rockenhaus  
> wrote:
> 
> 
>> On Dec 20, 2017, at 5:01 AM, teor  wrote:
>> 
>> 
>> On 20 Dec 2017, at 20:59, Conrad Rockenhaus  wrote:
>> 
>>> ConradsAWSRelay was started back up on a new AWS instance running Amazon 
>>> Linux and its hash is now 9F7F05699131E1E2A22F70B83E8CBB4671F5FEE2. I have 
>>> upgraded to Tor 0.3.1.9…. I had issues with getting the libevent 
>>> development header dependencies resolved on Amazon Linux so I just compiled 
>>> it on Red Hat and brought it over. More than likely I overlooked something 
>>> and caused a cascade of failures from there, anyway, it’s up.
>>> 
>>> Additionally, I brought up ConradsAWSExit, 
>>> 1B47E33F9D422CC97BD2DDA1F082BFF2FC58E79A, to help out with that area. I may 
>>> bandwidth limit this one depending on load,  I will have to wait and see 
>>> how much traffic it gets since I don’t have unlimited $$$ to allocate to my 
>>> new hobby :).
>> 
>> Yes, running nodes at AWS can be expensive.
>> I'm also interested to see what abuse complaints you get.
> 
> I’m mainly running this stuff on AWS because AWS is my playground for the new 
> Cloud based solution I’m working on, just because I can start instances up 
> with Amazon Linux, FreeBSD, Debian, etc. I am interested to see what the 
> abuse process is as well. I will ensure that the costs are controlled so I’m 
> not out of pocket too much.
> 
> Eventually the permanent home will be moved to the new cabinet I’m going to 
> be renting at a datacenter near my home.
> 
>> 
>>> If someone could take another look and provide me any feedback/constructive 
>>> criticism about these two nodes, I would greatly appreciate it.
>> 
>> Since you control multiple relays, please set MyFamily on all of them:
>> 
>> MyFamily fingerprint1,fingerprint2
>> 
>> This is important because they are in different IPv4 /16s.
>> (It will be even more important if one has the Guard flag, and the other
>> has the Exit flag.)
> 
> Done, should see it in atlas within the hour.
> 
>> 
>> Does AWS have native IPv6 yet?
>> 
>> If so, please set on both relays:
>> 
>> ORPort [IPv6]:Port
>> 
>> And on the Exit:
>> 
>> IPv6Exit 1
>> 
>> You could connect to IPv6 using a nearby free tunnel service
>> (Hurricane Electric is good, and has good peering with AWS),
>> but this is not as fast or reliable as native IPv6.
>> 
>> But as a learning experience, it's a good way to get IPv6.
>> 
> 
> I see that AWS does have native IPv6, but I have to get it enabled on my VPC 
> before I can get these two instances up on IPv6. I will let y’all know when 
> that’s done.
> 
> 
>>> Thank you for everyone’s advice! I also appreciate the input regarding the 
>>> revitalization of the Cloud project again. Another person has also 
>>> volunteered to assist in the project so hopefully things should start 
>>> moving here pretty soon!
>> 
>> That's exciting.
>> It would be great for people to be able to choose between multiple
>> providers. Free VPSs are a great way to learn how to set up a relay.
>> 
>> The biggest issue with the cloud image was that it wasn't kept up
>> to date. I wonder if there's a way of doing that automatically.
>> 
>> I also wonder if there's a way of giving people a BSD image option
>> as well.
> 
> My intent with the new cloud image architecture is to provide a multi-arch, 
> portable, fast, and secure solution that will deploy tor relays. Another 
> person has volunteered to assist me with this so with three people working on 
> this I do hope that we will be able to keep things up to date, but my main 
> goal is to have that somewhat automated.
> 
> Speaking of which, I do wonder what the thoughts are on this idea. I would 
> like to have two derivatives of the cloud package, one for novices and one 
> for those who do not consider themselves novices. The novice package will be 
> centrally managed by Puppet, s

Re: [tor-relays] Become a Fallback Directory Mirror

2017-12-22 Thread teor

> On 22 Dec 2017, at 16:37, Aneesh Dogra  wrote:
> 
> D8972986BE19E0287770DF51C47C630A53DC6E97
> 
> Thanks
> -Aneesh

Hi Aneesh,

Your relay needs a DirPort to be a fallback directory mirror.
(This is an old requirement, we hope to fix it at some point.)

Your DirPort should be on 9030 by default.
Or you can configure a DirPort on PORT_NUMBER using:

DirPort PORT_NUMBER

Let us know when you've configured a DirPort, and we'll put your relay
on the list.

T

--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org








Re: [tor-relays] New Relay Online/Working on AWS Cloud Torproject

2017-12-22 Thread nusenu


Conrad Rockenhaus:
> I noticed this when I started it up. It appears that the version of
> Tor on EPEL is out of date. I’ll build it out of source to fix it.
> I’ll probably have to do that for the Cloud solution as well since
> the lifecycle of EPEL is normally behind.

0.2.9.14 reached stable ~16 hours ago 
(generally a EPEL package stays in testing for 2 weeks before reaching stable)
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-97efaab7e7

If you do not want to build yourself you can enable the EPEL testing repo
to get updates faster.
If timely tor updates is a top priority, you might want to choose another OS.

Also please enable auto updates on your images so we avoid having lots of
outdated relays on the network.

https://trac.torproject.org/projects/tor/wiki/OperatorsTips/RPMUpdates#CentOSandRHEL

- please automate the process of setting a proper MyFamily configuration
- please ensure that relays have a meaningful ContactInfo set 


please do not forget to set MyFamily on all your relays
https://atlas.torproject.org/#details/A5C6D2EBCCA77D0B09364DD6B75FEC817AF977FA

teor wrote:
> I also wonder if there's a way of giving people a BSD image option
> as well.

Yes, BSD images would be great!


IMHO the biggest drawback with AWS is bw cost - which is a 
lot more expensive than most other hosters. With the same kind of
money operators would be able to push a lot more traffic if they choose an
unmetered hoster. From a cost point of view I would advise against AWS.


thanks for your efforts

-- 
https://mastodon.social/@nusenu
twitter: @nusenu_
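
One way to automate the MyFamily and ContactInfo checks requested in this message, as an added example (not code from the Tor Project or from any poster in this thread). The fingerprints and torrc contents are constructed placeholders, and `parse_torrc`, `family_line` and `audit_family` are hypothetical helper names.

```python
import re

# A relay fingerprint is 40 hex digits, optionally prefixed with "$".
FPR_RE = re.compile(r"^\$?([0-9A-Fa-f]{40})$")

# Constructed placeholder fingerprints, not real relays.
FP_A, FP_B, FP_C = "A" * 40, "B" * 40, "C" * 40


def parse_torrc(text):
    """Extract MyFamily fingerprints and ContactInfo from torrc text."""
    conf = {"family": set(), "invalid": [], "contact": None}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (simplified handling)
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()  # option names are matched case-insensitively
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "myfamily":
            # Entries from repeated MyFamily lines are merged into one set.
            for item in value.split(","):
                item = item.strip()
                match = FPR_RE.match(item)
                if match:
                    conf["family"].add(match.group(1).upper())
                elif item:
                    conf["invalid"].append(item)
        elif key == "contactinfo" and value:
            conf["contact"] = value
    return conf


def family_line(own_fp, all_fps):
    """Build the MyFamily line for one relay: every other relay in the fleet."""
    others = sorted({fp.upper() for fp in all_fps} - {own_fp.upper()})
    return "MyFamily " + ",".join("$" + fp for fp in others)


def audit_family(relays):
    """relays maps each relay's own fingerprint to its torrc text.

    A family declaration only counts when both relays list each other,
    so every relay must name every other relay of the same operator.
    """
    parsed = {fp.upper(): parse_torrc(text) for fp, text in relays.items()}
    problems = []
    for fp, conf in sorted(parsed.items()):
        for other in sorted(parsed):
            if other != fp and other not in conf["family"]:
                problems.append((fp, "missing MyFamily entry", other))
        for bad in conf["invalid"]:
            problems.append((fp, "invalid MyFamily entry", bad))
        if not conf["contact"]:
            problems.append((fp, "no ContactInfo", ""))
    return problems


def sample_fleet():
    """Three constructed torrc files: A is complete, B omits C, C has no contact."""
    return {
        FP_A: f"Nickname relayA\nContactInfo ops at example dot org\n"
              f"MyFamily ${FP_B},{FP_C}\n",
        FP_B: f"Nickname relayB\nContactInfo ops at example dot org\n"
              f"MyFamily ${FP_A}\n",
        FP_C: f"Nickname relayC\n#ContactInfo ops at example dot org\n"
              f"MyFamily {FP_A}\nMyFamily {FP_B}\n",
    }


if __name__ == "__main__":
    fleet = sample_fleet()
    for fp, issue, detail in audit_family(fleet):
        print(fp[:8], issue, detail[:8])
    print(family_line(FP_B, fleet))
```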





Re: [tor-relays] Become a Fallback Directory Mirror

2017-12-22 Thread Paul Templeton
You can throw 867B95CACD64653FEEC4D2CEFC5C49B4620307A7 into the mix - it's my 
only stable server with little load.

I would have IPv6 but OVH AU has some sort of problem - have had a ticket open 
for two weeks now.

Paul



Re: [tor-relays] Become a Fallback Directory Mirror

2017-12-22 Thread Aneesh Dogra
On Fri, Dec 22, 2017 at 3:51 PM, teor  wrote:

>
> > On 22 Dec 2017, at 16:37, Aneesh Dogra  wrote:
> >
> > D8972986BE19E0287770DF51C47C630A53DC6E97
> >
> > Thanks
> > -Aneesh
>
> Hi Aneesh,
>
> Your relay needs a DirPort to be a fallback directory mirror.
> (This is an old requirement, we hope to fix it at some point.)
>
> Your DirPort should be on 9030 by default.
> Or you can configure a DirPort on PORT_NUMBER using:
>
> DirPort PORT_NUMBER
>
> Let us know when you've configured a DirPort, and we'll put your relay
> on the list.
>
> T
>
>
Hey Teor,

Thanks for your reply. I have added my DirPort in torrc as 9030 and
restarted my relay. Let me know if you need anything else.

Thanks
-Aneesh



> --
> Tim Wilson-Brown (teor)
>
> teor2345 at gmail dot com
> PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
> ricochet:ekmygaiu4rzgsk6n
> xmpp: teor at torproject dot org
> 
>
>
>
>


-- 
Regardless, I hope you're well and happy -
Aneesh


Re: [tor-relays] first impression with 0.3.2.8-rc at a fast exit relay

2017-12-22 Thread David Goulet
On 22 Dec (00:20:38), Toralf Förster wrote:
> With 0.3.2.7-rc the command
>   /usr/sbin/iftop -B -i eth0 -P -N -n -m 320M
> showed every now and then (few times in an hour) for 10-20 sec a traffic 
> value of nearly 0 bytes for the short-term period (the left of the 3 values).
> Usually I do observe between 6 and 26 MByte/sec.
> With the Tor version from today now the outage is about 1-2 sec, but does 
> still occur.

Not sure I fully understand here what you mean. For 1 to 2 sec  you see
0 bytes of outbound traffic :| ?

Doing the same on my fast non-Exit relay (~20MB/s) on the latest 0.3.2, I'm
always capped both ways on the connection.

This systematic delay really sounds more on the kernel side of things.

Are you on BSD or Linux?

Thanks!
David

> Not sure, if this is an expected behaviour or a local problem.
> 
> -- 
> Toralf
> PGP C4EACDDE 0076E94E
> 






-- 
DMdcRweJVXVbzthX2gDiX2OwwF5dP4HgkREJLd+rUJM=




Re: [tor-relays] Recent wave of abuse on Tor guards

2017-12-22 Thread Tyler Johnson
Out of 133 IPs blocked with my rather aggressive firewall ruleset:

leaseweb.com - 26
your-server.de - 66
ip-54-36-51.eu - 17

That was in < 24hrs.

On Dec 22, 2017 3:38 AM, "niftybunny"  wrote:

> Short answer:
>
> https://i.imgur.com/8QLptcz.png
>
> Around 15000 - 18000 connections I can see with netstat. Even my 300 mbit
> exit has less and there are a lot of Leaseweb clients connecting to me ...
> The interesting thing is, it comes and goes in waves. From 6000 (normal)
> to 2 connections within an hour.
> Someone doesn't like me very much :(
>
> Markus
>
>
>
> On 22. Dec 2017, at 08:42, Felix  wrote:
>
> On 22-Dec-17 at 08:25, niftybunny wrote:
>
> Still under heavy attack even with the MaxMemInQueues and 0.3.2.8-rc. I
> need 2 xeons to push 30 mbit as a guard/middle …
>
>
> Do you want to share some information:
>
> Type i)
> (memory exhaustion by too many circuits)
> What is the memory(top) per tor and its MaxMemInQueues ?
> How many circuits per hour in log ?
>
> Type ii)
> (cpu exhaustion by too many 'half open' tor connections)
> Is your number of open files normal (fw in place) and moderate
> connection counts per remote IP ?
>
> Type iii)
> (One fills your server with too many long fat pipes, first ACK and RTT)
> If on Freebsd, is "mbuf clusters in use" (netstat -m) moderate ?
> Do you get "kern.ipc.nmbclusters limit reached" in messages ?
>
> --
> Cheers, Felix


Re: [tor-relays] Recent wave of abuse on Tor guards

2017-12-22 Thread niftybunny
That's “only” “relays” with multiple connections to your relay?
Interesting to see Hetzner there …

Markus


> On 22. Dec 2017, at 16:14, Tyler Johnson  wrote:
> 
> Out of 133 IPs blocked with my rather aggressive firewall ruleset:
> 
> leaseweb.com  - 26
> your-server.de  - 66
> ip-54-36-51.eu  - 17
> 
> That was in < 24hrs.
> 
> On Dec 22, 2017 3:38 AM, "niftybunny" wrote:
> Short answer:
> 
> https://i.imgur.com/8QLptcz.png 
> 
> Around 15000 - 18000 connections I can see with netstat. Even my 300 mbit 
> exit has less and there are a lot of Leaseweb clients connecting to me ... 
> The interesting thing is, it comes and goes in waves. From 6000 (normal) to 
> 2 connections within an hour.
> Someone doesn't like me very much :(
> 
> Markus
> 
> 
> 
>> On 22. Dec 2017, at 08:42, Felix wrote:
>> 
>> On 22-Dec-17 at 08:25, niftybunny wrote:
>>> Still under heavy attack even with the MaxMemInQueues and 0.3.2.8-rc. I
>>> need 2 xeons to push 30 mbit as a guard/middle …
>> 
>> Do you want to share some information:
>> 
>> Type i)
>> (memory exhaustion by too many circuits)
>> What is the memory(top) per tor and its MaxMemInQueues ?
>> How many circuits per hour in log ?
>> 
>> Type ii)
>> (cpu exhaustion by too many 'half open' tor connections)
>> Is your number of open files normal (fw in place) and moderate
>> connection counts per remote IP ?
>> 
>> Type iii)
>> (One fills your server with too many long fat pipes, first ACK and RTT)
>> If on Freebsd, is "mbuf clusters in use" (netstat -m) moderate ?
>> Do you get "kern.ipc.nmbclusters limit reached" in messages ?
>> 
>> -- 
>> Cheers, Felix


Re: [tor-relays] Recent wave of abuse on Tor guards

2017-12-22 Thread Tyler Johnson
Every IP I was checking through Atlas which are part of the mentioned hosts
were NOT relays, all client connections.

On Dec 22, 2017 9:20 AM, "niftybunny"  wrote:

> That's “only” “relays” with multiple connections to your relay?
> Interesting to see Hetzner there …
>
> Markus
>
>
> On 22. Dec 2017, at 16:14, Tyler Johnson  wrote:
>
> Out of 133 IPs blocked with my rather aggressive firewall ruleset:
>
> leaseweb.com - 26
> your-server.de - 66
> ip-54-36-51.eu - 17
>
> That was in < 24hrs.
>
> On Dec 22, 2017 3:38 AM, "niftybunny" 
> wrote:
>
>> Short answer:
>>
>> https://i.imgur.com/8QLptcz.png
>>
>> Around 15000 - 18000 connections I can see with netstat. Even my 300 mbit
>> exit has less and there are a lot of Leaseweb clients connecting to me ...
>> The interesting thing is, it comes and goes in waves. From 6000 (normal)
>> to 2 connections within an hour.
>> Someone doesn't like me very much :(
>>
>> Markus
>>
>>
>>
>> On 22. Dec 2017, at 08:42, Felix  wrote:
>>
>> On 22-Dec-17 at 08:25, niftybunny wrote:
>>
>> Still under heavy attack even with the MaxMemInQueues and 0.3.2.8-rc. I
>> need 2 xeons to push 30 mbit as a guard/middle …
>>
>>
>> Do you want to share some information:
>>
>> Type i)
>> (memory exhaustion by too many circuits)
>> What is the memory(top) per tor and its MaxMemInQueues ?
>> How many circuits per hour in log ?
>>
>> Type ii)
>> (cpu exhaustion by too many 'half open' tor connections)
>> Is your number of open files normal (fw in place) and moderate
>> connection counts per remote IP ?
>>
>> Type iii)
>> (One fills your server with too many long fat pipes, first ACK and RTT)
>> If on Freebsd, is "mbuf clusters in use" (netstat -m) moderate ?
>> Do you get "kern.ipc.nmbclusters limit reached" in messages ?
>>
>> --
>> Cheers, Felix


Re: [tor-relays] Recent wave of abuse on Tor guards

2017-12-22 Thread Pascal Terjan
I got also 17 from ovh (under ip-54-36-51.eu) and plenty of
leaseweb.com (didn't count) too but no  your-server.de

The OVH ones were interestingly 2 (nearby) consecutive blocks of 4 and
13 IPs (and are not relays)


On 22 December 2017 at 15:23, Tyler Johnson  wrote:
> Every IP I was checking through Atlas which are part of the mentioned hosts
> were NOT relays, all client connections.
>
> On Dec 22, 2017 9:20 AM, "niftybunny"  wrote:
>>
>> That's “only” “relays” with multiple connections to your relay?
>> Interesting to see Hetzner there …
>>
>> Markus
>>
>>
>> On 22. Dec 2017, at 16:14, Tyler Johnson  wrote:
>>
>> Out of 133 IPs blocked with my rather aggressive firewall ruleset:
>>
>> leaseweb.com - 26
>> your-server.de - 66
>> ip-54-36-51.eu - 17
>>
>> That was in < 24hrs.
>>
>> On Dec 22, 2017 3:38 AM, "niftybunny" 
>> wrote:
>>>
>>> Short answer:
>>>
>>> https://i.imgur.com/8QLptcz.png
>>>
>>> Around 15000 - 18000 connections I can see with netstat. Even my 300 mbit
>>> exit has less and there are a lot of Leaseweb clients connecting to me ...
>>> The interesting thing is, it comes and goes in waves. From 6000 (normal)
>>> to 2 connections within an hour.
>>> Someone doesn't like me very much :(
>>>
>>> Markus
>>>
>>>
>>>
>>> On 22. Dec 2017, at 08:42, Felix  wrote:
>>>
>>> On 22-Dec-17 at 08:25, niftybunny wrote:
>>>
>>> Still under heavy attack even with the MaxMemInQueues and 0.3.2.8-rc. I
>>> need 2 xeons to push 30 mbit as a guard/middle …
>>>
>>>
>>> Do you want to share some information:
>>>
>>> Type i)
>>> (memory exhaustion by too many circuits)
>>> What is the memory(top) per tor and its MaxMemInQueues ?
>>> How many circuits per hour in log ?
>>>
>>> Type ii)
>>> (cpu exhaustion by too many 'half open' tor connections)
>>> Is your number of open files normal (fw in place) and moderate
>>> connection counts per remote IP ?
>>>
>>> Type iii)
>>> (One fills your server with too many long fat pipes, first ACK and RTT)
>>> If on Freebsd, is "mbuf clusters in use" (netstat -m) moderate ?
>>> Do you get "kern.ipc.nmbclusters limit reached" in messages ?
>>>
>>> --
>>> Cheers, Felix


Re: [tor-relays] first impression with 0.3.2.8-rc at a fast exit relay

2017-12-22 Thread Toralf Förster
On 12/22/2017 03:48 PM, David Goulet wrote:
> Are you on BSD or Linux?

I do run a stable Gentoo hardened Linux with latest kernel (4.14.8 currently) 
and LibreSSL-2.6.4.

OTOH I was informed by my ISP that the server is being under attack currently - 
will observe its behaviour over the next days.

-- 
Toralf
PGP C4EACDDE 0076E94E





Re: [tor-relays] Recent wave of abuse on Tor guards

2017-12-22 Thread Stijn Jonker

All,

Just adding 0.02c; from the hosts going above 24 connections (my FW 
limit), the ASN's involved seem to focus on:

   5  LEASEWEB-USA-WDC-01 - Leaseweb USA, Inc., US
  18  OVH, FR
  25  LEASEWEB-NL-AMS-01 Netherlands, NL

That's 48 from the 72 IP's exhibiting this behaviour. Whereby the 
leaseweb ones are consecutive IP's.


Careful not to share IP's here :-)

All seen from the perspective of SJC01 / 
328E54981C6DDD7D89B89E418724A4A7881E3192


Stijn

On 22 Dec 2017, at 16:49, Pascal Terjan wrote:

> I got also 17 from ovh (under ip-54-36-51.eu) and plenty of
> leaseweb.com (didn't count) too but no your-server.de
>
> The OVH ones were interestingly 2 (nearby) consecutive blocks of 4 and
> 13 IPs (and are not relays)
>
> On 22 December 2017 at 15:23, Tyler Johnson wrote:
>> Every IP I was checking through Atlas which are part of the mentioned hosts
>> were NOT relays, all client connections.
>>
>> On Dec 22, 2017 9:20 AM, "niftybunny" wrote:
>>>
>>> That's “only” “relays” with multiple connections to your relay?
>>> Interesting to see Hetzner there …
>>>
>>> Markus
>>>
>>> On 22. Dec 2017, at 16:14, Tyler Johnson wrote:
>>>
>>> Out of 133 IPs blocked with my rather aggressive firewall ruleset:
>>>
>>> leaseweb.com - 26
>>> your-server.de - 66
>>> ip-54-36-51.eu - 17
>>>
>>> That was in < 24hrs.
>>>
>>> On Dec 22, 2017 3:38 AM, "niftybunny" wrote:
>>>>
>>>> Short answer:
>>>>
>>>> https://i.imgur.com/8QLptcz.png
>>>>
>>>> Around 15000 - 18000 connections I can see with netstat. Even my 300 mbit
>>>> exit has less and there are a lot of Leaseweb clients connecting to me ...
>>>> The interesting thing is, it comes and goes in waves. From 6000 (normal)
>>>> to 2 connections within an hour.
>>>> Someone doesn't like me very much :(
>>>>
>>>> Markus
>>>>
>>>> On 22. Dec 2017, at 08:42, Felix wrote:
>>>>
>>>> On 22-Dec-17 at 08:25, niftybunny wrote:
>>>>
>>>> Still under heavy attack even with the MaxMemInQueues and 0.3.2.8-rc. I
>>>> need 2 xeons to push 30 mbit as a guard/middle …
>>>>
>>>> Do you want to share some information:
>>>>
>>>> Type i)
>>>> (memory exhaustion by too many circuits)
>>>> What is the memory(top) per tor and its MaxMemInQueues ?
>>>> How many circuits per hour in log ?
>>>>
>>>> Type ii)
>>>> (cpu exhaustion by too many 'half open' tor connections)
>>>> Is your number of open files normal (fw in place) and moderate
>>>> connection counts per remote IP ?
>>>>
>>>> Type iii)
>>>> (One fills your server with too many long fat pipes, first ACK and RTT)
>>>> If on Freebsd, is "mbuf clusters in use" (netstat -m) moderate ?
>>>> Do you get "kern.ipc.nmbclusters limit reached" in messages ?
>>>>
>>>> --
>>>> Cheers, Felix


___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
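
The per-remote-IP connection count behind Felix's "Type ii" question and the firewall limits mentioned in this thread, as an added example that is not part of any poster's message. It assumes Linux `netstat -tn` column layout and an ORPort of 9001; the limit of 24 is the one Stijn quotes, the sample lines are constructed from documentation address ranges, and all function names are hypothetical.

```python
import ipaddress
from collections import Counter


def count_per_remote(netstat_lines, or_port, states=("ESTABLISHED",)):
    """Count TCP connections to the local or_port per remote IP address."""
    counts = Counter()
    for line in netstat_lines:
        fields = line.split()
        # Expected columns: Proto Recv-Q Send-Q Local Foreign State
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[5] not in states:
            continue
        local_port = fields[3].rsplit(":", 1)[-1]
        remote_ip = fields[4].rsplit(":", 1)[0]
        if local_port == str(or_port):
            counts[remote_ip] += 1
    return counts


def over_limit(counts, limit):
    """Remote IPs holding more connections than the per-IP limit."""
    return {ip: n for ip, n in counts.items() if n > limit}


def consecutive_blocks(ips):
    """Group IPv4 addresses into runs of numerically adjacent addresses.

    Returns (first_address, run_length) tuples, which makes the
    'consecutive IPs' pattern reported in the thread easy to spot.
    """
    numeric = sorted({int(ipaddress.IPv4Address(ip)) for ip in ips})
    runs = []
    for value in numeric:
        if runs and value == runs[-1][-1] + 1:
            runs[-1].append(value)
        else:
            runs.append([value])
    return [(str(ipaddress.IPv4Address(run[0])), len(run)) for run in runs]


def make_sample():
    """Constructed netstat -tn output; addresses are documentation ranges."""
    lines = ["Proto Recv-Q Send-Q Local Address Foreign Address State"]

    def add(remote_ip, n, local="203.0.113.5:9001"):
        for i in range(n):
            lines.append(f"tcp 0 0 {local} {remote_ip}:{40000 + i} ESTABLISHED")

    for last_octet in (10, 11, 12, 13):       # four adjacent heavy sources
        add(f"192.0.2.{last_octet}", 30)
    add("192.0.2.40", 26)                     # one isolated heavy source
    add("198.51.100.7", 3)                    # ordinary client, under the limit
    add("198.51.100.9", 50, local="203.0.113.5:22")  # not the ORPort, ignored
    return lines


if __name__ == "__main__":
    counts = count_per_remote(make_sample(), or_port=9001)
    flagged = over_limit(counts, limit=24)
    for ip, n in sorted(flagged.items()):
        print(f"{ip}: {n} connections")
    for first, length in consecutive_blocks(flagged):
        print(f"block starting at {first}: {length} address(es)")
```

On a live relay the input would be the lines of `netstat -tn` output; cross-checking flagged addresses against the relay list, as Tyler did through Atlas, separates clients from relays before any rule is applied.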


Re: [tor-relays] first impression with 0.3.2.8-rc at a fast exit relay

2017-12-22 Thread Conrad Rockenhaus
I just brought a 0.3.2.8 relay online at OVH, ConradsOVHRelay, 
A5C6D2EBCCA77D0B09364DD6B75FEC817AF977FA. For some reason Atlas says the 
bandwidth is 0, but I have it set to 625. I guess we’ll see how it does later.

Conrad


> On Dec 22, 2017, at 8:48 AM, David Goulet  wrote:
> 
> On 22 Dec (00:20:38), Toralf Förster wrote:
>> With 0.3.2.7-rc the command
>>  /usr/sbin/iftop -B -i eth0 -P -N -n -m 320M
>> showed every now and then (few times in an hour) for 10-20 sec a traffic 
>> value of nearly 0 bytes for the short-term period (the left of the 3 values).
>> Usually I do observe between 6 and 26 MByte/sec.
>> With the Tor version from today now the outage is about 1-2 sec, but does 
>> still occur.
> 
> Not sure I fully understand here what you mean. For 1 to 2 sec  you see
> 0 bytes of outbound traffic :| ?
> 
> Doing the same on my fast non-Exit relay (~20MB/s) on the latest 0.3.2, I'm
> always capped both ways on the connection.
> 
> This systematic delay really sounds more on the kernel side of things.
> 
> Are you on BSD or Linux?
> 
> Thanks!
> David
> 
>> Not sure, if this is an expected behaviour or a local problem.
>> 
>> -- 
>> Toralf
>> PGP C4EACDDE 0076E94E
>> 
> 
> 
> 
> 
> 
> 
> -- 
> DMdcRweJVXVbzthX2gDiX2OwwF5dP4HgkREJLd+rUJM=
> ___
> tor-relays mailing list
> tor-relays@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays



Re: [tor-relays] Become a Fallback Directory Mirror

2017-12-22 Thread Rejo Zenger
AA0D167E03E298F9A8CD50F448B81FBD7FA80D56


++ 21/12/17 10:50 +1100 - teor:
>Dear Relay Operators,
>
>Do you want your relay to be a Tor fallback directory mirror?
>Will it have the same address and port for the next 2 years?
>Just reply to this email with your relay's fingerprint.
>
>If your relay is on the current list, you don't need to do anything.
>
>If you're asking:
>
>Q: What's a fallback directory mirror?
>
>Fallback directory mirrors help Tor clients connect to the network.
>For more details, see [1].
>
>Q: Is my relay on the current list?
>
>Search [2] and [3] for your relay fingerprint or IP address and port.
>[2] is the current list of fallbacks in Tor.
>[3] is used to create the next list of fallbacks.
>
>Q: What do I need to do if my relay is on the list?
>
>Keep the same IP address, keys, and ports.
>Email tor-relays if the relay's details change.
>
>Q: Can my relay be on the list next time?
>
>We need fast relays that will be on the same IP address and port for 2
>years. Reply to this email to get on the list, or to update the details
>of your relay.
>
>Once or twice a year, we run a script to choose about 150-200 relays
>from the potential list [3] for the list in Tor [2].
>
>Q: Why didn't my relay get on the list last time?
>
>We check a relay's uptime, flags, and speed [4]. Sometimes, a relay might
>be down when we check. That's ok, we will check it again next time.
>
>It's good to have some new relays on the list every release. That helps
>tor clients, because blocking a changing list is harder.
>
>Q: What about the current relay DDoS?
>
>We don't think the DDoS will have much impact on the fallback list.
>
>If your relay is affected, please:
>* make sure it has enough available file descriptors, and
>* set MaxMemInQueues to the amount of RAM you have available per tor
>  instance (or maybe a few hundred MB less).
>
>We're also working on some code changes. See [5] for more details.
>
>[1]: https://trac.torproject.org/projects/tor/wiki/doc/FallbackDirectoryMirrors
>[2]: https://gitweb.torproject.org/tor.git/tree/src/or/fallback_dirs.inc
>[3]: 
>https://gitweb.torproject.org/tor.git/tree/scripts/maint/fallback.whitelist
>[4]: 
>https://trac.torproject.org/projects/tor/attachment/ticket/21564/fallbacks_2017-05-16-0815-09cd78886.log
>[5]: 
>https://lists.torproject.org/pipermail/tor-relays/2017-December/013881.html
>
>--
>Tim / teor
>
>PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
>ricochet:ekmygaiu4rzgsk6n
>
>






-- 
Rejo Zenger
E r...@zenger.nl | P +31(0)639642738 | W https://rejo.zenger.nl
T @rejozenger | J r...@zenger.nl

OpenPGP   1FBF 7B37 6537 68B1 2532  A4CB 0994 0946 21DB EFD4
XMPP OTR  271A 9186 AFBC 8124 18CF  4BE2 E000 E708 F811 5ACF




Re: [tor-relays] Become a Fallback Directory Mirror

2017-12-22 Thread Fabian A. Santiago
December 20, 2017 6:51 PM, "teor"  wrote:

> Dear Relay Operators,
> 
> Do you want your relay to be a Tor fallback directory mirror?
> Will it have the same address and port for the next 2 years?
> Just reply to this email with your relay's fingerprint.
> 
> If your relay is on the current list, you don't need to do anything.
> 
> If you're asking:
> 
> Q: What's a fallback directory mirror?
> 
> Fallback directory mirrors help Tor clients connect to the network.
> For more details, see [1].
> 
> Q: Is my relay on the current list?
> 
> Search [2] and [3] for your relay fingerprint or IP address and port.
> [2] is the current list of fallbacks in Tor.
> [3] is used to create the next list of fallbacks.
> 
> Q: What do I need to do if my relay is on the list?
> 
> Keep the same IP address, keys, and ports.
> Email tor-relays if the relay's details change.
> 
> Q: Can my relay be on the list next time?
> 
> We need fast relays that will be on the same IP address and port for 2
> years. Reply to this email to get on the list, or to update the details
> of your relay.
> 
> Once or twice a year, we run a script to choose about 150-200 relays
> from the potential list [3] for the list in Tor [2].
> 
> Q: Why didn't my relay get on the list last time?
> 
> We check a relay's uptime, flags, and speed [4]. Sometimes, a relay might
> be down when we check. That's ok, we will check it again next time.
> 
> It's good to have some new relays on the list every release. That helps
> tor clients, because blocking a changing list is harder.
> 
> Q: What about the current relay DDoS?
> 
> We don't think the DDoS will have much impact on the fallback list.
> 
> If your relay is affected, please:
> * make sure it has enough available file descriptors, and
> * set MaxMemInQueues to the amount of RAM you have available per tor
> instance (or maybe a few hundred MB less).
> 
> We're also working on some code changes. See [5] for more details.
> 
> [1]: 
> https://trac.torproject.org/projects/tor/wiki/doc/FallbackDirectoryMirrors
> [2]: https://gitweb.torproject.org/tor.git/tree/src/or/fallback_dirs.inc
> [3]: 
> https://gitweb.torproject.org/tor.git/tree/scripts/maint/fallback.whitelist
> [4]:
> https://trac.torproject.org/projects/tor/attachment/ticket/21564/fallbacks_2017-05-16-0815-09cd78886.log
> [5]: 
> https://lists.torproject.org/pipermail/tor-relays/2017-December/013881.html
> 
> --
> Tim / teor
> 
> PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
> ricochet:ekmygaiu4rzgsk6n
> 
> 

well, i intend to keep mine up indefinitely (barring the unforeseen) so why not?

2 relays:

D122094E396DF8BA560843E7B983B0EA649B7DF9
E911A899D51036A5D2A9DE0931A0A1E8DA4C6148

thanks.


--

Thanks,

Fabian S.

OpenPGP: 3C3FA072ACCB7AC5DB0F723455502B0EEB9070FC


Re: [tor-relays] Recent wave of abuse on Tor guards

2017-12-22 Thread Roger Dingledine
> On Thu, Dec 21, 2017 at 10:11:47PM +0100, Felix wrote:
> My current thought is that these are actually Tor clients, not intentional
> denial-of-service attacks, but there are millions of them so they are
> producing surprises and damage. (Also, maybe there is not a human behind
> each of the Tor clients, so maybe we shouldn't value them as much as we
> would value more Tor Browser users.)

I've started the process of cranking down the extra circuits that new
clients make:
https://trac.torproject.org/24716

With luck, over the next day or so things will get better. We'll learn
something about the issue either way.

Keep an eye on your "Circuit handshake stats since last time"
notice-level log lines over the next day or two.

(This won't resolve the "way too many connections" issue though. One
step at a time. :)

--Roger
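
One way to keep an eye on the "Circuit handshake stats since last time" lines mentioned above, as an added example that is not part of the original post or of Tor's own tooling. The log lines are constructed, the reading of each pair as processed/requested and the two thresholds are assumptions, and the function names are hypothetical.

```python
import re
from statistics import median

# Constructed notice-level log lines (timestamps and counts are made up).
# Assumption: each "A/B" pair is handshakes processed / handshakes requested
# during the interval since the previous line.
SAMPLE_LOG = """\
Dec 22 06:00:00.000 [notice] Circuit handshake stats since last time: 1204/1204 TAP, 98231/98231 NTor.
Dec 22 12:00:00.000 [notice] Circuit handshake stats since last time: 1180/1180 TAP, 101877/101877 NTor.
Dec 22 18:00:00.000 [notice] Circuit handshake stats since last time: 41250/398112 TAP, 655360/702144 NTor.
Dec 23 00:00:00.000 [notice] Heartbeat: Tor's uptime is 3 days 0:00 hours, with 18021 circuits open.
Dec 23 00:00:00.000 [notice] Circuit handshake stats since last time: 1302/1302 TAP, 110034/110034 NTor.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) \[notice\] "
    r"Circuit handshake stats since last time: "
    r"(?P<tap_done>\d+)/(?P<tap_req>\d+) TAP, "
    r"(?P<ntor_done>\d+)/(?P<ntor_req>\d+) NTor\.$"
)


def parse_handshake_lines(log_text):
    """Extract one record per handshake-stats line; other lines are ignored."""
    intervals = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        intervals.append({
            "ts": m["ts"],
            "requested": {"TAP": int(m["tap_req"]), "NTor": int(m["ntor_req"])},
            "processed": {"TAP": int(m["tap_done"]), "NTor": int(m["ntor_done"])},
        })
    return intervals


def review_intervals(intervals, max_drop=0.05, spike_factor=3.0):
    """Flag intervals where the relay could not keep up or demand jumped.

    max_drop:     tolerated fraction of requested handshakes left unprocessed.
    spike_factor: how many times the median of earlier quiet intervals the
                  request count may reach before it is reported.
    """
    quiet_totals = []  # request totals of intervals that raised no flag
    report = []
    for iv in intervals:
        reasons = []
        dropped = {}
        for kind in ("TAP", "NTor"):
            req = iv["requested"][kind]
            dropped[kind] = max(req - iv["processed"][kind], 0)
            if req and dropped[kind] / req > max_drop:
                reasons.append(
                    f"{kind}: {dropped[kind]}/{req} handshakes not processed")
        total = sum(iv["requested"].values())
        if quiet_totals and total > spike_factor * median(quiet_totals):
            ratio = total / median(quiet_totals)
            reasons.append(f"requests at {ratio:.1f}x the quiet-interval median")
        if not reasons:
            quiet_totals.append(total)  # only quiet intervals feed the baseline
        report.append({"ts": iv["ts"], "total": total,
                       "dropped": dropped, "reasons": reasons})
    return report


if __name__ == "__main__":
    for row in review_intervals(parse_handshake_lines(SAMPLE_LOG)):
        status = "; ".join(row["reasons"]) or "ok"
        print(f'{row["ts"]}  requested={row["total"]:>8}  {status}')
```

Feeding it the notice log before and after a change such as the one described above shows whether the number of requested handshakes per interval actually falls.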



[tor-relays] MaxMemInQueues - per host, or per instance?

2017-12-22 Thread Igor Mitrofanov
Hi,

Is MaxMemInQueues parameter per-host (global) or per-instance?
Say, there are 10 relays on the same 24 GB host. Should I set
MaxMemInQueues to 20 GB, or 2 GB in each torrc?

Thanks,
Igor


Re: [tor-relays] MaxMemInQueues - per host, or per instance?

2017-12-22 Thread r1610091651
I would expect it to be per instance. Instances are independent of each
other. Further one can only run 2 instances max / ip.

On Fri, 22 Dec 2017 at 20:40 Igor Mitrofanov 
wrote:

> Hi,
>
> Is MaxMemInQueues parameter per-host (global) or per-instance?
> Say, there are 10 relays on the same 24 GB host. Should I set
> MaxMemInQueues to 20 GB, or 2 GB in each torrc?
>
> Thanks,
> Igor


Re: [tor-relays] MaxMemInQueues - per host, or per instance?

2017-12-22 Thread Igor Mitrofanov
Thanks. I do have the IP space.

It is a pity multiple instances cannot watch the overall RAM
remaining. I have quite a bit of RAM left, but there are large
discrepancies in terms of how much RAM different relays are using (>3
GB for some, <1 GB for others), so it will be tricky to set
MaxMemInQueues without making it too conservative.

On Fri, Dec 22, 2017 at 11:46 AM, r1610091651  wrote:
> I would expect it to be per instance. Instances are independent of each
> other. Further one can only run 2 instances max / ip.
>
> On Fri, 22 Dec 2017 at 20:40 Igor Mitrofanov 
> wrote:
>>
>> Hi,
>>
>> Is MaxMemInQueues parameter per-host (global) or per-instance?
>> Say, there are 10 relays on the same 24 GB host. Should I set
>> MaxMemInQueues to 20 GB, or 2 GB in each torrc?
>>
>> Thanks,
>> Igor


Re: [tor-relays] MaxMemInQueues - per host, or per instance?

2017-12-22 Thread r1610091651
I'm wondering if it is necessary to have a lot of ram assigned to queues?
Is there some rule of thumb to determine the proper sizing? Based on number
of circuits maybe?

Do the wise-minds have a guidance on this one?

On Fri, 22 Dec 2017 at 21:08 Igor Mitrofanov 
wrote:

> Thanks. I do have the IP space.
>
> It is a pity multiple instances cannot watch the overall RAM
> remaining. I have quite a bit of RAM left, but there are large
> discrepancies in terms of how much RAM different relays are using (>3
> GB for some, <1 GB for others), so it will be tricky to set
> MaxMemInQueues without making it too conservative.
>
> On Fri, Dec 22, 2017 at 11:46 AM, r1610091651 
> wrote:
> > I would expect it to be per instance. Instances are independent of each
> > other. Further one can only run 2 instances max / ip.
> >
> > On Fri, 22 Dec 2017 at 20:40 Igor Mitrofanov <
> igor.n.mitrofa...@gmail.com>
> > wrote:
> >>
> >> Hi,
> >>
> >> Is MaxMemInQueues parameter per-host (global) or per-instance?
> >> Say, there are 10 relays on the same 24 GB host. Should I set
> >> MaxMemInQueues to 20 GB, or 2 GB in each torrc?
> >>
> >> Thanks,
> >> Igor


Re: [tor-relays] Become a Fallback Directory Mirror

2017-12-22 Thread Dennis Emory Hannon
Tim,

5E56738E7F97AA81DEEF59AF28494293DFBFCCDF





Thanks,

Hostmaster@:
Mr. Dennis Emory Hannon
BackplaneDNS.org / Backplane LLC

Phone:
+1 (716) 348-0064

Linkedin:
http://linkedin.com/in/dennis-hannon-52236019/




[tor-relays] warning messages

2017-12-22 Thread Arisbe

Hello All,

In recent weeks I have noticed some warning messages on several of my 
VPS relays [1], [2].


"20:48:48.000 [warn] Tried to establish rendezvous on non-ORcircuit with 
purpose Acting as rendevous (pending)"


I get these in modest numbers as (97 hidden).  Is this a characteristic of the 
guard relay abuse issue?

Thanks for some advice.

[1]  9B31F1F1C1554F9FFB3455911F82E818EF7C7883
[2]  B06F093A3D4DFAD3E923F4F28A74901BD4F74EB1



Re: [tor-relays] MaxMemInQueues - per host, or per instance?

2017-12-22 Thread David Goulet
On 22 Dec (20:37:37), r1610091651 wrote:
> I'm wondering if it is necessary to have a lot of ram assigned to queues?
> Is there some rule of thumb to determine the proper sizing? Based on number
> of circuits maybe?

So there are probably many different answers to this or ways to look at
it but I can speak on how "tor" is built and why it is important to have
this memory limit assigned to queues.

A tor relay gets cells in and most of the time will relay them so send
them outbound. But for every cell that comes in, we need to do some
processing on them that is mostly decryption work.

So we get them, process then put them on a circuit queue. Then tor does
its best to dequeue a "not too big amount of cells" from a circuit and
puts them on the outbound connection buffers which, when the socket is
writable, will be flushed onto the network (write to the socket).

The MaxMemInQueues parameter basically tells the tor OOM handler when it
is time to start cleaning up allocated memories. But here is the catch,
it only handles cells on circuit queues, not connection's buffer (it
actually handles other things but the majority of allocated data is in
cells usually).

For that reason, we are better off for now to keep relays with a sane
value for MaxMemInQueues so the OOM is actually triggered before the
load goes out of control.

If that MaxMemInQueues value is not set in your torrc, tor will pick 3/4
of the total memory of your system. Usually, this is fine for most use
cases but if your machine has 16GB of RAM but only 4GB are available,
problem. So when setting it, it is not that easy to come up with a good
value but a rule of thumb for now is look at how much memory you have
available normally and estimate around it. It is also important to not
go too low, a fast relay limited to 1GB for instance will start to
degrade performance by killing circuits more often if it sees 20MB/s
(empirically speaking).

I think we could do a better job at estimating it when not set, we could
do a better job with the OOM, we could do a lot more but unfortunately for
now, this is the state of things we need to deal with. We'll be trying to
work on more DoS resistance features hopefully in the near future.

Hope this helps!

Cheers!
David

> 
> Do the wise-minds have a guidance on this one?
> 
> On Fri, 22 Dec 2017 at 21:08 Igor Mitrofanov 
> wrote:
> 
> > Thanks. I do have the IP space.
> >
> > It is a pity multiple instances cannot watch the overall RAM
> > remaining. I have quite a bit of RAM left, but there are large
> > discrepancies in terms of how much RAM different relays are using (>3
> > GB for some, <1 GB for others), so it will be tricky to set
> > MaxMemInQueues without making it too conservative.
> >
> > On Fri, Dec 22, 2017 at 11:46 AM, r1610091651 
> > wrote:
> > > I would expect it to be per instance. Instances are independent of each
> > > other. Further one can only run 2 instances max / ip.
> > >
> > > On Fri, 22 Dec 2017 at 20:40 Igor Mitrofanov <
> > igor.n.mitrofa...@gmail.com>
> > > wrote:
> > >>
> > >> Hi,
> > >>
> > >> Is MaxMemInQueues parameter per-host (global) or per-instance?
> > >> Say, there are 10 relays on the same 24 GB host. Should I set
> > >> MaxMemInQueues to 20 GB, or 2 GB in each torrc?
> > >>
> > >> Thanks,
> > >> Igor


-- 
tPcuU+9hl1BRjXh3xHhFgg22HULt2edIxY5kAKLBPPA=




Re: [tor-relays] first impression with 0.3.2.8-rcant a fast exit relay

2017-12-22 Thread teor

> On 23 Dec 2017, at 03:38, Conrad Rockenhaus  wrote:
> 
> I just brought a 0.3.2.8 relay online at OVH, ConradsOVHRelay, 
> A5C6D2EBCCA77D0B09364DD6B75FEC817AF977FA. For some reason Atlas says the 
> bandwidth is 0, but I have it set to 625. I guess we’ll see how it does later.

The displayed bandwidth is the minimum of a number of different figures.

You can tap or mouseover the bandwidth figure to find out the different
components.

T

--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org








Re: [tor-relays] warning messages

2017-12-22 Thread teor

> On 23 Dec 2017, at 08:08, Arisbe  wrote:
> 
> Hello All,
> 
> In recent weeks I have noticed some warning messages on several of my VPS 
> relays [1], [2].
> 
> "20:48:48.000 [warn] Tried to establish rendezvous on non-ORcircuit with 
> purpose Acting as rendevous (pending)"
> 
> I get these in modest numbers as (97 hidden).  Is this a characteristic of 
> the guard relay abuse issue?
> 
> Thanks for some advice.
> 
> [1]  9B31F1F1C1554F9FFB3455911F82E818EF7C7883
> [2]  B06F093A3D4DFAD3E923F4F28A74901BD4F74EB1

This is a known issue, and there is a ticket for it:

https://trac.torproject.org/projects/tor/ticket/15618

It has been happening for some time, and is unrelated to the current
network load increase.

T

--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org








Re: [tor-relays] Become a Fallback Directory Mirror

2017-12-22 Thread teor

> On 23 Dec 2017, at 04:09, Fabian A. Santiago  
> wrote:
> 
> well, i intend to keep mine up indefinitely (barring the unforeseen) so why 
> not?
> 
> 2 relays:
> 
> D122094E396DF8BA560843E7B983B0EA649B7DF9
> E911A899D51036A5D2A9DE0931A0A1E8DA4C6148

Hi,

Fallbacks need a DirPort.
Please let me know when you've configured one.

For details, see:
https://lists.torproject.org/pipermail/tor-relays/2017-December/013927.html

T

--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org








Re: [tor-relays] Become a Fallback Directory Mirror

2017-12-22 Thread teor

> On 22 Dec 2017, at 22:19, Aneesh Dogra  wrote:
> 
> Thanks for your reply. I have added my DirPort in torrc as 9030 and restarted 
> my relay. Let me know if you need anything else.

I'm still not seeing a DirPort in Relay Search:
https://atlas.torproject.org/#details/D8972986BE19E0287770DF51C47C630A53DC6E97

Do you have AccountingMax set?
Then your relay can't be a reliable fallback directory mirror.

Otherwise, please copy and paste the DirPort lines in your torrc, and
the messages that Tor logs about your DirPort when it starts up.

T

--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org








Re: [tor-relays] Become a Fallback Directory Mirror

2017-12-22 Thread Fabian A. Santiago
On December 22, 2017 5:48:59 PM EST, teor  wrote:
>
>> On 23 Dec 2017, at 04:09, Fabian A. Santiago
> wrote:
>> 
>> well, i intend to keep mine up indefinitely (barring the unforeseen)
>so why not?
>> 
>> 2 relays:
>> 
>> D122094E396DF8BA560843E7B983B0EA649B7DF9
>> E911A899D51036A5D2A9DE0931A0A1E8DA4C6148
>
>Hi,
>
>Fallbacks need a DirPort.
>Please let me know when you've configured one.
>
>For details, see:
>https://lists.torproject.org/pipermail/tor-relays/2017-December/013927.html
>
>T
>
>--
>Tim Wilson-Brown (teor)
>
>teor2345 at gmail dot com
>PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
>ricochet:ekmygaiu4rzgsk6n
>xmpp: teor at torproject dot org
>

Oh I did. But the startup log (journalctl) states since I call AccountingMax in 
torrc, Tor wouldn't publish it. Didn't even consider that. So deal breaker I 
suppose? Will it never publish it with that parameter in place? These are new 
(less than 2 weeks) and I was initially told by the list that it wouldn't get 
published right away until Tor figures out that my Max value won't be 
surpassed. They're both on port 80 in my torrc files.

--

Thanks,

Fabian S.

OpenPGP: 3C3FA072ACCB7AC5DB0F723455502B0EEB9070FC


Re: [tor-relays] Become a Fallback Directory Mirror

2017-12-22 Thread Fabian A. Santiago
On December 22, 2017 5:55:16 PM EST, "Fabian A. Santiago" 
 wrote:
>On December 22, 2017 5:48:59 PM EST, teor  wrote:
>>
>>> On 23 Dec 2017, at 04:09, Fabian A. Santiago
>> wrote:
>>> 
>>> well, i intend to keep mine up indefinitely (barring the unforeseen)
>>so why not?
>>> 
>>> 2 relays:
>>> 
>>> D122094E396DF8BA560843E7B983B0EA649B7DF9
>>> E911A899D51036A5D2A9DE0931A0A1E8DA4C6148
>>
>>Hi,
>>
>>Fallbacks need a DirPort.
>>Please let me know when you've configured one.
>>
>>For details, see:
>>https://lists.torproject.org/pipermail/tor-relays/2017-December/013927.html
>>
>>T
>>
>>--
>>Tim Wilson-Brown (teor)
>>
>>teor2345 at gmail dot com
>>PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
>>ricochet:ekmygaiu4rzgsk6n
>>xmpp: teor at torproject dot org
>>
>
>Oh I did. But the startup log (journalctl) states since I call
>AccountingMax in torrc, Tor wouldn't publish it. Didn't even consider
>that. So deal breaker I suppose? Will it never publish it with that
>parameter in place? These are new (less than 2 weeks) and I was
>initially told by the list that it wouldn't get published right away
>until Tor figures out that my Max value won't be surpassed. They're
>both on port 80 in my torrc files.
>
>--
>
>Thanks,
>
>Fabian S.
>
>OpenPGP: 3C3FA072ACCB7AC5DB0F723455502B0EEB9070FC

I just saw another reply of yours answering my question. Then please disregard 
my submittal. Sorry. 

--

Thanks,

Fabian S.

OpenPGP: 3C3FA072ACCB7AC5DB0F723455502B0EEB9070FC


Re: [tor-relays] New Relay Online/Working on AWS Cloud Torproject

2017-12-22 Thread nusenu
> Speaking of which, I do wonder what the thoughts are on this idea. I
> would like to have two derivatives of the cloud package, one for
> novices and one for those who do not consider themselves novices. The
> novice package will be centrally managed by Puppet, so all the user
> has to do is spin up an instance, updates will be handled by the
> master.

So your image will include a puppet master? Or do you intend to run a single master
(under your control) to control other people's relays? (I hope you are not proposing that.)


> The non-novice package will be managed by chef. My main question is
> what are the thoughts on using Puppet? Would that be an acceptable
> solution for a non-novice solution or is that too much of a risk?



-- 
https://mastodon.social/@nusenu
twitter: @nusenu_





Re: [tor-relays] MaxMemInQueues - per host, or per instance?

2017-12-22 Thread r1610091651
So
it will hurt Tor if we have too little buffers -> killing circuits ->
unstable connections
it will hurt Tor if we have too much buffers -> process out of control ->
unstable instance

Would it be possible to guesstimate typical circuit buffer size?

One could then estimate value not too big / small based on the number of
circuit running through relay.

If we were to say that a circuit would typically need 128k, one could
estimate the setting for a 5K circuit relay to be ~600MB.

Regards

On Fri, 22 Dec 2017 at 22:55 David Goulet  wrote:

> On 22 Dec (20:37:37), r1610091651 wrote:
> > I'm wondering if it is necessary to have a lot of ram assigned to queues?
> > Is there some rule of thumb to determine the proper sizing? Based on
> number
> > of circuits maybe?
>
> So there are probably many different answers to this or ways to look at
> it but I can speak on how "tor" is built and why it is important to have
> this memory limit assigned to queues.
>
> A tor relay gets cells in and most of the time will relay them so send
> them outbound. But for every cell that comes in, we need to do some
> processing on them that is mostly decryption work.
>
> So we get them, process then put them on a circuit queue. Then tor does
> its best to dequeue a "not too big amount of cells" from a circuit and
> puts them on the outbound connection buffers which, when the socket is
> writable, will be flushed onto the network (write to the socket).
>
> The MaxMemInQueues parameter basically tells the tor OOM handler when it
> is time to start cleaning up allocated memories. But here is the catch,
> it only handles cells on circuit queues, not connection's buffer (it
> actually handles other things but the majority of allocated data is in
> cells usually).
>
> For that reason, we are better off for now to keep relays with a sane
> value for MaxMemInQueues so the OOM is actually triggered before the
> load goes out of control.
>
> If that MaxMemInQueues value is not set in your torrc, tor will pick 3/4
> of the total memory of your system. Usually, this is fine for most use
> cases but if your machine has 16GB of RAM but only 4GB are available,
> problem. So when setting it, it is not that easy to come up with a good
> value but a rule of thumb for now is look at how much memory you have
> available normally and estimate around it. It is also important to not
> go too low, a fast relay limited to 1GB for instance will start to
> degrade performance by killing circuits more often if it sees 20MB/s
> (empirically speaking).
>
> I think we could do a better job at estimating it when not set, we could
> do a better job with the OOM, we could do a lot more but unfortunately for
> now, this is the state of things we need to deal with. We'll be trying to
> work on more DoS resistance features hopefully in the near future.
>
> Hope this helps!
>
> Cheers!
> David
>
> >
> > Do the wise-minds have a guidance on this one?
> >
> > On Fri, 22 Dec 2017 at 21:08 Igor Mitrofanov <
> igor.n.mitrofa...@gmail.com>
> > wrote:
> >
> > > Thanks. I do have the IP space.
> > >
> > > It is a pity multiple instances cannot watch the overall RAM
> > > remaining. I have quite a bit of RAM left, but there are large
> > > discrepancies in terms of how much RAM different relays are using (>3
> > > GB for some, <1 GB for others), so it will be tricky to set
> > > MaxMemInQueues without making it too conservative.
> > >
> > > On Fri, Dec 22, 2017 at 11:46 AM, r1610091651 
> > > wrote:
> > > > > I would expect it to be per instance. Instances are independent of
> each
> > > > other. Further one can only run 2 instances max / ip.
> > > >
> > > > On Fri, 22 Dec 2017 at 20:40 Igor Mitrofanov <
> > > igor.n.mitrofa...@gmail.com>
> > > > wrote:
> > > >>
> > > >> Hi,
> > > >>
> > > >> Is MaxMemInQueues parameter per-host (global) or per-instance?
> > > >> Say, there are 10 relays on the same 24 GB host. Should I set
> > > >> MaxMemInQueues to 20 GB, or 2 GB in each torrc?
> > > >>
> > > >> Thanks,
> > > >> Igor
>
> --
> tPcuU+9hl1BRjXh3xHhFgg22HULt2edIxY5kAKLBPPA=

Re: [tor-relays] MaxMemInQueues - per host, or per instance?

2017-12-22 Thread teor

> On 23 Dec 2017, at 10:59, r1610091651  wrote:
> 
> So
> it will hurt Tor if we have too little buffers -> killing circuits -> 
> unstable connections
> it will hurt Tor if we have too much buffers -> process out of control -> 
> unstable instance
> 
> Would it be possible to guesstimate typical circuit buffer size?

Not really.

> One could then estimate value not too big / small based on the number of 
> circuit running through relay.

The number of circuits varies over time based on client load
and relay capacity.

> If we were to say that a circuit would typically need 128k, one could 
> estimate the setting for a 5K circuit relay to be ~600MB.

On my machines, relays typically use 800 MB, and exits use
about 1 GB. But it varies a lot.

So it's better to tell Tor how much RAM you have available.
Then you can let the network load balancing send the right
amount of client circuits your way.

For example, I have a relay with 32 GB of RAM.
The RAM and CPU usage spike at times, but it's fine :-)

T
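
The sizing advice from this thread (the limit is per instance, the unset default is 3/4 of total memory, and the value should follow the RAM actually available per instance, minus a few hundred MB) worked through for the 10-relays-on-a-24-GB-host question. This is an added example, not code from the Tor Project or from any poster; the meminfo excerpt is constructed, the function names are hypothetical, and the 300 MB headroom and 1 GB floor are assumptions taken from figures quoted in the thread.

```python
import re

MIB = 1024 * 1024

# Constructed /proc/meminfo excerpt for a 24 GB host; not measured data.
# Assumption: MemAvailable was read with the tor instances stopped (while
# they run, their own memory is not counted as available).
SAMPLE_MEMINFO = """\
MemTotal:       25165824 kB
MemFree:         1310720 kB
MemAvailable:   20971520 kB
SwapTotal:             0 kB
"""


def parse_meminfo(text):
    """Return {field: bytes} for the 'Name:  N kB' lines of /proc/meminfo."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s+(\d+)\s+kB\s*$", line)
        if m:
            fields[m.group(1)] = int(m.group(2)) * 1024
    return fields


def plan_max_mem_in_queues(meminfo_text, instances,
                           headroom_mib=300, floor_mib=1024):
    """Split the host's available memory into per-instance MaxMemInQueues.

    headroom_mib: the "few hundred MB less" kept back per instance, because
                  the limit covers circuit queues and not everything tor
                  allocates (connection buffers are outside it).
    floor_mib:    limit at or below which the thread reports a fast relay
                  starts killing circuits more often (1 GB at about 20 MB/s).
    """
    if instances < 1:
        raise ValueError("instances must be at least 1")
    mem = parse_meminfo(meminfo_text)
    total, available = mem["MemTotal"], mem["MemAvailable"]

    # What each instance would pick on its own if the option were unset,
    # per the thread: 3/4 of *total* memory, with no knowledge of siblings.
    default_each = total * 3 // 4

    limit_mib = (available // instances) // MIB - headroom_mib
    if limit_mib <= 0:
        raise ValueError("not enough available memory for that many instances")

    return {
        "per_instance_mib": limit_mib,
        # tor reads "MB" in torrc memory options as 2**20 bytes.
        "torrc_line": f"MaxMemInQueues {limit_mib} MB",
        "default_per_instance_mib": default_each // MIB,
        # Sum of the unset defaults relative to physical RAM; above 1.0 the
        # per-instance OOM handlers cannot all trigger before the host is out
        # of memory.
        "default_overcommit": instances * default_each / total,
        "below_floor": limit_mib <= floor_mib,
    }


if __name__ == "__main__":
    for n in (1, 10, 20):
        p = plan_max_mem_in_queues(SAMPLE_MEMINFO, n)
        note = "  (at or below the 1 GB floor)" if p["below_floor"] else ""
        print(f"{n:>2} instances: {p['torrc_line']}{note}; "
              f"unset defaults would sum to {p['default_overcommit']:.2f}x RAM")
```

On a live host, pass the contents of `/proc/meminfo` instead of the sample and put the resulting line into each instance's torrc.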


[tor-relays] getrelays

2017-12-22 Thread G Dived
Neet relays

Sent from Mail for Windows 10
