Hello everyone,
I was inspecting my node and just saw that it has a very high number of connections.
It jumped from the normal 6000-7000 to more than 17000 simultaneous connections.
Looking at the connections with `ss` I see some hosts with over 1000 connections while the majority is usually below 10.
Here are some stats with the IP and the associated number of simultaneous connections:
Is it normal for a single host to produce so many connections?
How do you people handle such situations?
Thanks
On Wed, Jan 31, 2018 at 05:21:38PM +0200, zless wrote:
> I was inspecting my node and just saw that it has a very high number of connections.
> It jumped from the normal 6000-7000 to more than 17000 simultaneous connections.
> Looking at the connections with `ss` I see some hosts with over 1000 connections while the majority is usually below 10.
In the future, you should avoid including IP addresses like this. Some of these are normal Tor users who probably don't like having their addresses listed. After all, the goal of your relay is to provide privacy, right?
> Is it normal for a single host to produce so many connections?
> How do you people handle such situations?
It is not normal. I recommend either trying out the new mitigation feature in git master, or waiting until it gets into a release:
https://lists.torproject.org/pipermail/tor-relays/2018-January/014357.html
https://lists.torproject.org/pipermail/tor-relays/2018-January/014175.html
https://lists.torproject.org/pipermail/tor-relays/2017-December/014002.html
--Roger
On Wednesday, 31 January 2018, at 17:32:15 EET, Roger Dingledine wrote:
> On Wed, Jan 31, 2018 at 05:21:38PM +0200, zless wrote:
> > I was inspecting my node and just saw that it has a very high number of connections.
> > It jumped from the normal 6000-7000 to more than 17000 simultaneous connections.
> > Looking at the connections with `ss` I see some hosts with over 1000 connections while the majority is usually below 10.
> In the future, you should avoid including IP addresses like this. Some of these are normal Tor users who probably don't like having their addresses listed. After all, the goal of your relay is to provide privacy, right?
Sorry about that. I somehow thought that those are only relays like myself and these are public already.
Even so, on closer inspection they seem to fall more on the "bots" side. Most of the IPs in my list are servers from Leaseweb and Hetzner.
> > Is it normal for a single host to produce so many connections?
> > How do you people handle such situations?
> It is not normal. I recommend either trying out the new mitigation feature in git master, or waiting until it gets into a release:
> https://lists.torproject.org/pipermail/tor-relays/2018-January/014357.html
> https://lists.torproject.org/pipermail/tor-relays/2018-January/014175.html
> https://lists.torproject.org/pipermail/tor-relays/2017-December/014002.html
Thanks for the links, they are quite informative.
However I'm still interested in how to block this kind of abuse outside of tor itself. I'm looking to implement some iptables limiting and I'm wondering how the limits should be so that I don't deny normal tor traffic.
Would a 10 connections per IP limit be OK? Should be higher than that?
Thanks for any ideas.
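One way to see how many peers a given per-IP limit would affect, using the same `ss` data but without printing any peer address. This is an added example, not part of the original thread or of tor; the function names `peer_summary` and `sample_ss_output` are hypothetical, the sample lines are constructed from documentation address ranges, and the limit of 10 is only the figure from the question, not a recommended value.

```shell
#!/bin/sh
# Summarise per-peer connection counts from `ss -Htn state established`
# output on stdin. Only aggregate numbers are printed, never addresses.
# Usage: ss -Htn state established | peer_summary LIMIT
peer_summary() {
    limit="$1"
    awk -v limit="$limit" '
        NF >= 4 {
            peer = $NF                  # last column is peer address:port
            sub(/:[0-9]+$/, "", peer)   # drop the port, keep IPv4 or [IPv6]
            count[peer]++
            total++
        }
        END {
            for (p in count) {
                peers++
                # peers that a per-IP limit of "limit" would start rejecting
                if (count[p] > limit) { over++; over_conns += count[p] }
            }
            printf "connections=%d peers=%d peers_over_limit=%d conns_from_those=%d\n",
                   total, peers, over, over_conns
        }'
}

# Constructed sample in the column layout of `ss -Htn state established`
# (Recv-Q Send-Q Local Peer): one peer with 12 connections, one with 3,
# and one IPv6 peer with a single connection.
sample_ss_output() {
    i=0
    while [ "$i" -lt 12 ]; do
        echo "0 0 203.0.113.5:9001 192.0.2.10:$((40000 + i))"
        i=$((i + 1))
    done
    echo "0 0 203.0.113.5:9001 198.51.100.7:51000"
    echo "0 0 203.0.113.5:9001 198.51.100.7:51001"
    echo "0 0 203.0.113.5:9001 198.51.100.7:51002"
    echo "0 0 [2001:db8::5]:9001 [2001:db8::1]:52000"
}

sample_ss_output | peer_summary 10
```

On a live relay, `ss -Htn state established | peer_summary 10` gives the same totals for real traffic, and running it with several limits shows how many peers each candidate value would cut off.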
> However I'm still interested in how to block this kind of abuse outside of tor itself. I'm looking to implement some iptables limiting and I'm wondering how the limits should be so that I don't deny normal tor traffic.
> Would a 10 connections per IP limit be OK? Should be higher than that?
https://lists.torproject.org/pipermail/tor-relays/2018-January/014100.html
> I was inspecting my node and just saw that it has a very high number of connections.
> It jumped from the normal 6000-7000 to more than 17000 simultaneous connections.
> Looking at the connections with `ss` I see some hosts with over 1000 connections while the majority is usually below 10.
> Here are some stats with the IP and the associated number of simultaneous connections:
Please do not publish IP addresses of potential tor clients/onion services!
> Is it normal for a single host to produce so many connections?
This is a known and ongoing issue, the tor developer worked on a fix to mitigate the impact of such aggressive clients.
https://twitter.com/nusenu_/status/958486010563874817
https://lists.torproject.org/pipermail/tor-relays/2018-January/014357.html
Re all the threads on this 'DoS' issue...
Netflow analysis is often better for many toplists of this type than netstat / ss and other tools shipped with any given base OS. Even a proper tcpdump / packet filter log can be better.
tor-relays@lists.torproject.org