Daily DDOS love the last 14 days …
https://imgur.com/a/rfu0OUA https://imgur.com/fCsIv6V
even for my standards, that's a shit-ton of sockets … Tor DDOS protection is configured but I get more connections than I can drop …
nifty
I as well.
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Okay, I am not alone. ♥️
Grab yourself a club sandwich and a Dr Pepper while we are waiting for the DDOS to end.
nifty
Hi! Can you provide more details? From Nifty's picture it looks like they are full TCP connections? Do you have a sense of what they do when they connect?
And that would mean that they *aren't* packet-level ddoses, i.e. the "I fill up your network connection with packets so no other packets can get through" kind?
One of the strange things about working with things at the scale of the Tor network is that sometimes the combined behavior of many Tor processes can look like a DDoS. For example, maybe all of these connections come from out-of-date Tors that are now behaving bizarrely since the network now doesn't work the way their old logic expects.
We've also seen what looks like DDoS attempts on the directory authorities, but on closer examination they are some alternative Tor implementation that is running on many thousands of computers and is fetching Tor consensus documents in a way that isn't sustainable: https://gitlab.torproject.org/tpo/core/tor/-/issues/33018
There are also apparently some overloading attacks happening on some popular onion services currently, and I wonder if those are bleeding over into looking like many connections. Or, as we saw a few years ago when we added the "ddos defense subsystem" in Tor, the attacks didn't actually add much load, but it was when the onion services tried to scale up to tens of thousands of Tors, to be able to respond to every incoming rendezvous attempt, that those tens of thousands of Tors together looked like an attack on the network.
So: the next step would be to try to learn more about what these connections look like, where they're coming from, what they're doing, etc.
Also, if more people than just Nifty and John are seeing them.
Never a dull moment, --Roger
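Roger's suggested next step is to learn what the connections look like and where they come from. As an added example (not from this thread, and not Tor's own tooling), the Python script below summarizes a Linux `ss -tan` connection table: connections per TCP state, the busiest peer addresses and their /24 (IPv4) or /48 (IPv6) prefixes, and the share of fully established sockets, which is what distinguishes the "full TCP connections" case from a half-open SYN flood. The `ss` lines embedded in it are constructed sample data; the prefix lengths and the 50% threshold in `classify` are assumptions chosen for illustration.

```python
"""Summarize a relay's TCP socket table to characterize a suspected DDoS.

Added example, not from the tor-relays thread. Input is the text output of
`ss -tan` (iproute2). SAMPLE_SS is constructed sample data.
"""
import sys
import ipaddress
from collections import Counter

# Constructed sample of `ss -tan` output: header line, then one socket per line.
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN     0      4096   0.0.0.0:9001        0.0.0.0:*
ESTAB      0      0      203.0.113.10:9001   198.51.100.7:51234
ESTAB      0      0      203.0.113.10:9001   198.51.100.7:51235
ESTAB      0      0      203.0.113.10:9001   198.51.100.9:40001
ESTAB      0      0      203.0.113.10:9001   192.0.2.44:33001
SYN-RECV   0      0      203.0.113.10:9001   198.51.100.20:1025
SYN-RECV   0      0      203.0.113.10:9001   198.51.100.21:1026
ESTAB      0      0      203.0.113.10:443    [2001:db8::1]:5555
"""


def split_host_port(addr):
    """Split 'host:port' or '[v6addr]:port' into (host, port) strings."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port


def parse_ss(text):
    """Yield (state, peer_ip, peer_port) for every non-listening socket."""
    for line in text.splitlines()[1:]:          # skip the header line
        fields = line.split()
        if len(fields) < 5:
            continue
        state, peer = fields[0], fields[4]
        if state == "LISTEN":
            continue
        host, port = split_host_port(peer)
        yield state, host, port


def summarize(text, top=5):
    """Aggregate the socket table by state, peer IP and peer prefix."""
    states, per_ip, per_prefix = Counter(), Counter(), Counter()
    for state, ip, _port in parse_ss(text):
        states[state] += 1
        per_ip[ip] += 1
        addr = ipaddress.ip_address(ip)
        plen = 24 if addr.version == 4 else 48   # assumed aggregation granularity
        net = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
        per_prefix[str(net)] += 1
    total = sum(states.values())
    return {
        "total": total,
        "states": dict(states),
        "top_ips": per_ip.most_common(top),
        "top_prefixes": per_prefix.most_common(top),
        "established_share": states["ESTAB"] / total if total else 0.0,
    }


def classify(summary):
    """Rough label: full connections (application load) vs. half-open (SYN flood)."""
    if summary["total"] == 0:
        return "idle"
    if summary["established_share"] >= 0.5:      # assumed threshold
        return "mostly established connections (application-level load, not a SYN flood)"
    return "mostly half-open connections (consistent with a SYN flood)"


if __name__ == "__main__":
    # Pipe real data in with:  ss -tan | python3 summarize_ss.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS
    s = summarize(text)
    print(f"{s['total']} sockets, by state: {s['states']}")
    print("top peers:", s["top_ips"])
    print("top prefixes:", s["top_prefixes"])
    print("verdict:", classify(s))
```

On the constructed sample the verdict is "mostly established", matching the full-TCP-connection picture Roger asks about; a SYN flood would instead show SYN-RECV dominating. Aggregating by prefix is what makes a single hosting range stand out when the per-IP counts are spread across many source addresses.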
No clue what they are doing, but they max out the Exits with 100% CPU load and do not transport a lot of traffic:
https://imgur.com/a/NzpE69B
Around 16-21 there should be more traffic and this was DDOS time.
I am 100% sure it's not bogus traffic just sent to my IPs to max out my uplinks, because:
https://www.peeringdb.com/net/22652
you need at least 120 gigabit to kill my uplinks.
I love dull, I love dull sooooo much. I want to marry dull.
nifty
On 8/25/20 9:20 PM, Roger Dingledine wrote:
Also, if more people than just Nifty and John are seeing them.
I got an abuse record from Hetzner for my relay (no Exit flag, but 2 dozen ports opened) at 8/18/20, 4:31 PM +0200 with a content like:
Direction OUT Internal 5.9.158.75 Threshold Packets <snip> packets/s Sum 108.286.000 packets/300s (360.953 packets/s), 53.442 flows/300s (178 flows/s), 4,120 GByte/300s (112 MBit/s) ...
I had to temporarily completely switch off "ExitRelay 1" to "ExitRelay 0" to avoid a server block by the hoster.
The next day I re-opened one half of the exit ports (only DNS, Jabber and IRC, no Bitcoin et al) and did not experience any further abuse reports since then.
-- Toralf
I got 47 abuse emails while being DDOSed today. That's in my normal range. Normally when there is a bigger botnet scanning port 22 etc. I will get over 1000+ abuse mails a day. Could be they are scanning ranges that don't produce abuse mails or they do something otherwise fishy. No clue right now. With over 1 million extra sockets alone on my servers I am sure he/she/it has some beefy hardware.
nifty
I think I'm getting hit, too. I can't SSH into Parker anymore, even after a hard reboot. I can still communicate with Systembot normally, though. He might be out of available network sockets for sshd to respond to connection attempts. I'm considering blowing away the node and building a new one.
I seem to recall something about an attacker DDoSing individual Tor nodes to help isolate where a given hidden service is running. Could this be a manifestation of that attack?
The Doctor [412/724/301/703/415/510] WWW: https://drwho.virtadpt.net/ The old world is dying, and the new world struggles to be born. Now is the time of monsters.
As far as I know many darknet markets are being targeted with massive DDoS attacks. For example Empire (biggest market as of recently) went down on August 22.
Not sure if those issues are connected since the DN market DDoS racketeering is more or less a permanent feature.
greets
Also banks and financial institutions in New Zealand are being targeted.