Hi all,
We are at least 3 users running middle relays from 0.4.4.5 and after having some logs like those :
```
Nov 02 05:30:55.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:30:55.000 [warn] Possible zlib bomb; abandoning stream.
Nov 02 05:30:56.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:31:00.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:31:00.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:31:00.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:31:55.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:31:56.000 [warn] Possible compression bomb; abandoning stream.
```
I'm wondering if this is an attack or a new feature (haven't checked yet) but I'd like to know how many users are impacted.
The interesting information is:
* Number of warnings
* What kind of relay it is (middle, exit, entry)
After your answers, I'll complete the issue I have opened on the bug tracker.
Cheers,
Hi Guinness,
On Mon, Nov 2, 2020 at 12:31 PM Guinness guinness@crans.org wrote:
I'm wondering if this is an attack or a new feature (haven't checked yet) but I'd like to know how many users are impacted.
The interesting information is:
- Number of warnings
- What kind of relay it is (middle, exit, entry)
Small middle relay here, 7 warnings roughly an hour earlier than your timestamps (after 04:30) on November 2. Nothing since then, nothing apparently after that.
Hello,
same here on my middle relay running 0.4.4.5:
```
...
Nov 02 05:20:48.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:20:48.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:20:48.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:21:49.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:21:49.000 [warn] Possible zlib bomb; abandoning stream.
Nov 02 05:22:48.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:22:49.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:22:49.000 [warn] Possible zlib bomb; abandoning stream.
Nov 02 05:23:49.000 [warn] Possible zlib bomb; abandoning stream.
Nov 02 05:23:49.000 [warn] Possible zlib bomb; abandoning stream.
Nov 02 05:23:49.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:23:49.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:23:49.000 [warn] Possible compression bomb; abandoning stream.
....
```
Regards
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On Mon, 2 Nov 2020 11:05:43 +0100 Guinness guinness@crans.org allegedly wrote:
I'm wondering if this is an attack or a new feature (haven't checked yet) but I'd like to know how many users are impacted.
The interesting information is:
- Number of warnings
- What kind of relay it is (middle, exit, entry)
After your answers, I'll complete the issue I have opened on the bug tracker.
Hi Guinness
I have the following two entries in the log for my guard relay at https://metrics.torproject.org/rs.html#details/AE4FAE2EB5DC5D078458F0FCBF2B3...
```
Nov 02 04:30:00.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 04:30:01.000 [warn] Possible compression bomb; abandoning stream.
```
Time is GMT.
Cheers
Mick
--------------------------------------------------------------------- Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 https://baldric.net/about-trivia ---------------------------------------------------------------------
A similar observation on a middle+guard (times in UTC). Nothing since then, no other issues observed:
```
Nov 02 04:11:12: Possible compression bomb; abandoning stream.
Nov 02 04:12:09: Possible zlib bomb; abandoning stream.
Nov 02 04:12:10: Possible compression bomb; abandoning stream.
Nov 02 04:12:10: Possible compression bomb; abandoning stream.
Nov 02 04:12:18: Possible compression bomb; abandoning stream.
Nov 02 04:13:09: Possible compression bomb; abandoning stream.
Nov 02 04:13:10: Possible compression bomb; abandoning stream.
```
Here, too. Between 3 and 12 lines, all within 1-3 seconds. Not totally sure about my arithmetic between time zones, but all seem to be within 5 minutes. Bridge, middle, exits included.
--Torix
Same here on my bridge:
```
Nov 2 06:21:04 raspipfupf Tor[2556]: Possible zlib bomb; abandoning stream.
Nov 2 06:21:04 raspipfupf Tor[2556]: Possible zlib bomb; abandoning stream.
```
Time is UTC+1, nothing before and after
Cheers, Christoph
Same here - obviously something happening all over in Tor (timezone is CET):
```
Nov 02 05:29:24.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:29:25.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:29:29.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:29:36.000 [warn] Possible compression bomb; abandoning stream.
```
also saw this on my Tor exit dannydevito, but these messages only appeared once in logs (UTC time)
```
Nov 2 04:21:44 <daemon.warn> dannydevito Tor: Possible zlib bomb; abandoning stream.
Nov 2 04:22:42 <daemon.warn> dannydevito Tor: Possible compression bomb; abandoning stream.
Nov 2 04:22:42 <daemon.warn> dannydevito syslogd: last message repeated 2 times
Nov 2 04:23:42 <daemon.warn> dannydevito Tor: Possible zlib bomb; abandoning stream.
Nov 2 04:23:42 <daemon.warn> dannydevito Tor: Possible compression bomb; abandoning stream.
Nov 2 04:23:42 <daemon.warn> dannydevito syslogd: last message repeated 3 times
```
Same on my US exit relay:
```
Nov 02 04:03:50.000 [warn] Possible zlib bomb; abandoning stream.
Nov 02 04:03:50.000 [warn] Possible zlib bomb; abandoning stream.
```
same here,
my 4 relays (guards) all had this log entry, with one of them the log entries are spread over a quarter of an hour (2 tor instances running on this one): (this one is on Central European time zone, CET)
```
Nov 2 05:15:22 : Possible compression bomb; abandoning stream.
Nov 2 05:15:23 : message repeated 2 times: [ Possible compression bomb; abandoning stream.]
Nov 2 05:16:21 : Possible zlib bomb; abandoning stream.
Nov 2 05:16:21 : Possible compression bomb; abandoning stream.
Nov 2 05:17:21 : Possible zlib bomb; abandoning stream.
Nov 2 05:17:21 : Possible compression bomb; abandoning stream.
Nov 2 05:19:21 : message repeated 5 times: [ Possible compression bomb; abandoning stream.]
Nov 2 05:19:21 : Possible zlib bomb; abandoning stream.
Nov 2 05:19:21 : Possible zlib bomb; abandoning stream.
Nov 2 05:20:21 : Possible compression bomb; abandoning stream.
Nov 2 05:22:21 : message repeated 4 times: [ Possible compression bomb; abandoning stream.]
Nov 2 05:22:21 : Possible zlib bomb; abandoning stream.
Nov 2 05:22:21 : Possible compression bomb; abandoning stream.
Nov 2 05:23:21 : Possible zlib bomb; abandoning stream.
Nov 2 05:23:21 : Possible compression bomb; abandoning stream.
Nov 2 05:23:21 : Possible compression bomb; abandoning stream.
Nov 2 05:24:21 : Possible zlib bomb; abandoning stream.
Nov 2 05:24:21 : Possible compression bomb; abandoning stream.
Nov 2 05:24:21 : Possible compression bomb; abandoning stream.
Nov 2 05:25:21 : Possible compression bomb; abandoning stream.
Nov 2 05:26:21 : message repeated 3 times: [ Possible compression bomb; abandoning stream.]
Nov 2 05:26:21 : Possible zlib bomb; abandoning stream.
Nov 2 05:26:23 : Possible compression bomb; abandoning stream.
Nov 2 05:27:21 : Possible compression bomb; abandoning stream.
Nov 2 05:29:39 : Possible compression bomb; abandoning stream.
Nov 2 05:29:44 : message repeated 3 times: [ Possible compression bomb; abandoning stream.]
```
gr. Paul
On Mon, Nov 2, 2020 at 9:28 PM Chris Dagdigian dag@sonsorol.org wrote:
Same on my US exit relay:
```
Nov 02 04:03:50.000 [warn] Possible zlib bomb; abandoning stream.
Nov 02 04:03:50.000 [warn] Possible zlib bomb; abandoning stream.
```
Hi everybody
On 02.11.2020 at 11:05, Guinness wrote:
I'm wondering if this is an attack or a new feature (haven't checked yet) but I'd like to know how many users are impacted.
The interesting information is:
- Number of warnings
- What kind of relay it is (middle, exit, entry)
Relays received shorter probes than bridges which were probed over about 5 hours. As well bridges that are announced (public) but didn't have any 'unique clients' so far.
-- Cheers, Felix
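Added example (not part of any message in this thread, and not Tor project code): a Python function that produces the two figures requested at the top of the thread, the number of warnings and when they occurred, from the log formats posted here, with timestamps normalized to UTC so that reports from different time zones can be compared. The name `summarize`, the `SAMPLE` lines, the host name `relay1` and the default year are assumptions of this example; syslog "repeated N times" lines are counted as N further occurrences.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Line-start timestamp: "Nov 02 05:30:55.000" (Tor log) or "Nov  2 06:21:04" (syslog).
TS = re.compile(r"^(\w{3})\s+(\d{1,2})\s+(\d{2}:\d{2}:\d{2})")
BOMB = re.compile(r"Possible (compression|zlib) bomb; abandoning stream\.")
# syslogd writes "last message repeated N times"; rsyslog writes
# "message repeated N times: [ <text> ]". Both stand for N further occurrences.
REPEAT = re.compile(r"message repeated (\d+) times")

# Constructed sample in the log formats posted in the thread; the host name
# "relay1" and the PID are made up. Local time is CET (UTC+1).
SAMPLE = """\
Nov 02 05:30:55.000 [warn] Possible compression bomb; abandoning stream.
Nov 02 05:30:55.000 [warn] Possible zlib bomb; abandoning stream.
Nov  2 05:31:21 relay1 Tor[1234]: Possible compression bomb; abandoning stream.
Nov  2 05:31:21 relay1 syslogd: last message repeated 2 times
Nov  2 05:33:21 : message repeated 3 times: [ Possible zlib bomb; abandoning stream.]
Nov  2 05:34:00 relay1 Tor[1234]: Heartbeat: Tor's uptime is 1 day 0:00 hours.
""".splitlines()


def summarize(lines, utc_offset_hours=0, year=2020):
    """Return ({kind: count}, (first_utc, last_utc)) for bomb warnings.

    utc_offset_hours is the log's offset from UTC (CET = 1). The year is an
    assumption (2020, the thread's date): neither log format records it.
    """
    counts, stamps, last_kind = Counter(), [], None
    for line in lines:
        ts = TS.match(line)
        if not ts:
            continue
        bomb, rep = BOMB.search(line), REPEAT.search(line)
        if rep:
            # rsyslog embeds the repeated text; syslogd means the previous line.
            kind, n = (bomb.group(1) if bomb else last_kind), int(rep.group(1))
        elif bomb:
            kind, n = bomb.group(1), 1
        else:
            last_kind = None  # unrelated line: a later syslogd repeat is not ours
            continue
        if kind is None:
            continue
        last_kind = kind
        counts[kind] += n
        local = datetime.strptime(
            f"{year} {ts.group(1)} {ts.group(2)} {ts.group(3)}", "%Y %b %d %H:%M:%S")
        stamps.append(local - timedelta(hours=utc_offset_hours))
    return dict(counts), ((min(stamps), max(stamps)) if stamps else None)


if __name__ == "__main__":
    print(summarize(SAMPLE, utc_offset_hours=1))
```

Run it per relay with that machine's UTC offset, then compare the returned windows across relays to see whether the bursts coincide.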