Re: [tor-relays] anyone else with this issue?

2020-08-31 Thread The Doctor [412/724/301/703/415/510]

‐‐‐ Original Message ‐‐‐
On Tuesday, August 25, 2020 2:47 PM, niftybunny wrote:

> I got 47 Abuse-Emails while being DDOSed today. That's in my normal range.
> Normally when there is a bigger botnet scanning port 22 etc. I will get over
> 1000+ abuse mails a day. Could be they are scanning ranges that don't produce
> abuse mails or they do something otherwise fishy. No clue right now. With over
> 1 million extra sockets alone on my servers I am sure he/she/it has some
> beefy hardware.

I think I'm getting hit, too.  I can't SSH into Parker anymore, even after a 
hard reboot.  I can still communicate with Systembot normally, though.  He 
might be out of available network sockets for sshd to respond to connection 
attempts.  I'm considering blowing away the node and building a new one.

I seem to recall something about an attacker DDoSing individual Tor nodes to 
help isolate where a given hidden service is running.  Could this be a 
manifestation of that attack?


The Doctor [412/724/301/703/415/510]
WWW: https://drwho.virtadpt.net/
The old world is dying, and the new world struggles to be born. Now is the time 
of monsters.

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] anyone else with this issue?

2020-08-26 Thread Graeme Neilson
Also banks and financial institutions in New Zealand are being targeted.

On Wed, 26 Aug 2020 at 20:32, Amadeus Ramazotti <cryptoquantumham...@gmail.com> wrote:

>
> As far as I know many darknet markets are being targeted with massive DDoS
> attacks. For example Empire (biggest market as of recently) went down on
> August 22.
>
> Not sure if those issues are connected since the DN market DDoS
> racketeering is more or less a permanent feature.
>
> greets
>
>
>
> On Aug 25, 2020, at 8:43 PM, niftybunny <abuse-cont...@to-surf-and-protect.net> wrote:
>
> Daily DDOS love the last 14 days …
>
> https://imgur.com/a/rfu0OUA 
>
> even for my standards, that's a shit-ton of sockets … Tor DDOS protection
> is configured but I get more connections than I can drop …
>
> nifty
>


Re: [tor-relays] anyone else with this issue?

2020-08-26 Thread Amadeus Ramazotti

As far as I know many darknet markets are being targeted with massive DDoS 
attacks. For example Empire (biggest market as of recently) went down on August 
22.

Not sure if those issues are connected since the DN market DDoS racketeering is 
more or less a permanent feature.

greets



> On Aug 25, 2020, at 8:43 PM, niftybunny wrote:
> 
> Daily DDOS love the last 14 days …
> 
> https://imgur.com/a/rfu0OUA
> 
> even for my standards, that's a shit-ton of sockets … Tor DDOS protection is 
> configured but I get more connections than I can drop …
> 
> nifty
> 


Re: [tor-relays] anyone else with this issue?

2020-08-25 Thread niftybunny
I got 47 Abuse-Emails while being DDOSed today. That's in my normal range. 
Normally when there is a bigger botnet scanning port 22 etc. I will get over 
1000+ abuse mails a day. Could be they are scanning ranges that don't produce 
abuse mails or they do something otherwise fishy. No clue right now. With over 
1 million extra sockets alone on my servers I am sure he/she/it has some beefy 
hardware.

nifty



> On 25. Aug 2020, at 21:52, Toralf Förster wrote:
> 
> On 8/25/20 9:20 PM, Roger Dingledine wrote:
>> Also, if more people than just Nifty and John are seeing them.
> I got an abuse record from Hetzner for my relay (no Exit flag, but 2 dozen 
> ports opened) at 8/18/20, 4:31 PM +0200 with a content like:
> 
> Direction OUT
> Internal 5.9.158.75
> Threshold Packets  packets/s
> Sum 108.286.000 packets/300s (360.953 packets/s), 53.442 flows/300s (178 
> flows/s), 4,120 GByte/300s (112 MBit/s)
> ...
> 
> I had to temporarily completely switch off "ExitRelay 1" to "ExitRelay 0" to 
> avoid a server block by the hoster.
> 
> The next day I re-opened one half of the exit ports (only DNS, Jabber and 
> IRC, no Bitcoin et al.) and did not experience any further abuse reports since 
> then.
> 
> --
> Toralf


Re: [tor-relays] anyone else with this issue?

2020-08-25 Thread Toralf Förster
On 8/25/20 9:20 PM, Roger Dingledine wrote:
> Also, if more people than just Nifty and John are seeing them.
I got an abuse record from Hetzner for my relay (no Exit flag, but 2 dozen 
ports opened) at 8/18/20, 4:31 PM +0200 with a content like:

Direction OUT
Internal 5.9.158.75
Threshold Packets  packets/s
Sum 108.286.000 packets/300s (360.953 packets/s), 53.442 flows/300s (178 
flows/s), 4,120 GByte/300s (112 MBit/s)
...

I had to temporarily completely switch off "ExitRelay 1" to "ExitRelay 0" to avoid 
a server block by the hoster.

The next day I re-opened one half of the exit ports (only DNS, Jabber and 
IRC, no Bitcoin et al.) and did not experience any further abuse reports since 
then.

--
Toralf


Re: [tor-relays] anyone else with this issue?

2020-08-25 Thread niftybunny
No clue what they are doing, but they max out the Exits with 100% CPU load and 
do not transport a lot of traffic:

https://imgur.com/a/NzpE69B 

Around 16-21 there should be more traffic and this was DDOS time.

I am 100% sure it's not bogus traffic just sent to my IPs to max out my uplinks, 
because:

https://www.peeringdb.com/net/22652 

you need at least 120 gigabit to kill my uplinks.

I love dull, I love dull so much. I want to marry dull.

nifty



> On 25. Aug 2020, at 21:20, Roger Dingledine wrote:
> 
> On Tue, Aug 25, 2020 at 06:49:01PM +, John Ricketts wrote:
>> I as well.
>> 
>> On Aug 25, 2020, at 13:45, niftybunny wrote:
>> 
>> Daily DDOS love the last 14 days ...
> 
> Hi! Can you provide more details? From Nifty's picture it looks like
> they are full TCP connections? Do you have a sense of what they do
> when they connect?
> 
> And that would mean that they *aren't* packet-level ddoses, i.e. the
> "I fill up your network connection with packets so no other packets can
> get through" kind?
> 
> One of the strange things about working with things at the scale of the
> Tor network is that sometimes the combined behavior of many Tor processes
> can look like a DDoS. For example, maybe all of these connections come
> from out-of-date Tors that are now behaving bizarrely since the network
> now doesn't work the way their old logic expects.
> 
> We've also seen what looks like DDoS attempts on the directory
> authorities, but on closer examination they are some alternative Tor
> implementation that is running on many thousands of computers and is
> fetching Tor consensus documents in a way that isn't sustainable:
> https://gitlab.torproject.org/tpo/core/tor/-/issues/33018
> 
> There are also apparently some overloading attacks happening on some
> popular onion services currently, and I wonder if those are bleeding
> over into looking like many connections. Or, as we saw a few years ago
> when we added the "ddos defense subsystem" in Tor, the attacks didn't
> actually add much load, but it was when the onion services tried to scale
> up to tens of thousands of Tors, to be able to respond to every incoming
> rendezvous attempt, that those tens of thousands of Tors together looked
> like an attack on the network.
> 
> So: the next step would be to try to learn more about what these
> connections look like, where they're coming from, what they're doing, etc.
> 
> Also, if more people than just Nifty and John are seeing them.
> 
> Never a dull moment,
> --Roger
> 


Re: [tor-relays] anyone else with this issue?

2020-08-25 Thread niftybunny
Okay, I am not alone. ♥️

Grab yourself a club sandwich and a Dr Pepper while we are waiting for the DDOS 
to end.

nifty



> On 25. Aug 2020, at 20:49, John Ricketts wrote:
> 
> I as well.
> 
>> On Aug 25, 2020, at 13:45, niftybunny wrote:
>> 
>> Daily DDOS love the last 14 days …
>> 
>> https://imgur.com/a/rfu0OUA 
>> 
>> even for my standards, that's a shit-ton of sockets … Tor DDOS protection is 
>> configured but I get more connections than I can drop …
>> 
>> nifty
>> 


Re: [tor-relays] anyone else with this issue?

2020-08-25 Thread Roger Dingledine
On Tue, Aug 25, 2020 at 06:49:01PM +, John Ricketts wrote:
> I as well.
> 
> On Aug 25, 2020, at 13:45, niftybunny wrote:
> 
> Daily DDOS love the last 14 days ...

Hi! Can you provide more details? From Nifty's picture it looks like
they are full TCP connections? Do you have a sense of what they do
when they connect?

And that would mean that they *aren't* packet-level ddoses, i.e. the
"I fill up your network connection with packets so no other packets can
get through" kind?

One of the strange things about working with things at the scale of the
Tor network is that sometimes the combined behavior of many Tor processes
can look like a DDoS. For example, maybe all of these connections come
from out-of-date Tors that are now behaving bizarrely since the network
now doesn't work the way their old logic expects.

We've also seen what looks like DDoS attempts on the directory
authorities, but on closer examination they are some alternative Tor
implementation that is running on many thousands of computers and is
fetching Tor consensus documents in a way that isn't sustainable:
https://gitlab.torproject.org/tpo/core/tor/-/issues/33018

There are also apparently some overloading attacks happening on some
popular onion services currently, and I wonder if those are bleeding
over into looking like many connections. Or, as we saw a few years ago
when we added the "ddos defense subsystem" in Tor, the attacks didn't
actually add much load, but it was when the onion services tried to scale
up to tens of thousands of Tors, to be able to respond to every incoming
rendezvous attempt, that those tens of thousands of Tors together looked
like an attack on the network.

So: the next step would be to try to learn more about what these
connections look like, where they're coming from, what they're doing, etc.

Also, if more people than just Nifty and John are seeing them.

Never a dull moment,
--Roger

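As an added example for the "learn more about what these connections look like" step Roger suggests (this is not code from the thread, nor Tor's own tooling): a small Python helper that summarises an `ss -tan` socket dump for one local port, counting TCP states and the busiest peer /24 prefixes, so an operator can tell a pile of fully established connections from a half-open SYN flood. The ORPort 9001, the sample socket lines and the `ss` column layout are assumptions.

```python
"""Triage helper for a relay operator: summarise a socket-table dump.

Added example, not from the tor-relays thread or from Tor. Input lines
follow the `ss -tan` column order: State Recv-Q Send-Q Local Peer.
Many ESTAB sockets point at full TCP connections; many SYN-RECV sockets
point at a packet-level SYN flood instead.
"""
from collections import Counter
from ipaddress import ip_network

# Constructed sample output (assumed ORPort 9001; the :22 line is noise).
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB      0      0      203.0.113.10:9001    198.51.100.7:41022
ESTAB      0      0      203.0.113.10:9001    198.51.100.9:51233
ESTAB      0      0      203.0.113.10:9001    198.51.100.12:40011
SYN-RECV   0      0      203.0.113.10:9001    192.0.2.55:60001
ESTAB      0      0      203.0.113.10:9001    192.0.2.56:60002
ESTAB      0      0      203.0.113.10:22      192.0.2.200:33333
"""


def parse_ss(text, local_port):
    """Yield (state, peer_ip) for every socket bound to local_port."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":  # skip header / junk
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        if local.rsplit(":", 1)[1] != str(local_port):
            continue
        # rsplit keeps IPv6 literals intact; strip their brackets.
        yield state, peer.rsplit(":", 1)[0].strip("[]")


def summarise(text, local_port=9001, prefix_len=24, top=3):
    """Count sockets per TCP state and per peer prefix (IPv4 /24 by default)."""
    states, prefixes = Counter(), Counter()
    for state, peer_ip in parse_ss(text, local_port):
        states[state] += 1
        net = ip_network(f"{peer_ip}/{prefix_len}", strict=False)
        prefixes[str(net)] += 1
    return {"states": dict(states), "top_prefixes": prefixes.most_common(top)}


if __name__ == "__main__":
    print(summarise(SAMPLE_SS_OUTPUT))
```

On a live relay the same function can be fed `subprocess.run(["ss", "-tan"], capture_output=True, text=True).stdout`; a prefix that dominates the ESTAB count is what an abuse report or an ACL would need to name.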


Re: [tor-relays] anyone else with this issue?

2020-08-25 Thread John Ricketts
I as well.

On Aug 25, 2020, at 13:45, niftybunny wrote:

Daily DDOS love the last 14 days ...

https://imgur.com/a/rfu0OUA

even for my standards, that's a shit-ton of sockets ... Tor DDOS protection is 
configured but I get more connections than I can drop ...

nifty




[tor-relays] anyone else with this issue?

2020-08-25 Thread niftybunny
Daily DDOS love the last 14 days …

https://imgur.com/a/rfu0OUA 

even for my standards, that's a shit-ton of sockets … Tor DDOS protection is 
configured but I get more connections than I can drop …

nifty



