Re: [tor-relays] Log warning : possible (zlib) compression bomb on middle relays

2020-11-02 Thread petrarca
Same here - obviously something happening all over in Tor (timezone is CET):

Nov 02 05:29:24.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:29:25.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:29:29.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:29:36.000 [warn] Possible compression bomb; abandoning stream.

‐‐‐ Original Message ‐‐‐
On Monday, 2 November 2020 17:59, Christoph Graf wrote:

> Same here on my bridge:
>
> Nov 2 06:21:04 raspipfupf Tor[2556]: Possible zlib bomb; abandoning stream.
> Nov 2 06:21:04 raspipfupf Tor[2556]: Possible zlib bomb; abandoning stream.
>
> Time is UTC+1, nothing before and after
>
> Cheers, Christoph
>
> On 02.11.20 11:05, Guinness wrote:
>
>> Hi all,
>>
>> We are at least 3 users running middle relays from 0.4.4.5 and after having
>> some logs like those :
>> ```
>> Nov 02 05:30:55.000 [warn] Possible compression bomb; abandoning stream.
>> Nov 02 05:30:55.000 [warn] Possible zlib bomb; abandoning stream.
>> Nov 02 05:30:56.000 [warn] Possible compression bomb; abandoning stream.
>> Nov 02 05:31:00.000 [warn] Possible compression bomb; abandoning stream.
>> Nov 02 05:31:00.000 [warn] Possible compression bomb; abandoning stream.
>> Nov 02 05:31:00.000 [warn] Possible compression bomb; abandoning stream.
>> Nov 02 05:31:55.000 [warn] Possible compression bomb; abandoning stream.
>> Nov 02 05:31:56.000 [warn] Possible compression bomb; abandoning stream.
>> ```
>>
>> I'm wondering if this is an attack or a new feature (haven't checked
>> yet) but I'd like to know how many users are impacted.
>>
>> The interesting information is:
>>  * Number of warnings
>>  * What kind of relay it is (middle, exit, entry)
>>
>> After your answers, I'll complete the issue I have opened on the bug
>> tracker.
>>
>> Cheers,
>>
>> ___
>> tor-relays mailing list
>> tor-relays@lists.torproject.org
>>
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] Abuse received for middle node (part of the current problem)

2020-11-02 Thread Roger Dingledine
On Mon, Nov 02, 2020 at 09:53:09PM +0100, Olaf Grimm wrote:
> I have just received two abuse messages from ISP Scaleway Elements for
> two of my middle nodes. Until now I thought this was not possible.
> 
> No problem for me. Only here for your information.

I get periodic abuse complaints to my directory authority, from people
who think I am attacking them, when really what they are seeing is
connections from *their* users to *my* Tor relay.

Their crappy firewall software interprets the "syn ack" from my server
as being an outgoing connection attempt to them, and so they think they
need to complain to my hoster.

See one example that somebody else experienced here:
https://lists.torproject.org/pipermail/tor-relays/2020-May/018450.html

Keep fighting the good fight,
--Roger



Re: [tor-relays] Abuse received for middle node (part of the current problem)

2020-11-02 Thread George
On 11/2/20 3:53 PM, Olaf Grimm wrote:
> I have just received two abuse messages from ISP Scaleway Elements for
> two of my middle nodes. Until now I thought this was not possible.
> 
> No problem for me. Only here for your information.

This happened to me a while ago, even though there was no exit traffic
from the long-term relay.

Roger mentioned that sometimes the suspicious are confusing ingress and
egress traffic.  Sounds idiotic, but that would speak to the state of
the sysadmin craft today.

I do think it's worth asking them if they're sure it's incoming and not
someone connecting *from* their network.

g


[tor-relays] Abuse received for middle node (part of the current problem)

2020-11-02 Thread Olaf Grimm
I have just received two abuse messages from ISP Scaleway Elements for
two of my middle nodes. Until now I thought this was not possible.

No problem for me. Only here for your information.

Olaf




Re: [tor-relays] Log warning : possible (zlib) compression bomb on middle relays

2020-11-02 Thread Paul Geurts
same here,

my 4 relays (guards) all had this log entry, with one of them the log
entries are spread over a quarter of an hour (2 tor instances running on
this one):
(this one is on Central European time zone, CET)

Nov  2 05:15:22 : Possible compression bomb; abandoning stream.
Nov  2 05:15:23 : message repeated 2 times: [ Possible compression bomb; abandoning stream.]
Nov  2 05:16:21 : Possible zlib bomb; abandoning stream.
Nov  2 05:16:21 : Possible compression bomb; abandoning stream.
Nov  2 05:17:21 : Possible zlib bomb; abandoning stream.
Nov  2 05:17:21 : Possible compression bomb; abandoning stream.
Nov  2 05:19:21 : message repeated 5 times: [ Possible compression bomb; abandoning stream.]
Nov  2 05:19:21 : Possible zlib bomb; abandoning stream.
Nov  2 05:19:21 : Possible zlib bomb; abandoning stream.
Nov  2 05:20:21 : Possible compression bomb; abandoning stream.
Nov  2 05:22:21 : message repeated 4 times: [ Possible compression bomb; abandoning stream.]
Nov  2 05:22:21 : Possible zlib bomb; abandoning stream.
Nov  2 05:22:21 : Possible compression bomb; abandoning stream.
Nov  2 05:23:21 : Possible zlib bomb; abandoning stream.
Nov  2 05:23:21 : Possible compression bomb; abandoning stream.
Nov  2 05:23:21 : Possible compression bomb; abandoning stream.
Nov  2 05:24:21 : Possible zlib bomb; abandoning stream.
Nov  2 05:24:21 : Possible compression bomb; abandoning stream.
Nov  2 05:24:21 : Possible compression bomb; abandoning stream.
Nov  2 05:25:21 : Possible compression bomb; abandoning stream.
Nov  2 05:26:21 : message repeated 3 times: [ Possible compression bomb; abandoning stream.]
Nov  2 05:26:21 : Possible zlib bomb; abandoning stream.
Nov  2 05:26:23 : Possible compression bomb; abandoning stream.
Nov  2 05:27:21 : Possible compression bomb; abandoning stream.
Nov  2 05:29:39 : Possible compression bomb; abandoning stream.
Nov  2 05:29:44 : message repeated 3 times: [ Possible compression bomb; abandoning stream.]




gr. Paul


On Mon, Nov 2, 2020 at 9:28 PM Chris Dagdigian wrote:

> Same on my US exit relay:
>
> Nov 02 04:03:50.000 [warn] Possible zlib bomb; abandoning stream.
> Nov 02 04:03:50.000 [warn] Possible zlib bomb; abandoning stream.
>
>
>
>
> Christoph Graf 
> November 2, 2020 at 11:59 AM
>
> Same here on my bridge:
>
> Nov  2 06:21:04 raspipfupf Tor[2556]: Possible zlib bomb; abandoning stream.
> Nov  2 06:21:04 raspipfupf Tor[2556]: Possible zlib bomb; abandoning stream.
>
> Time is UTC+1, nothing before and after
>
> Cheers, Christoph
> On 02.11.20 11:05, Guinness wrote:
>
>
> Guinness 
> November 2, 2020 at 5:05 AM
> Hi all,
>
> We are at least 3 users running middle relays from 0.4.4.5 and after having
> some logs like those :
> ```
> Nov 02 05:30:55.000 [warn] Possible compression bomb; abandoning stream.
> Nov 02 05:30:55.000 [warn] Possible zlib bomb; abandoning stream.
> Nov 02 05:30:56.000 [warn] Possible compression bomb; abandoning stream.
> Nov 02 05:31:00.000 [warn] Possible compression bomb; abandoning stream.
> Nov 02 05:31:00.000 [warn] Possible compression bomb; abandoning stream.
> Nov 02 05:31:00.000 [warn] Possible compression bomb; abandoning stream.
> Nov 02 05:31:55.000 [warn] Possible compression bomb; abandoning stream.
> Nov 02 05:31:56.000 [warn] Possible compression bomb; abandoning stream.
> ```
>
> I'm wondering if this is an attack or a new feature (haven't checked
> yet) but I'd like to know how many users are impacted.
>
> The interesting information is:
> * Number of warnings
> * What kind of relay it is (middle, exit, entry)
>
> After your answers, I'll complete the issue I have opened on the bug
> tracker.
>
>
> Cheers,
>
>


Re: [tor-relays] Log warning : possible (zlib) compression bomb on middle relays

2020-11-02 Thread Chris Dagdigian

Same on my US exit relay:

Nov 02 04:03:50.000 [warn] Possible zlib bomb; abandoning stream.
Nov 02 04:03:50.000 [warn] Possible zlib bomb; abandoning stream.





Christoph Graf 
November 2, 2020 at 11:59 AM

Same here on my bridge:

Nov  2 06:21:04 raspipfupf Tor[2556]: Possible zlib bomb; abandoning stream.
Nov  2 06:21:04 raspipfupf Tor[2556]: Possible zlib bomb; abandoning stream.


Time is UTC+1, nothing before and after

Cheers, Christoph

On 02.11.20 11:05, Guinness wrote:


Guinness 
November 2, 2020 at 5:05 AM
Hi all,

We are at least 3 users running middle relays from 0.4.4.5 and after having
some logs like those :
```
Nov 02 05:30:55.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:30:55.000 [warn] Possible zlib bomb; abandoning stream.
Nov 02 05:30:56.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:31:00.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:31:00.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:31:00.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:31:55.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:31:56.000 [warn] Possible compression bomb; abandoning stream.
```

I'm wondering if this is an attack or a new feature (haven't checked
yet) but I'd like to know how many users are impacted.

The interesting information is:
* Number of warnings
* What kind of relay it is (middle, exit, entry)

After your answers, I'll complete the issue I have opened on the bug
tracker.


Cheers,




Re: [tor-relays] Log warning : possible (zlib) compression bomb on middle relays

2020-11-02 Thread Christoph Graf

Same here on my bridge:

Nov  2 06:21:04 raspipfupf Tor[2556]: Possible zlib bomb; abandoning stream.
Nov  2 06:21:04 raspipfupf Tor[2556]: Possible zlib bomb; abandoning stream.

Time is UTC+1, nothing before and after

Cheers, Christoph

On 02.11.20 11:05, Guinness wrote:

Hi all,

We are at least 3 users running middle relays from 0.4.4.5 and after having
some logs like those :
```
Nov 02 05:30:55.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:30:55.000 [warn] Possible zlib bomb; abandoning stream.
Nov 02 05:30:56.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:31:00.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:31:00.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:31:00.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:31:55.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:31:56.000 [warn] Possible compression bomb; abandoning stream.
```

I'm wondering if this is an attack or a new feature (haven't checked
yet) but I'd like to know how many users are impacted.

The interesting information is:
  * Number of warnings
  * What kind of relay it is (middle, exit, entry)

After your answers, I'll complete the issue I have opened on the bug
tracker.


Cheers,



Re: [tor-relays] 253 new exits - up and down

2020-11-02 Thread mpan
> It's even public! See:
> https://lists.torproject.org/pipermail/tor-consensus-health/2020-November/011602.html
> 
> Those nodes triggered an alarm on our side for being a potential sybil
> attack. So, we kicked them out.
  Isn’t there a time correlation with the “Possible compression bomb;
abandoning stream.” warnings operators are reporting today:
?
Perhaps related?





Re: [tor-relays] Log warning : possible (zlib) compression bomb on middle relays

2020-11-02 Thread trooned
I see the same warnings on my bridge (uptime since last restart about 3 days) 
as well.

Nov 02 04:52:10.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 04:52:10.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 04:52:10.000 [warn] Possible zlib bomb; abandoning stream.
Nov 02 04:53:10.000 [warn] Possible zlib bomb; abandoning stream.
Nov 02 04:53:10.000 [warn] Possible zlib bomb; abandoning stream.
Nov 02 04:54:10.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 04:54:10.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 04:55:10.000 [warn] Possible compression bomb; abandoning stream.

Regards,
TrooNed


[tor-relays] 253 new exits - up and down

2020-11-02 Thread Corl3ss
Hi,

today 253 new exit nodes joined the network :
https://onionoo.torproject.org/summary?search=apokaliz

It was active for 12 hours and then down.
It is odd enough to report it here.

If you have any information about it, it will be a pleasure to read it.

Corl3ss


Re: [tor-relays] Log warning : possible (zlib) compression bomb on middle relays

2020-11-02 Thread mpan
  A similar observation on a middle+guard (times in UTC). Nothing since
then, no other issues observed:
--
Nov 02 04:11:12: Possible compression bomb; abandoning stream.
Nov 02 04:12:09: Possible zlib bomb; abandoning stream.
Nov 02 04:12:10: Possible compression bomb; abandoning stream.
Nov 02 04:12:10: Possible compression bomb; abandoning stream.
Nov 02 04:12:18: Possible compression bomb; abandoning stream.
Nov 02 04:13:09: Possible compression bomb; abandoning stream.
Nov 02 04:13:10: Possible compression bomb; abandoning stream.
--






Re: [tor-relays] Log warning : possible (zlib) compression bomb on middle relays

2020-11-02 Thread mick
On Mon, 2 Nov 2020 11:05:43 +0100
Guinness allegedly wrote:

> I'm wondering if this is an attack or a new feature (haven't checked
> yet) but I'd like to know how many users are impacted.
> 
> The interesting information is:
>  * Number of warnings
>  * What kind of relay it is (middle, exit, entry)
> 
> After your answers, I'll complete the issue I have opened on the bug
> tracker.

Hi Guinness

I have the following two entries in the log for my guard relay at
https://metrics.torproject.org/rs.html#details/AE4FAE2EB5DC5D078458F0FCBF2B37F5D73F0868

Nov 02 04:30:00.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 04:30:01.000 [warn] Possible compression bomb; abandoning stream.

Time is GMT.

Cheers

Mick

-
 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 https://baldric.net/about-trivia
-



Re: [tor-relays] Log warning : possible (zlib) compression bomb on middle relays

2020-11-02 Thread Sven Schmeling

Hello,

same here on my middle relay running 0.4.4.5:

...
Nov 02 05:20:48.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:20:48.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:20:48.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:21:49.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:21:49.000 [warn] Possible zlib bomb; abandoning stream.
Nov 02 05:22:48.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:22:49.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:22:49.000 [warn] Possible zlib bomb; abandoning stream.
Nov 02 05:23:49.000 [warn] Possible zlib bomb; abandoning stream.
Nov 02 05:23:49.000 [warn] Possible zlib bomb; abandoning stream.
Nov 02 05:23:49.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:23:49.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:23:49.000 [warn] Possible compression bomb; abandoning stream.


Regards

On 02.11.20 at 11:05, Guinness wrote:

Hi all,

We are at least 3 users running middle relays from 0.4.4.5 and after having
some logs like those :
```
Nov 02 05:30:55.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:30:55.000 [warn] Possible zlib bomb; abandoning stream.
Nov 02 05:30:56.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:31:00.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:31:00.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:31:00.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:31:55.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:31:56.000 [warn] Possible compression bomb; abandoning stream.
```

I'm wondering if this is an attack or a new feature (haven't checked
yet) but I'd like to know how many users are impacted.

The interesting information is:
  * Number of warnings
  * What kind of relay it is (middle, exit, entry)

After your answers, I'll complete the issue I have opened on the bug
tracker.


Cheers,




Re: [tor-relays] Log warning : possible (zlib) compression bomb on middle relays

2020-11-02 Thread Valters Jansons
Hi Guinness,

On Mon, Nov 2, 2020 at 12:31 PM Guinness wrote:
> I'm wondering if this is an attack or a new feature (haven't checked
> yet) but I'd like to know how many users are impacted.
>
> The interesting information is:
>  * Number of warnings
>  * What kind of relay it is (middle, exit, entry)

Small middle relay here, 7 warnings roughly an hour earlier than your
timestamps (after 04:30) on November 2.
Nothing since then, nothing apparently after that.


[tor-relays] Log warning : possible (zlib) compression bomb on middle relays

2020-11-02 Thread Guinness
Hi all,

We are at least 3 users running middle relays from 0.4.4.5 and after having
some logs like those :
```
Nov 02 05:30:55.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:30:55.000 [warn] Possible zlib bomb; abandoning stream.
Nov 02 05:30:56.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:31:00.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:31:00.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:31:00.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:31:55.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:31:56.000 [warn] Possible compression bomb; abandoning stream.
```

I'm wondering if this is an attack or a new feature (haven't checked
yet) but I'd like to know how many users are impacted.

The interesting information is:
 * Number of warnings
 * What kind of relay it is (middle, exit, entry)

After your answers, I'll complete the issue I have opened on the bug
tracker.


Cheers,
-- 
Guinness
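
Added example, not part of any post in this thread: a small Python counter for the "number of warnings" figure requested above, covering the three line formats operators pasted (Tor's own log, syslog with host and PID, and syslog's "message repeated N times" collapse). The sample lines are constructed, and the function name `count_bomb_warnings` is hypothetical.

```python
import re
from collections import Counter

# Constructed sample mixing the three line formats quoted in this thread.
SAMPLE = """\
Nov 02 05:29:24.000 [warn] Possible compression bomb; abandoning stream.
Nov  2 06:21:04 raspipfupf Tor[2556]: Possible zlib bomb; abandoning stream.
Nov  2 05:15:22 : Possible compression bomb; abandoning stream.
Nov  2 05:15:23 : message repeated 2 times: [ Possible compression bomb; abandoning stream.]
Nov 02 05:30:00.000 [notice] Heartbeat: Tor's uptime is 3 days.
Nov 02 05:31:56.000 [warn] Possible zlib bomb; abandoning stream.
"""

# Timestamp prefix shared by Tor's log and syslog: "Nov 02 05:29:24.000" / "Nov  2 06:21:04".
LINE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<hm>\d{2}:\d{2}):\d{2}(?:\.\d+)?\s+(?P<rest>.*)$"
)
# syslog collapses identical consecutive messages into one "repeated N times" line.
REPEAT = re.compile(r"message repeated (?P<n>\d+) times: \[\s*(?P<msg>.*?)\s*\]\s*$")
BOMB = re.compile(r"Possible (?P<kind>compression|zlib) bomb; abandoning stream\.")


def count_bomb_warnings(text):
    """Return total, per-kind and per-minute counts of bomb warnings in log text."""
    by_kind = Counter()
    by_minute = Counter()
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        rest, n = m["rest"], 1
        rep = REPEAT.search(rest)
        if rep:
            # N further occurrences, on top of the line already logged before it.
            rest, n = rep["msg"], int(rep["n"])
        hit = BOMB.search(rest)
        if not hit:
            continue  # unrelated log line (heartbeat, bootstrap, ...)
        by_kind[hit["kind"]] += n
        # Normalise "Nov  2" and "Nov 02" to the same minute bucket.
        by_minute[f'{m["mon"]} {int(m["day"]):02d} {m["hm"]}'] += n
    return {
        "total": sum(by_kind.values()),
        "by_kind": dict(by_kind),
        "by_minute": dict(by_minute),
    }


if __name__ == "__main__":
    print(count_bomb_warnings(SAMPLE))
```

The per-minute buckets use the log's local time as written, so counts from relays in different time zones need converting to UTC before they are compared.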

