Scott Bennett bennett@sdf.org wrote:
The vast majority of recent surges of unusual activity on my humble
relay, which I take as likely being attacks, result in large changes in the hour-to-hour statistic shown below in these lines extracted from the hourly heartbeat message groups.
Aug 31 19:02:28.549 [notice] Heartbeat: DoS mitigation since startup: 15 circuits killed with too many cells, 0 circuits rejected, 0 marked addresses, 14 same address concurrent connections rejected, 0 connections rejected, 5 single hop clients refused, 1706742 INTRODUCE2 rejected. Aug 31 20:02:28.546 [notice] Heartbeat: DoS mitigation since startup: 15 circuits killed with too many cells, 0 circuits rejected, 0 marked addresses, 14 same address concurrent connections rejected, 0 connections rejected, 5 single hop clients refused, 1706742 INTRODUCE2 rejected. Aug 31 21:02:28.549 [notice] Heartbeat: DoS mitigation since startup: 15 circuits killed with too many cells, 0 circuits rejected, 0 marked addresses, 14 same address concurrent connections rejected, 0 connections rejected, 5 single hop clients refused, 1706742 INTRODUCE2 rejected. Aug 31 22:02:28.544 [notice] Heartbeat: DoS mitigation since startup: 15 circuits killed with too many cells, 0 circuits rejected, 0 marked addresses, 14 same address concurrent connections rejected, 0 connections rejected, 5 single hop clients refused, 1770970 INTRODUCE2 rejected. Aug 31 23:02:28.556 [notice] Heartbeat: DoS mitigation since startup: 16 circuits killed with too many cells, 0 circuits rejected, 0 marked addresses, 14 same address concurrent connections rejected, 0 connections rejected, 5 single hop clients refused, 2013266 INTRODUCE2 rejected.
The most recent such surge appears to have ended less than an hour ago. Note that there was no change in the count of "INTRODUCE2 rejected" for many hours leading up to the onset of unusual activity, though I've only shown three prior hours' worth. Then there is an increase of 63227 in
^^^^^
this count during the first hour and another 41296 during the second
^^^^^ Obviously, the above figures should have been 64228 and 242296. Either way, they seem like an awful lot of bungled hidden service access attempts to occur within an hour, so it's either a bug in hidden services (which would not be unheard of) or it's a deliberate attack.
hour. Often during these periods the input appears to be maxed out, and sometimes the output rate is still higher by several hundred KB/s. My question is, do other relay operators whose relays are being attacked see the same phenomenon? In addition, if someone knows of an effective way to turn such things aside at less cost than be simply leaving them to tor to deal with, I'd love to know about it, too, though I suspect there may be no such method. Thanks in advance for any relevant information!
Scott Bennett, Comm. ASMELG, CFIAG ********************************************************************** * Internet: bennett at sdf.org *xor* bennett at freeshell.org * *--------------------------------------------------------------------* * "A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army." * * -- Gov. John Hancock, New York Journal, 28 January 1790 * **********************************************************************