#29607: Denial of service on v2 onion service --------------------------+-------------------------- Reporter: pidgin | Owner: pidgin Type: defect | Status: accepted Priority: Immediate | Milestone: Component: Core Tor/Tor | Version: Severity: Normal | Resolution: Keywords: | Actual Points: Parent ID: #25461 | Points: Reviewer: | Sponsor: --------------------------+--------------------------
Comment (by pidgin): Here is a debug log for a tor process under 100% cpu with v2 onion service. some info scrubbed. created 4MB debug logfile per second. -scrubbed-:27.000 [debug] relay_send_command_from_edge_(): delivering 14 cell forward. -scrubbed-:27.000 [debug] relay_send_command_from_edge_(): Sending a RELAY_EARLY cell; 5 remaining. -scrubbed-:27.000 [debug] relay_encrypt_cell_outbound(): encrypting a layer of the relay cell. -scrubbed-:27.000 [debug] relay_encrypt_cell_outbound(): encrypting a layer of the relay cell. -scrubbed-:27.000 [debug] append_cell_to_circuit_queue(): Made a circuit active. -scrubbed-:27.000 [debug] connection_or_process_cells_from_inbuf(): 11: starting, inbuf_datalen 1028 (0 pending in tls object). -scrubbed-:27.000 [debug] channel_process_cell(): Processing incoming cell_t 0x7ffcaedf5950 for channel 0x563a770113e0 (global ID 2) -scrubbed-:27.000 [debug] circuit_get_by_circid_channel_impl(): circuit_get_by_circid_channel_impl() returning circuit 0x563a779c4eb0 for circ_id 2380366636, channel ID 2 (0x563a770113e0) -scrubbed-:27.000 [debug] circuit_receive_relay_cell(): Sending to origin. -scrubbed-:27.000 [debug] connection_edge_process_relay_cell(): Now seen 10207 relay cells here (command 15, stream 0). -scrubbed-:27.000 [debug] connection_edge_process_relay_cell(): Got an extended cell! Yay. -scrubbed-:27.000 [info] circuit_finish_handshake(): Finished building circuit hop: -scrubbed-:27.000 [info] internal circ (length 5, last hop $-scrubbed-): $-scrubbed-(open) $scrubbed(open) $scrubbed(open) $Cscrubbed(closed) $-scrubbed-(closed) -scrubbed-:27.000 [debug] btc_cevent_rcvr(): CIRC gid=1541 evtype=2 reason=0 onehop=0 -scrubbed-:27.000 [debug] circuit_build_times_add_time(): Adding circuit build time 22290 -scrubbed-:27.000 [debug] circuit_send_intermediate_onion_skin(): starting to send subsequent skin. -scrubbed-:27.000 [info] circuit_send_intermediate_onion_skin(): Sending extend relay cell. -scrubbed-:27.000 [debug] relay_send_command_from_edge_(): delivering 14 cell forward. -scrubbed-:27.000 [debug] relay_send_command_from_edge_(): Sending a RELAY_EARLY cell; 5 remaining. -scrubbed-:27.000 [debug] relay_encrypt_cell_outbound(): encrypting a layer of the relay cell. -scrubbed-:27.000 [debug] relay_encrypt_cell_outbound(): encrypting a layer of the relay cell. -scrubbed-:27.000 [debug] relay_encrypt_cell_outbound(): encrypting a layer of the relay cell. -scrubbed-:27.000 [debug] append_cell_to_circuit_queue(): Made a circuit active. -scrubbed-:27.000 [debug] connection_or_process_cells_from_inbuf(): 11: starting, inbuf_datalen 514 (0 pending in tls object). -scrubbed-:27.000 [debug] channel_process_cell(): Processing incoming cell_t 0x7ffcaedf5950 for channel 0x563a770113e0 (global ID 2) -scrubbed-:27.000 [debug] circuit_get_by_circid_channel_impl(): circuit_get_by_circid_channel_impl() returning circuit 0x563a77524ad0 for circ_id 3378515571, channel ID 2 (0x563a770113e0) -scrubbed-:27.000 [debug] circuit_receive_relay_cell(): Sending to origin. -scrubbed-:27.000 [debug] connection_edge_process_relay_cell(): Now seen 10208 relay cells here (command 35, stream 0). -scrubbed-:27.000 [info] rend_service_receive_introduction(): Received INTRODUCE2 cell for service "uuuuuuuuuuuuuuuuuuu" on circ 3378515571. -scrubbed-:27.000 [debug] extend_info_from_node(): using YYYYYYYYYYYYYYY for scrubbed -scrubbed-:27.000 [info] extend_info_from_node(): Including Ed25519 ID for $scrubbedscrubbed -scrubbed-:27.000 [info] rep_hist_note_used_internal(): New port prediction added. Will continue predictive circ building for 3003 more seconds. -scrubbed-:27.000 [debug] circuit_find_to_cannibalize(): Hunting for a circ to cannibalize: purpose 17, uptime 0, capacity 1, internal 1 -scrubbed-:27.000 [debug] new_route_len(): Chosen route length 5 (6571 direct and 6571 indirect routers suitable). -scrubbed-:27.000 [info] onion_pick_cpath_exit(): Using requested exit node '$scrubbedscrubbed' -scrubbed-:27.000 [debug] onion_extend_cpath(): Path is 0 long; we want 5 -scrubbed-:27.000 [info] select_primary_guard_for_circuit(): Selected primary guard rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrriiiiiiiiiiiiiiiiiii ($-scrubbed-) for circuit. -scrubbed-:27.000 [debug] extend_info_from_node(): using XXXXXXXXXXXXXXzzzzzzzzzzzzzzzzzzzzzz for rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrriiiiiiiiiiiiiiiiiii -scrubbed-:27.000 [info] extend_info_from_node(): Including Ed25519 ID for $-scrubbed-~rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrriiiiiiiiiiiiiiiiiii at XXXXXXXXXXXXXX -scrubbed-:27.000 [debug] onion_extend_cpath(): Chose router $-scrubbed-~rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrriiiiiiiiiiiiiiiiiii at XXXXXXXXXXXXXX for hop #1 (exit is scrubbed) -scrubbed-:27.000 [debug] onion_extend_cpath(): Path is 1 long; we want 5 -scrubbed-:27.000 [debug] choose_good_middle_server(): Contemplating intermediate hop #2: random choice. -scrubbed-:27.000 [debug] choose_good_middle_server(): Picking a sticky node (cur_len = 1) -scrubbed-:27.000 [debug] extend_info_from_node(): using rrrrrrrrrrrrrrrrrrrrrrrrzzzzzzzzzzzzzzzzzzzzzz for araglaucogularis -scrubbed-:27.000 [info] extend_info_from_node(): Including Ed25519 ID for $scrubbed~scrubbed -scrubbed-:27.000 [debug] onion_extend_cpath(): Chose router $scrubbed~scrubbed for hop #2 (exit is scrubbed) -scrubbed-:27.000 [debug] onion_extend_cpath(): Path is 2 long; we want 5 -scrubbed-:27.000 [debug] choose_good_middle_server(): Contemplating intermediate hop #3: random choice. -scrubbed-:27.000 [debug] choose_good_middle_server(): Picking a sticky node (cur_len = 2) -scrubbed-:27.000 [debug] extend_info_from_node(): using scrubbed:kkkkkkkkkkkkkkkkkkkkkkkkkk for rrrrrrrrrrrrrrrrrrrrrrrrrrrr -scrubbed-:27.000 [info] extend_info_from_node(): Including Ed25519 ID for $xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx~rrrrrrrrrrrrrrrrrrrrrrrrrrrr at scrubbed -scrubbed-:27.000 [debug] onion_extend_cpath(): Chose router $xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx~rrrrrrrrrrrrrrrrrrrrrrrrrrrr at scrubbed for hop #3 (exit is scrubbed) -scrubbed-:27.000 [debug] onion_extend_cpath(): Path is 3 long; we want 5 -scrubbed-:27.000 [debug] choose_good_middle_server(): Contemplating intermediate hop #4: random choice. -scrubbed-:27.000 [debug] router_choose_random_node(): We found 5695 running nodes. -scrubbed-:27.000 [debug] router_choose_random_node(): We removed 0 excludednodes, leaving 5695 nodes. -scrubbed-:27.000 [debug] router_choose_random_node(): We removed 4 excludedsmartlist, leaving 5691 nodes. -scrubbed-:27.000 [debug] compute_weighted_bandwidths(): Generated weighted bandwidths for rule weight as middle node based on weights Wg=0.400800 Wm=1.000000 We=0.000000 Wd=0.000000 with total bw 25389038256.000000 -scrubbed-:27.000 [debug] extend_info_from_node(): using fffffffffffffffffffffffffffffff:kkkkkkkkkkkkkkkkkkkkkkkkkk for wwwwwwwwwwwwwwwwwwwwww -scrubbed-:27.000 [info] extend_info_from_node(): Including Ed25519 ID for $ggggggggggggggggggggggggggggggggggg~wwwwwwwwwwwwwwwwwwwwww at fffffffffffffffffffffffffffffff -scrubbed-:27.000 [debug] onion_extend_cpath(): Chose router $ggggggggggggggggggggggggggggggggggg~wwwwwwwwwwwwwwwwwwwwww at fffffffffffffffffffffffffffffff for hop #4 (exit is scrubbed) -scrubbed-:27.000 [debug] onion_extend_cpath(): Path is 4 long; we want 5 -scrubbed-:27.000 [debug] onion_extend_cpath(): Chose router $scrubbedscrubbed for hop #5 (exit is scrubbed) -scrubbed-:27.000 [debug] onion_extend_cpath(): Path is complete: 5 steps long -scrubbed-:27.000 [debug] btc_cevent_rcvr(): CIRC gid=2543 evtype=0 reason=0 onehop=0 -scrubbed-:27.000 [debug] circuit_handle_first_hop(): Looking for firsthop 'XXXXXXXXXXXXXXzzzzzzzzzzzzzzzzzzzzzz' -scrubbed-:27.000 [debug] btc_event_rcvr(): CIRC gid=2543 chan=2 onehop=0 -scrubbed-:27.000 [debug] circuit_handle_first_hop(): Conn open. Delivering first onion skin. -scrubbed-:27.000 [debug] circuit_send_first_onion_skin(): First skin; sending create cell. -scrubbed-:27.000 [debug] circuit_get_by_circid_channel_impl(): circuit_get_by_circid_channel_impl() found nothing for circ_id 3035601791, channel ID 2 (0x563a770113e0) -scrubbed-:27.000 [debug] circuit_deliver_create_cell(): Chosen circID 3035601791. -scrubbed-:27.000 [debug] circuitmux_attach_circuit(): Attaching circuit 3035601791 on channel 2 to cmux 0x563a770079d0 -scrubbed-:27.000 [debug] append_cell_to_circuit_queue(): Made a circuit active. -scrubbed-:27.000 [debug] btc_state_rcvr(): CIRC gid=2543 state=0 onehop=0 -scrubbed-:27.000 [info] circuit_send_first_onion_skin(): First hop: finished sending CREATE cell to '$-scrubbed-~rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrriiiiiiiiiiiiiiiiiii at XXXXXXXXXXXXXX' -scrubbed-:27.000 [info] rend_service_receive_introduction(): Accepted intro; launching circuit to [scrubbed] (cookie 2E7D742C) for service uuuuuuuuuuuuuuuuuuu. -scrubbed-:27.000 [debug] connection_or_process_cells_from_inbuf(): 11: starting, inbuf_datalen 0 (0 pending in tls object). -scrubbed-:27.000 [debug] conn_read_callback(): socket 10 wants to read. -scrubbed-:27.000 [debug] connection_buf_read_from_socket(): 10: starting, inbuf_datalen 0 (0 pending in tls object). at_most 16448. -scrubbed-:27.000 [debug] connection_buf_read_from_socket(): After TLS read of 1028: 1057 read, 0 written -scrubbed-:27.000 [debug] connection_or_process_cells_from_inbuf(): 10: starting, inbuf_datalen 1028 (0 pending in tls object). -scrubbed-:27.000 [debug] channel_process_cell(): Processing incoming cell_t 0x7ffcaedf5950 for channel 0x563a76ffd020 (global ID 1) -scrubbed-:27.000 [debug] circuit_get_by_circid_channel_impl(): circuit_get_by_circid_channel_impl() returning circuit 0x563a773f5cd0 for circ_id 3703046038, channel ID 1 (0x563a76ffd020) -scrubbed-:27.000 [debug] circuit_receive_relay_cell(): Sending to origin. -scrubbed-:27.000 [debug] connection_edge_process_relay_cell(): Now seen 10209 relay cells here (command 15, stream 0). -scrubbed-:27.000 [debug] connection_edge_process_relay_cell(): Got an extended cell! Yay. -scrubbed-:27.000 [info] circuit_finish_handshake(): Finished building circuit hop: -scrubbed-:27.000 [info] internal circ (length 5, last hop wwwwwwwwwwwwwwwwwwwwww): $hhhhhhhhhhhhhhhhhhhhhhhhh(open) eeeeeeeeeeeeeeeeeeeeeeeee(open) nnnnnnnnnnnnnnnnnnnnnnnnnnnnnn(open) vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv(open) lllllllllllllllllllllllllllllllllllllllll(open) -scrubbed-:27.000 [debug] btc_cevent_rcvr(): CIRC gid=1023 evtype=2 reason=0 onehop=0 -scrubbed-:27.000 [info] entry_guards_note_guard_success(): Recorded success for primary confirmed guard madtrixz01 ($hhhhhhhhhhhhhhhhhhhhhhhhh) -scrubbed-:27.000 [debug] btc_state_rcvr(): CIRC gid=1023 state=4 onehop=0 -scrubbed-:27.000 [info] circuit_build_no_more_hops(): circuit built! -scrubbed-:27.000 [debug] btc_cevent_rcvr(): CIRC gid=1023 evtype=1 reason=0 onehop=0 -scrubbed-:27.000 [info] rend_service_rendezvous_has_opened(): Done building circuit 3703046038 to rendezvous with cookie A9ADDEC1 for service uuuuuuuuuuuuuuuuuuu96EB1FD02A5(open) nnnnnnnnnnnnnnnnnnnnnnnnnnnnnn(open) vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv(open) lllllllllllllllllllllllllllllllllllllllll(open) -scrubbed-:27.000 [debug] btc_cevent_rcvr(): CIRC gid=1023 evtype=2 reason=0 onehop=0 -scrubbed-:27.000 [info] entry_guards_note_guard_success(): Recorded success for primary confirmed guard madtrixz01 ($hhhhhhhhhhhhhhhhhhhhhhhhh) -scrubbed-:27.000 [debug] btc_state_rcvr(): CIRC gid=1023 state=4 onehop=0 -scrubbed-:27.000 [info] circuit_build_no_more_hops(): circuit built! -scrubbed-:27.000 [debug] btc_cevent_rcvr(): CIRC gid=1023 evtype=1 reason=0 onehop=0 -scrubbed-:27.000 [info] rend_service_rendezvous_has_opened(): Done building circuit 3703046038 to rendezvous with cookie A9ADDEC1 for service uuuuuuuuuuuuuuuuuuu -scrubbed-:27.000 [info] internal circ (length 5): $hhhhhhhhhhhhhhhhhhhhhhhhh(open) eeeeeeeeeeeeeeeeeeeeeeeee(open) nnnnnnnnnnnnnnnnnnnnnnnnnnnnnn(open) vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv(open) lllllllllllllllllllllllllllllllllllllllll(open) -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29607#comment:18> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online
_______________________________________________ tor-bugs mailing list tor-bugs@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs