FYI.
--Roger
----- Forwarded message from Roger Dingledine arma@torproject.org -----
Date: Wed, 29 Jan 2020 04:11:46 -0500 From: Roger Dingledine arma@torproject.org To: dir-auth@lists.tpo Subject: Directory authorities DDoSed by consensus fetches
Hi folks!
I wanted to let you know about an issue that came up over the past few weeks, and is continuing.
In short, many thousands of places around the internet are fetching the vanilla consensus document, uncompressed, from the dirport of the dir auths.
moria and gabelmoo shot up to 400mbit/s sustained, and even that wasn't enough because they couldn't reliably interact with the other dir auths (e.g. send or receive votes) at that level of load.
Probably your dir auth is under huge load currently too.
Here's the plan:
(0) If you need to squeeze down your bandwidth use for now, e.g. by setting a lower BandwidthRate, do it and don't feel bad. The pain will continue for a while yet, and answering all of the requests is not worth getting in trouble with your hoster.
(1) If you're into patching your Tor source yourself, here is a very simple patch that will help you for now: https://bugs.torproject.org/33029#comment:18 It prioritizes answering other relays and other directory authorities, when rate limiting is kicking in. This patch won't by itself reduce your bandwidth load, but it will let you turn down the BandwidthRate knob while still being a productive useful dir auth.
(2) We'll have a more thorough version of this patch out sometime soon, in the form of a git branch and eventually a Tor update. Let us know if the patch in #1 doesn't do it for you and you need us to get to step #2 quicker.
(3) Longer term, we need to start refusing (some of) these extra requests. We have found some simple distinguishers that make us think they are not actual Tor clients, and that mean we can refuse the requests without that much collateral damage. We still need to think through exactly how we want to do that though -- and putting some more defenses in place, in case the requests morph into something else, could be smart too. The ticket to follow here is https://bugs.torproject.org/33018
More when we have it, --Roger
----- End forwarded message -----
network-health@lists.torproject.org
-
Roger Dingledine