Re: [tor-relays] DDOS alerts from my provider

2024-07-14 Thread Toralf Förster via tor-relays

On 7/12/24 00:14, boldsuck wrote:

> The idea is not bad. But can you simply discard every ≤ 50byte packet?

Probably not

> I drop fragments and uncommon TCP MSS values.
> ip frag-off & 0x1fff != 0 counter drop

IIUC then using conntrack via iptables means that this filter cannot be
implemented, right?

> tcp flags syn tcp option maxseg size 1-536 counter drop

Is 536 == 514 + 22 (Tor packet size + ip header) ? It is my
understanding that Tor sends out small TCP/IP packets besides the 514
byte sized ones.

--
Toralf

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] DDOS alerts from my provider

2024-07-12 Thread boldsuck
On Friday, 12 July 2024 10:12:09 CEST Toralf Förster via tor-relays wrote:

> I prefer sysctl:

Me too, but sysctl needs root privileges.
On new systems I always generate an overview of all active settings:
sysctl -a > /home/user/sysctl.txt

And especially with used servers, before I start setting them up, save the 
output of skdump or smartctl.

-- 
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!



Re: [tor-relays] DDOS alerts from my provider

2024-07-12 Thread Toralf Förster via tor-relays

On 7/11/24 22:51, boldsuck wrote:

> cat /proc/sys/net/ipv4/tcp_syncookies
> cat /proc/sys/net/ipv4/tcp_timestamps


I prefer sysctl:

$ sysctl net.ipv4.tcp_syncookies
net.ipv4.tcp_syncookies = 1

$ sysctl net.ipv4.tcp_timestamps
net.ipv4.tcp_timestamps = 1

--
Toralf



Re: [tor-relays] DDOS alerts from my provider

2024-07-11 Thread boldsuck
On Wednesday, 10 July 2024 18:34:26 CEST Toralf Förster via tor-relays wrote:

> > https://www.petsymposium.org/foci/2024/foci-2024-0014.php
Very interesting, thanks.

> After reading that paper I do wonder if a firewall rule would work which
> drops network packets with destination to the ORport if those packets
> are shorter than a given length?

The idea is not bad. But can you simply discard every ≤ 50byte packet?

I drop fragments and uncommon TCP MSS values.
ip frag-off & 0x1fff != 0 counter drop
tcp flags syn tcp option maxseg size 1-536 counter drop


By the way, I actually wanted to write it as a Github issue.
You have to adjust your Dir-auth IP's in iptables.
IP of dizum has changed and faravahar is back ;-)

-- 
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!



Re: [tor-relays] DDOS alerts from my provider

2024-07-11 Thread boldsuck
On Thursday, 11 July 2024 09:38:34 CEST Scott Bennett via tor-relays wrote:

> My understanding is that LINUX systems do not have pf, but rather have
> a less flexible filter called iptables.  Whether iptables or any other
> packet filter that may be available on LINUX systems has synproxy or a
> similar feature I do not know

Not as nice as in *BSD's pf but a bit easier in nftables than in iptables.
Can be activated in prerouting:
https://wiki.nftables.org/wiki-nftables/index.php/Synproxy

tcp syncookies & timestamps have been enabled by default for years,
you can check it:
cat /proc/sys/net/ipv4/tcp_syncookies
cat /proc/sys/net/ipv4/tcp_timestamps

In general, you should be careful with sysctl kernel parameters. If you do 
change them, only change individual settings and read and understand what they 
mean. If so, it is always good to look specifically for your network driver and 
DoS. With a 1G network connection, there is little to improve. In the 
cloudflare blog you will find a lot of in-depth expert knowledge about DoS.

-- 
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!



Re: [tor-relays] DDOS alerts from my provider

2024-07-11 Thread Scott Bennett via tor-relays
"Rafo (r4fo.com) via tor-relays" wrote:

> More specifically, I’m running a middle relay on Debian 12
>
> On Tue, 09 Jul 2024 13:46:51 +0200 li...@for-privacy.net wrote:
> > On Monday, 8 July 2024 19:34:51 CEST Rafo (r4fo.com) via tor-relays wrote:
> > > But this week I’ve received 2 DDoS alerts from my provider (Netcup), both
> > > are ~3 gigabits. They seem to be coming from other Tor relays. I’m running
> > > an Invidious like instance on my server (which uses around 600 megabits)
> > > but I have a 2.5 gigabit port. So I configured my Tor relay to use 300-400
> > > megabits. I’m not sure where that 3 gigabit of data comes from. I have
> > > lowered my advertised bandwidth to 100 megabits, would that be enough to
> > > prevent these kind of issues?
> > > Kind regards, Rafo
> >
> > Reducing the advertised bandwidth does not help. ;-) In general, one tor
> > instance will rarely reach 100 megabits. There is little you can do on the
> > server against targeted DDoS. But you can stop IPs with a lot of connections
> > to your tor daemon using dynamic exit police¹ or dyn. IP/nftable rules².
> > For targeted help, you should specify the type of relay you have and your OS.
> >
> > https://gitlab.torproject.org/tpo/community/support/-/issues/40093
> > ¹https://github.com/artikel10/surgeprotector
> > ²https://forum.torproject.org/t/is-tor-network-resistant-to-tcp-syn-flood-dos-attacks-from-outside-of-tor/12690/4
> >
> > --
> > ╰_╯ Ciao Marco!
> > Debian GNU/Linux
> > It's free software and it gives you freedom!
 Depending upon the features of the packet filter(s) available to you on
your operating system, there may be one or more options that can help defend
your relay.  For example, all of the main FOSS *BSD systems today have some
version of the pf packet filter subsystem available as well as others.  One
option available in pf for TCP is synproxy.  This excerpt from the pf.conf(5)
man page in FreeBSD tells how it works.

   ---
SYN PROXY

 By default, pf(4) passes packets that are part of a tcp(4) handshake
 between the endpoints.  The synproxy state option can be used to cause
 pf(4) itself to complete the handshake with the active endpoint, perform
 a handshake with the passive endpoint, and then forward packets between
 the endpoints.

 No packets are sent to the passive endpoint before the active endpoint
 has completed the handshake, hence so-called SYN floods with spoofed
 source addresses will not reach the passive endpoint, as the sender can't
 complete the handshake.

 The proxy is transparent to both endpoints, they each see a single
 connection from/to the other endpoint.  pf(4) chooses random initial
 sequence numbers for both handshakes.  Once the handshakes are completed,
 the sequence number modulators (see previous section) are used to
 translate further packets of the connection.  synproxy state includes
 modulate state.

 Rules with synproxy will not work if pf(4) operates on a bridge(4).

 Example:

   pass in proto tcp from any to any port www synproxy state

   ---

 My understanding is that LINUX systems do not have pf, but rather have a
less flexible filter called iptables.  Whether iptables or any other packet
filter that may be available on LINUX systems has synproxy or a similar feature
I do not know, but I'm posting this to make novice *BSD users who run tor
relays aware of it.  IMHO, synproxy or its equivalents in other filters (if
they exist) should always be applied to filter rules for at least the ports
that tor listens on and are exposed to the outside world (e.g., ORPort and
DirPort).
 Of course, although synproxy helps defend a tor relay (or a web server or
data base or whatever), it doesn't stop what arrives at your ISP from outside.


  Scott Bennett, Comm. ASMELG, CFIAG
**
* Internet:   bennett at sdf.org   *xor*   bennett at freeshell.org  *
**
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."   *
*-- Gov. John Hancock, New York Journal, 28 January 1790 *
**
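The ruleset below is an added example; it is not from any post in this thread nor from the torutils, tor-ddos or tor-relay-bootstrap repositories linked above. It puts Marco's two prerouting drop rules (non-first fragments, SYNs with a tiny MSS) together with the nftables synproxy he links to, which is the Linux counterpart of the pf `synproxy state` rule Scott quotes: the kernel completes the three-way handshake with the client and opens the connection to tor only afterwards, so spoofed-source SYN floods never reach the daemon. The ORPort/DirPort numbers (9001/9030) and the SSH allow-list subnet (192.0.2.0/24, TEST-NET-1) are placeholders to replace with your own values. On the 536 in the MSS rule: that value is the IPv4 default MSS (the 576-byte minimum datagram minus 40 bytes of IP and TCP headers), so a SYN advertising less than that is unusual regardless of Tor's 514-byte cells.

```nftables
#!/usr/sbin/nft -f
# Added example, not taken from any post or repository in this thread.
# Assumed ports: ORPort 9001 and DirPort 9030 (adjust to your torrc).
# The SSH allow-list uses 192.0.2.0/24 (TEST-NET-1) as a placeholder.
# synproxy relies on net.ipv4.tcp_syncookies=1 and net.ipv4.tcp_timestamps=1,
# which is what the sysctl checks earlier in the thread verify.

flush ruleset

define ORPORT  = 9001
define DIRPORT = 9030

table inet tor_ddos {
    # Replace with the subnets you actually connect from before loading this
    # file; otherwise the SSH rule below locks you out.
    set ssh_allow {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24 }
    }

    chain prerouting {
        type filter hook prerouting priority raw; policy accept;

        # Marco's first rule: drop every non-first IPv4 fragment.
        ip frag-off & 0x1fff != 0 counter drop

        # Marco's second rule: drop SYNs advertising an MSS of 536 or less.
        # 536 is the IPv4 default MSS (576-byte minimum datagram minus 40
        # bytes of IP+TCP header), so a smaller value is unusual for a peer.
        tcp flags syn tcp option maxseg size 1-536 counter drop

        # Hand SYNs for the tor ports to synproxy without creating a
        # conntrack entry; the entry is created only once the handshake
        # completes (the nftables counterpart of pf's "synproxy state").
        tcp dport { $ORPORT, $DIRPORT } tcp flags syn notrack
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iif lo accept
        ct state established,related accept

        # Untracked SYNs and the cookie-carrying ACKs that follow them are
        # answered by the kernel; tor sees a packet only after the client
        # has proven it can complete the handshake.
        tcp dport { $ORPORT, $DIRPORT } ct state invalid,untracked synproxy mss 1460 wscale 7 timestamp sack-perm
        ct state invalid counter drop

        # Keep ICMP/ICMPv6 working (path MTU discovery, neighbour discovery).
        meta l4proto { icmp, ipv6-icmp } accept

        # SSH only from the allow-list; everything else falls to policy drop.
        tcp dport 22 ip saddr @ssh_allow accept
    }
}
```

Load it with `nft -f` and inspect with `nft list ruleset`; the `counter` keyword on the fragment and MSS rules lets you see whether they ever fire on your relay before deciding they are worth keeping. As Marco says, fix the SSH set first, and if you still run iptables with conntrack rather than nftables, the `notrack`/`synproxy` pair has no direct equivalent there.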

Re: [tor-relays] DDOS alerts from my provider

2024-07-10 Thread Toralf Förster via tor-relays

On 7/9/24 19:03, David Fifield wrote:

"A case study on DDoS attacks against Tor relays"
Tobias Höller, René Mairhofer
https://www.petsymposium.org/foci/2024/foci-2024-0014.php


After reading that paper I do wonder if a firewall rule would work which
drops network packets with destination to the ORport if those packets
are shorter than a given length?

--
Toralf





Re: [tor-relays] DDOS alerts from my provider

2024-07-09 Thread boldsuck
On Tuesday, 9 July 2024 14:04:49 CEST Rafo (r4fo.com) via tor-relays wrote:
> More specifically, I’m running a middle relay on Debian 12   

Here again the Github's of toralf & Enkidu from the above mentioned forum link. 
They have iptables:
https://github.com/toralf/torutils
https://github.com/Enkidu-6/tor-ddos

I just do it with nftables.
https://github.com/boldsuck/tor-relay-bootstrap/blob/nft/etc/nftables.conf_ddos

Be sure to adjust the SSH IP sets otherwise you will log out!
I have all Dyn-IP subnets from the providers from which I connect via SSH.
You can search for example on: https://bgp.tools/ or https://bgpview.io

Apart from SSH, only Tor is running and I don't have a 'table inet filter'.
If you need them, they are also on my Github.

-- 
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!



Re: [tor-relays] DDOS alerts from my provider

2024-07-09 Thread David Fifield
I haven't read it yet, but there's a short paper at FOCI this year
analyzing a case study of a DDoS attack on relays operated by the
authors.

"A case study on DDoS attacks against Tor relays"
Tobias Höller, René Mairhofer
https://www.petsymposium.org/foci/2024/foci-2024-0014.php

On Mon, Jul 08, 2024 at 07:34:51PM +0200, Rafo (r4fo.com) via tor-relays wrote:
> I have been running a relay for a few months now without any problems. But 
> this
> week I’ve received 2 DDoS alerts from my provider (Netcup), both are ~3
> gigabits. They seem to be coming from other Tor relays.
> I’m running an Invidious like instance on my server (which uses around 600
> megabits) but I have a 2.5 gigabit port. So I configured my Tor relay to use
> 300-400 megabits.
> I’m not sure where that 3 gigabit of data comes from.
> I have lowered my advertised bandwidth to 100 megabits, would that be enough 
> to
> prevent these kind of issues?


Re: [tor-relays] DDOS alerts from my provider

2024-07-09 Thread Rafo (r4fo.com) via tor-relays




More specifically, I’m running a middle relay on Debian 12

On Tue, 09 Jul 2024 13:46:51 +0200 li...@for-privacy.net wrote:
> On Monday, 8 July 2024 19:34:51 CEST Rafo (r4fo.com) via tor-relays wrote:
> > But this week I’ve received 2 DDoS alerts from my provider (Netcup), both
> > are ~3 gigabits. They seem to be coming from other Tor relays. I’m running
> > an Invidious like instance on my server (which uses around 600 megabits)
> > but I have a 2.5 gigabit port. So I configured my Tor relay to use 300-400
> > megabits. I’m not sure where that 3 gigabit of data comes from. I have
> > lowered my advertised bandwidth to 100 megabits, would that be enough to
> > prevent these kind of issues?
> > Kind regards, Rafo
>
> Reducing the advertised bandwidth does not help. ;-) In general, one tor
> instance will rarely reach 100 megabits. There is little you can do on the
> server against targeted DDoS. But you can stop IPs with a lot of connections
> to your tor daemon using dynamic exit police¹ or dyn. IP/nftable rules².
> For targeted help, you should specify the type of relay you have and your OS.
>
> https://gitlab.torproject.org/tpo/community/support/-/issues/40093
> ¹https://github.com/artikel10/surgeprotector
> ²https://forum.torproject.org/t/is-tor-network-resistant-to-tcp-syn-flood-dos-attacks-from-outside-of-tor/12690/4
>
> --
> ╰_╯ Ciao Marco!
> Debian GNU/Linux
> It's free software and it gives you freedom!








Re: [tor-relays] DDOS alerts from my provider

2024-07-09 Thread lists
On Monday, 8 July 2024 19:34:51 CEST Rafo (r4fo.com) via tor-relays wrote:
> But this week I’ve received 2 DDoS alerts from my provider
> (Netcup), both are ~3 gigabits. They seem to be coming from other Tor
> relays.I’m running an Invidious like instance on my server (which uses
> around 600 megabits) but I have a 2.5 gigabit port. So I configured my Tor
> relay to use 300-400 megabits.I’m not sure where that 3 gigabit of data
> comes from.I have lowered my advertised bandwidth to 100 megabits, would
> that be enough to prevent these kind of issues?Kind regards,Rafo

Reducing the advertised bandwidth does not help. ;-) In general, one tor 
instance will rarely reach 100 megabits.

There is little you can do on the server against targeted DDoS. But you can 
stop IPs with a lot of connections to your tor daemon using dynamic exit 
police¹ or dyn. IP/nftable rules². For targeted help, you should specify the 
type of relay you have and your OS.

https://gitlab.torproject.org/tpo/community/support/-/issues/40093

¹https://github.com/artikel10/surgeprotector

²https://forum.torproject.org/t/is-tor-network-resistant-to-tcp-syn-flood-dos-attacks-from-outside-of-tor/12690/4

-- 
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!



Re: [tor-relays] DDOS

2016-06-15 Thread Petrusko

  
  
Now trying the TCP plugin in Munin...
It looks useful to watch later/archive on a graph all TCP
connections.
Not 100% logging those attacks, but if those bad guys are using TCP
I think it will be shown here...
Here is an example on my relay, graph activated ~24h ago :

On 14/06/2016 at 14:59, Petrusko wrote:
> Hey,
>
> Little noob question inside :)
> If possible to learn quickly how to detect a DDOS attack ?
>
> I got Munin running behind, can it be useful with the "netstat" and
> "firewall throughput" plugins graphs to see it ?
> So if the server is attacked, I think it will show some big spikes in
> those graphs...?
>
> Thx ;)
>
> ps: I'll try to find some things about this subject, np!
>
> On 14/06/2016 07:03, Markus Koch wrote:
> > 4 of my 5 tor servers are under a incoming DDOS attack. Am I the only
> > one or is anyone else feeling the "love"?
> >
> > Markus

-- 
Petrusko
PubKey EBE23AE5
C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5



Re: [tor-relays] DDOS

2016-06-15 Thread NotRandom Someone
DDOS attack mostly everyday, ssh login attempts every hour...
What a fantastic love !!

The attackers are from ... China :-)
On 14 June 2016 14:31, "Toralf Förster" wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> On 06/14/2016 07:03 AM, Markus Koch wrote:
> > 4 of my 5 tor servers are under a incoming DDOS attack. Am I the only
> > one or is anyone else feeling the "love"?
> >
> attacks with about 100 MBit/sec over a minute or so happen here nearly
> daily, attacks > 500 MBit/sec over half an hour or so once a year.
>
> - --
> Toralf
> PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v2
>
> iF4EAREIAAYFAldf+QYACgkQxOrN3gB26U68+AD+Miew4zaXkkTwZW8gDifdpV7t
> SGza2oufZ73ZnqwFekcA/0hVIo0zGG91f9OsKxzjW7IOZHqRagI4d2aT9M43Bhlo
> =Xhwi
> -END PGP SIGNATURE-


Re: [tor-relays] DDOS

2016-06-14 Thread Petrusko
Thx all for those useful tools,
time to try some ;)

About the main subject, nothing about DDOS on my node...
(no mails, no spikes on my graphs)

Thx


On 14/06/2016 at 19:49, Steven Jones wrote:
> iftop might be better to see
>
> On Tue, Jun 14, 2016 at 8:59 AM, Petrusko wrote:
>
> Hey,
>
> Little noob question inside :)
> If possible to learn quickly how to detect a DDOS attack ?
>
> I got Munin running behind, can it be useful with the "netstat" and
> "firewall throughput" plugins graphs to see it ?
> So if the server is attacked, I think it will show some big spikes in
> those graphs...?
>
> Thx ;)
>
> ps: I'll try to find some things about this subject, np!
>
>
>
> On 14/06/2016 07:03, Markus Koch wrote:
> > 4 of my 5 tor servers are under a incoming DDOS attack. Am I the
> only
> > one or is anyone else feeling the "love"?
> >
> > Markus
>
> --
> Petrusko
> PubKey EBE23AE5
> C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5
>
>
>

-- 
Petrusko
PubKey EBE23AE5
C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5






Re: [tor-relays] DDOS

2016-06-14 Thread Steven Jones
iftop might be better to see

On Tue, Jun 14, 2016 at 8:59 AM, Petrusko  wrote:

> Hey,
>
> Little noob question inside :)
> If possible to learn quickly how to detect a DDOS attack ?
>
> I got Munin running behind, can it be useful with the "netstat" and
> "firewall throughput" plugins graphs to see it ?
> So if the server is attacked, I think it will show some big spikes in
> those graphs...?
>
> Thx ;)
>
> ps: I'll try to find some things about this subject, np!
>
>
>
> On 14/06/2016 07:03, Markus Koch wrote:
> > 4 of my 5 tor servers are under a incoming DDOS attack. Am I the only
> > one or is anyone else feeling the "love"?
> >
> > Markus
>
> --
> Petrusko
> PubKey EBE23AE5
> C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5
>
>
>


Re: [tor-relays] DDOS

2016-06-14 Thread Green Dream
I have relays on Digital Ocean as well, and occasionally get the same
emails. Notice the contradiction in the email:

"Once the attack subsides, networking will be automatically
reestablished to your droplet. The networking restriction is in place
for three hours and then removed."

Which one is it? Do you automatically reconnect my node when the attack
subsides, or do you just wait three hours? (It's always the latter.)

"Please note that we take this measure only as a last resort when other
filtering, routing, and network configuration changes have not been
effective in routing around the DDoS attack."

That seems to be disingenuous as well. They have never, ever done anything
other than shut of my node for 3 hours. Requests for more information about
the nature of the attack go unanswered.


Re: [tor-relays] DDOS

2016-06-14 Thread Roman Mamedov
On Tue, 14 Jun 2016 15:39:30 +0200
Markus Koch  wrote:

> Or you get e-mails ...

Getting these once every few days. However I'm almost certain the issue is just
a misdetection by them of some pattern from the regular operation of a Tor
relay (for example the large amount of open connections, possibly to unusual
ports) as a DDoS.


OVH 2 rue Kellermann 59100 Roubaix
Technical support:  08.99.49.87.65 (€1.349/call + €0.337/min)
Commercial support: 08.20.69.87.65 (€0.118/min)
Fax: 03.20.20.09.58
supp...@ovh.com

   
Dear Customer,

We have just detected an attack on IP address [...].

In order to protect your infrastructure, we vacuumed up your traffic onto our 
mitigation infrastructure.

The entire attack will thus be filtered by our infrastructure, and only 
legitimate traffic will reach your servers.


At the end of the attack, your infrastructure will be immediately withdrawn 
from the mitigation.

For more information on the OVH mitigation infrastructure: 
https://www.ovh.com/fr/anti-ddos/

Regards, 

Your OVH Customer Support  
Mon - Friday: 9am - 6pm
(020) 7357 6616 Local call rate.


-- 
With respect,
Roman




Re: [tor-relays] DDOS

2016-06-14 Thread Markus Koch
Or you get e-mails ...

---

Hi there,

Our system has automatically detected an inbound DDoS against your
droplet named niftyguineapig with the following IP Address:
178.62.71.57

As a precautionary measure, we have temporarily disabled network
traffic to your droplet to protect our network and other customers.
Once the attack subsides, networking will be automatically
reestablished to your droplet. The networking restriction is in place
for three hours and then removed.

Please note that we take this measure only as a last resort when other
filtering, routing, and network configuration changes have not been
effective in routing around the DDoS attack.

Please let us know if there are any questions, we're happy to help.

Thank you,
DigitalOcean Support

--

Still wondering why someone ddosed 80% of my TOR servers and nobody
else here got it too ...




2016-06-14 15:08 GMT+02:00 Toralf Förster :
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> On 06/14/2016 02:59 PM, Petrusko wrote:
>> So if the server is attacked, I think it will show some big spikes in
>> those graphs...?
>
> My ISP provides traffic data/graphs.
> And I do use sysstat[1] to monitor my server, which gives among other 
> statistics something like [2]
>
>
> [1] http://pagesperso-orange.fr/sebastien.godard/
> [2] https://www.zwiebeltoralf.de/torserver/ddos_sysstat_example.txt
>
> - --
> Toralf
> PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v2
>
> iF4EAREIAAYFAldgAbEACgkQxOrN3gB26U5n3AD/bPEsnbv9BWhHMY1AxRuh7qVW
> eixYqbSEoOppY9tDeLoBAI+JLiTnkIYcuAAHJuYGArnXbNqeQyzfOwrnR1ROWlMO
> =P5H8
> -END PGP SIGNATURE-


Re: [tor-relays] DDOS

2016-06-14 Thread Toralf Förster
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 06/14/2016 02:59 PM, Petrusko wrote:
> So if the server is attacked, I think it will show some big spikes in
> those graphs...?

My ISP provides traffic data/graphs.
And I do use sysstat[1] to monitor my server, which gives among other 
statistics something like [2]


[1] http://pagesperso-orange.fr/sebastien.godard/
[2] https://www.zwiebeltoralf.de/torserver/ddos_sysstat_example.txt

- -- 
Toralf
PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iF4EAREIAAYFAldgAbEACgkQxOrN3gB26U5n3AD/bPEsnbv9BWhHMY1AxRuh7qVW
eixYqbSEoOppY9tDeLoBAI+JLiTnkIYcuAAHJuYGArnXbNqeQyzfOwrnR1ROWlMO
=P5H8
-END PGP SIGNATURE-


Re: [tor-relays] DDOS

2016-06-14 Thread Petrusko
Hey,

Little noob question inside :)
If possible to learn quickly how to detect a DDOS attack ?

I got Munin running behind, can it be useful with the "netstat" and
"firewall throughput" plugins graphs to see it ?
So if the server is attacked, I think it will show some big spikes in
those graphs...?

Thx ;)

ps: I'll try to find some things about this subject, np!



On 14/06/2016 07:03, Markus Koch wrote:
> 4 of my 5 tor servers are under a incoming DDOS attack. Am I the only
> one or is anyone else feeling the "love"?
>
> Markus

-- 
Petrusko
PubKey EBE23AE5
C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5






Re: [tor-relays] DDOS

2016-06-14 Thread Toralf Förster
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 06/14/2016 07:03 AM, Markus Koch wrote:
> 4 of my 5 tor servers are under a incoming DDOS attack. Am I the only
> one or is anyone else feeling the "love"?
> 
attacks with about 100 MBit/sec over a minute or so happen here nearly daily, 
attacks > 500 MBit/sec over half an hour or so once a year.

- -- 
Toralf
PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iF4EAREIAAYFAldf+QYACgkQxOrN3gB26U68+AD+Miew4zaXkkTwZW8gDifdpV7t
SGza2oufZ73ZnqwFekcA/0hVIo0zGG91f9OsKxzjW7IOZHqRagI4d2aT9M43Bhlo
=Xhwi
-END PGP SIGNATURE-


Re: [tor-relays] DDOS

2016-06-14 Thread I
not at the moment but now and then yes




Re: [tor-relays] DDoS on middle nodes?

2016-04-19 Thread Brian Kroll
Early on April 11th, one of my middle relays was hit with a large DDoS,
my provider was able to divert the attack but has not been able to
produce any other information.

//Brian

Green Dream:
> One of my non-exit relays was knocked offline by a DDoS on April 10th. It's
> happened before to another relay as well.
> 
> My provider isn't especially helpful when it happens. They basically just
> disable traffic to the node for 3 hours.
> 
> 
> 
> This body part will be downloaded on demand.
> 





Re: [tor-relays] DDoS attack on relay

2016-01-26 Thread TorOp AnonymizedDotIo1
I was hit with a DDoS attack > 1gbps on 2016-01-21 11:30 EST on the IP 
that hosts my tor exit node. My hosting provider began successfully 
mitigating the attack and my service was unaffected besides a slight dip 
in network throughput.

The attacker quickly stopped the attack when they realized it was being 
blackholed, as my IP was removed from automatic mitigation 15 minutes later.

They did not attack other IPs in that netblock or any other of my 
netblocks that host my legitimate business.

DDoSing a medium-to-large exit node seems counterintuitive to me... 
unless you are a government.


On 2016-01-26 14:32, Green Dream wrote:
My hosting provider alerted me of a DDoS attack on one of my relays. 
It started around 2016-01-26 12:42 UTC. They claim they tried 
"filtering, routing, and network configuration changes" to mitigate 
the attack, but as a last resort they temporarily disconnected the 
host from the network for 3 hours.


I know such attacks are not uncommon, but I'm curious if any other 
operators experienced a DDoS around the same time?


I'm also curious to know more about the nature of such attacks -- what 
type of attack was it, what is the general end goal of attacking a 
random Tor (non-exit) relay, etc. My hosting provider is unable or 
unwilling to share additional information.





Re: [tor-relays] DDoS attack on relay

2016-01-26 Thread Markus Koch
Not today, but it happens quite often 

I get nice abuse mails like this:

Direction IN
Internal 188.40.99.164
Threshold PacketsDiff 200.000 packets/s, Diff: 475.160 packets/s
Sum 142.643.000 packets/300s (475.476 packets/s), 5 flows/300s (0
flows/s), 198,002 GByte/300s (5.406 MBit/s)
External 185.21.xxx.xxx, 142.642.000 packets/300s (475.473 packets/s),
4 flows/300s (0 flows/s), 198,002 GByte/300s (5.406 MBit/s)

xxx out the attackers IP. :)



2016-01-26 20:32 GMT+01:00 Green Dream :
> My hosting provider alerted me of a DDoS attack on one of my relays. It
> started around 2016-01-26 12:42 UTC. They claim they tried "filtering,
> routing, and network configuration changes" to mitigate the attack, but as a
> last resort they temporarily disconnected the host from the network for 3
> hours.
>
> I know such attacks are not uncommon, but I'm curious if any other operators
> experienced a DDoS around the same time?
>
> I'm also curious to know more about the nature of such attacks -- what type
> of attack was it, what is the general end goal of attacking a random Tor
> (non-exit) relay, etc. My hosting provider is unable or unwilling to share
> additional information.
>


Re: [tor-relays] DDoS attack targeted on my exit node

2014-12-22 Thread Toralf Förster
On 12/22/2014 06:44 PM, Michael Renner wrote:
> Hi,
>
> my tor exit node was targeted with two DDoS attacks, one on 2014-12-20
> 01:00 CET and one on 2014-12-22 18:00 CET [1], both lasting about 5
> minutes each.

Not sure if this is related too, but somebody uses my exit relay for port scans 
(15000 scans per minute at ports 22, 80 and 443). It started slowly in 
December and became heavier over the time.

Last Saturday this led to the situation that my ISP claimed to have a 
problem with a network segment. The ISP helped me to solve the problem by 
cutting the network connections to my exit relay.

Currently it just takes a few seconds after I open the ports before the port 
scans continue.

-- 
Toralf
pgp key: 7B1A 07F4 EC82 0F90 D4C2  8936 872A E508 0076 E94E



Re: [tor-relays] DDOS?

2012-12-30 Thread mick
On Sat, 29 Dec 2012 21:44:35 -0500
Matthew Finkel matthew.fin...@gmail.com allegedly wrote:
  
  How long does it take from the time a node is shut down to the point
  where no-one will attempt to connect through it? 
  
  Mick
 
 Hi Mick,
 
 Technically clients will attempt to use your node until the majority
 of the directory authorities agree your node is no longer reachable
 (should not take more than a little over 1 hour, assuming I
 understand the code correctly) plus 3 hours (a client considers a
 consensus valid for at most 3 hours), so roughly 4 hours. However,
 because some clients have incorrectly set clocks, connections will
 most likely trickle in past this point. I think after 5 hours no
 valid clients should still try to connect.

 Matt

That does indeed help. Thank you.

I guess that what I was seeing was mostly tor client attempts. As for
my VPS provider, they still haven't answered my questions as to why they
shut down my machine without telling me. I suspect the DDOS excuse was
just that, an excuse. I'm probably one of the few users who actually
get anywhere near the full bandwidth allocation I pay for. Given that
the VPS is cheap (and probably on a box which is oversold) it's entirely
possible my usage is stretching the resource, and they don't like
that.

Ho Hum. Time to look for another provider.

Cheers

Mick
-

blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

-





Re: [tor-relays] DDOS?

2012-12-29 Thread mick
On Sat, 29 Dec 2012 22:07:59 +
mick m...@rlogin.net allegedly wrote:
 
 I shut tor down while I investigated and when running nethogs I
 noticed a shed load of attempted connections to my tor port (443) from
 non-tor addresses. A snapshot is at
 http://rlogin.net/tor/incoming.png 
 
 Anyone else seeing anything similar? I can't believe I'm the only node
 being poked.

On further investigation, I think many of those addresses are likely
to be tor related, possibly clients attempting to join tor through my
node.

How long does it take from the time a node is shut down to the point
where no-one will attempt to connect through it? 

Mick

 
-

blog: baldric.net
gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312

-





Re: [tor-relays] DDOS?

2012-12-29 Thread Matthew Finkel
On Sat, Dec 29, 2012 at 11:44:29PM +, mick wrote:
 On Sat, 29 Dec 2012 22:07:59 +
 mick m...@rlogin.net allegedly wrote:
  
  I shut tor down while I investigated and when running nethogs I
  noticed a shed load of attempted connections to my tor port (443) from
  non-tor addresses. A snapshot is at
  http://rlogin.net/tor/incoming.png 
  
  Anyone else seeing anything similar? I can't believe I'm the only node
  being poked.
 
 On further investigation, I think many of those addresses are likely
 to be tor related, possibly clients attempting to join tor through my
 node.
 
 How long does it take from the time a node is shut down to the point
 where no-one will attempt to connect through it? 
 
 Mick

Hi Mick,

Technically clients will attempt to use your node until the majority of
the directory authorities agree your node is no longer reachable (should not
take more than a little over 1 hour, assuming I understand the code
correctly) plus 3 hours (a client considers a consensus valid for at most 3
hours), so roughly 4 hours. However, because some clients have incorrectly
set clocks, connections will most likely trickle in past this point. I
think after 5 hours no valid clients should still try to connect.

HTH,
Matt
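Mick wondered above whether the addresses still hitting his OR port after shutdown were Tor-related, and Matt's answer explains that clients keep trying until the consensus that lists the relay expires (valid for at most 3 hours). A defender's way to settle the first question is to compare the connecting source addresses against the OR addresses published in the current network-status consensus: sources that appear there are relays, everything else is either a client or unrelated traffic. The script below is an added example and is not code from the mailing list or from the Tor project; the consensus fragment and the connection snapshot are constructed for illustration (the identity and digest fields are placeholders), and the `src -> dst:port` line shape is an assumption standing in for whatever `nethogs` or `ss` output an operator actually has.

```python
"""Classify inbound connection sources against the relay addresses in a Tor
network-status consensus, and read the consensus validity window.
Added example; the consensus and connection data below are constructed."""
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed fragment in the shape of a full (non-microdesc) consensus.
# Only the valid-after/valid-until headers and the "r" lines are used;
# identity/digest fields are made-up placeholders, IPs are documentation ranges.
SAMPLE_CONSENSUS = """\
network-status-version 3
vote-status consensus
valid-after 2012-12-29 21:00:00
fresh-until 2012-12-29 22:00:00
valid-until 2012-12-30 00:00:00
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2012-12-29 20:15:03 198.51.100.10 443 80
r relayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2012-12-29 19:58:44 203.0.113.7 9001 9030
r relayC EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2012-12-29 20:40:12 192.0.2.55 443 0
"""

# Constructed "src -> dst:port" lines standing in for a connection snapshot
# taken on the relay host (assumed format, not real tool output).
SAMPLE_CONNECTIONS = """\
198.51.100.10 -> 10.0.0.5:443
203.0.113.7 -> 10.0.0.5:443
192.0.2.55 -> 10.0.0.5:443
198.51.100.10 -> 10.0.0.5:443
100.64.3.9 -> 10.0.0.5:443
100.64.3.9 -> 10.0.0.5:443
100.64.3.9 -> 10.0.0.5:443
172.31.200.1 -> 10.0.0.5:443
"""

def relay_ips(consensus_text):
    """Return the set of OR addresses listed on the 'r' lines of a consensus."""
    ips = set()
    for line in consensus_text.splitlines():
        fields = line.split()
        # Full consensus layout: r nick identity digest date time IP ORPort DirPort
        if len(fields) == 9 and fields[0] == "r":
            ips.add(ipaddress.ip_address(fields[6]))
    return ips

def consensus_validity_hours(consensus_text):
    """Hours between valid-after and valid-until, the window a client may
    keep using this consensus (and the relays it lists)."""
    stamps = {}
    for line in consensus_text.splitlines():
        key, _, rest = line.partition(" ")
        if key in ("valid-after", "valid-until"):
            stamps[key] = datetime.strptime(rest, "%Y-%m-%d %H:%M:%S")
    return (stamps["valid-until"] - stamps["valid-after"]).total_seconds() / 3600

def classify_connections(conn_text, known_relays):
    """Count attempts per source address, split into listed relays and others.
    Keys are plain strings so the result is easy to print or compare."""
    relay, other = Counter(), Counter()
    for line in conn_text.splitlines():
        src = ipaddress.ip_address(line.split(" -> ")[0].strip())
        bucket = relay if src in known_relays else other
        bucket[str(src)] += 1
    return relay, other

if __name__ == "__main__":
    relays = relay_ips(SAMPLE_CONSENSUS)
    from_relays, from_others = classify_connections(SAMPLE_CONNECTIONS, relays)
    print("consensus valid for %.1f h" % consensus_validity_hours(SAMPLE_CONSENSUS))
    print("from listed relays:", dict(from_relays))
    print("not in consensus:  ", dict(from_others))
```

Sources that are not in the consensus but connect repeatedly to the OR port are the ones worth a second look; a handful of attempts per address spread over the hours after shutdown matches Matt's description of clients working from a stale consensus, while a single address hammering the port at high rate does not.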