4 of my 5 tor servers are under an incoming DDOS attack. Am I the only one or is anyone else feeling the "love"?
Markus
On 06/14/2016 07:03 AM, Markus Koch wrote:
> 4 of my 5 tor servers are under an incoming DDOS attack. Am I the only one or is anyone else feeling the "love"?
attacks with about 100 MBit/sec over a minute or so happen here nearly daily, attacks > 500 MBit/sec over half an hour or so once a year.
--
Toralf
PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7
DDOS attack mostly everyday, ssh login attempts every hour... What a fantastic love !!
The attackers are from ....... China :-)

On 14 June 2016 at 14:31, "Toralf Förster" toralf.foerster@gmx.de wrote:
> On 06/14/2016 07:03 AM, Markus Koch wrote:
>> 4 of my 5 tor servers are under an incoming DDOS attack. Am I the only one or is anyone else feeling the "love"?
>
> attacks with about 100 MBit/sec over a minute or so happen here nearly daily, attacks > 500 MBit/sec over half an hour or so once a year.
>
> Toralf
> PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7
Hey,
Little noob question inside :) If possible to learn quickly how to detect a DDOS attack ?
I got Munin running behind, can it be useful with the "netstat" and "firewall throughput" plugins graphs to see it ? So if the server is attacked, I think it will show some big spikes in those graphs...?
Thx ;)
ps: I'll try to find some things about this subject, np!
On 14/06/2016 07:03, Markus Koch wrote:
> 4 of my 5 tor servers are under an incoming DDOS attack. Am I the only one or is anyone else feeling the "love"?
>
> Markus
On 06/14/2016 02:59 PM, Petrusko wrote:
> So if the server is attacked, I think it will show some big spikes in those graphs...?
My ISP provides traffic data/graphs. And I do use sysstat[1] to monitor my server, which gives among other statistics something like [2]
[1] http://pagesperso-orange.fr/sebastien.godard/
[2] https://www.zwiebeltoralf.de/torserver/ddos_sysstat_example.txt

--
Toralf
PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7
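One way to turn the sysstat data mentioned above into a spike check, as an added example that is not part of the original thread: it parses `sar -n DEV`-style output and flags samples whose inbound rate is well above both the interface's median and its outbound rate. The sample data, thresholds and function names are assumptions made for this illustration, and the asymmetry test assumes a relay normally sends about as much as it receives.

```python
import statistics

# Constructed sample in the column layout of `sar -n DEV`; all values are invented.
SAMPLE = """\
14:00:01        IFACE   rxpck/s   txpck/s    rxkB/s    txkB/s
14:01:01         eth0   1600.00   1590.00   1200.00   1190.00
14:02:01         eth0   1680.00   1670.00   1260.00   1250.00
14:03:01         eth0  91000.00   1500.00  13400.00   1100.00
14:04:01         eth0   1580.00   1575.00   1180.00   1175.00
14:04:01           lo     12.00     12.00      1.10      1.10
Average:         eth0  23965.00   1583.75   4260.00   1178.75
"""

KB_TO_MBIT = 1024 * 8 / 1e6  # assumes sar's kB is 1024 bytes


def parse_sar(text, iface="eth0"):
    """Return [(timestamp, rx_mbit, tx_mbit, rx_bytes_per_pkt)] for one interface."""
    cols, rows = None, []
    for line in text.splitlines():
        tok = line.split()
        if "IFACE" in tok:  # header line: map column name -> position
            cols = {name: i for i, name in enumerate(tok)}
            continue
        if cols is None or len(tok) != len(cols) or tok[0].startswith("Average"):
            continue  # skip blanks, summary rows and anything malformed
        if tok[cols["IFACE"]] != iface:
            continue
        ts = " ".join(tok[:cols["IFACE"]])  # one token, or two with AM/PM
        rx_kb, tx_kb = float(tok[cols["rxkB/s"]]), float(tok[cols["txkB/s"]])
        pkts = float(tok[cols["rxpck/s"]])
        size = rx_kb * 1024 / pkts if pkts else 0.0  # small packets hint at a flood
        rows.append((ts, rx_kb * KB_TO_MBIT, tx_kb * KB_TO_MBIT, size))
    return rows


def flag_spikes(rows, factor=3.0, asym=2.0):
    """Flag samples where inbound rate is far above the median AND far above outbound."""
    if not rows:
        return []
    baseline = statistics.median(r[1] for r in rows)
    return [r for r in rows if r[1] > factor * baseline and r[1] > asym * r[2]]


if __name__ == "__main__":
    for ts, rx, tx, size in flag_spikes(parse_sar(SAMPLE)):
        print(f"{ts}: rx {rx:.0f} Mbit/s vs tx {tx:.0f} Mbit/s, ~{size:.0f} B/packet")
```

Requiring both conditions keeps an ordinary increase in relayed traffic, where outbound rises together with inbound, from being flagged.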
Or you get e-mails ...
-----------
Hi there,
Our system has automatically detected an inbound DDoS against your droplet named niftyguineapig with the following IP Address: 178.62.71.57
As a precautionary measure, we have temporarily disabled network traffic to your droplet to protect our network and other customers. Once the attack subsides, networking will be automatically reestablished to your droplet. The networking restriction is in place for three hours and then removed.
Please note that we take this measure only as a last resort when other filtering, routing, and network configuration changes have not been effective in routing around the DDoS attack.
Please let us know if there are any questions, we're happy to help.
Thank you, DigitalOcean Support
----------
Still wondering why someone ddosed 80% of my TOR servers and nobody else here got it too ...
2016-06-14 15:08 GMT+02:00 Toralf Förster toralf.foerster@gmx.de:
> On 06/14/2016 02:59 PM, Petrusko wrote:
>> So if the server is attacked, I think it will show some big spikes in those graphs...?
>
> My ISP provides traffic data/graphs. And I do use sysstat[1] to monitor my server, which gives among other statistics something like [2]
>
> [1] http://pagesperso-orange.fr/sebastien.godard/
> [2] https://www.zwiebeltoralf.de/torserver/ddos_sysstat_example.txt
>
> Toralf
> PGP: C4EACDDE 0076E94E, OTR: 420E74C8 30246EE7
On Tue, 14 Jun 2016 15:39:30 +0200 Markus Koch niftybunny@googlemail.com wrote:
> Or you get e-mails ...
Getting these once every few days. However I'm almost certain the issue is just a misdetection by them of some pattern from the regular operation of a Tor relay (for example the large amount of open connections, possibly to unusual ports) as a DDoS.
--------------------
OVH
2 rue Kellermann
59100 Roubaix
Technical support: 08.99.49.87.65 (€1.349/call + €0.337/min)
Commercial support: 08.20.69.87.65 (€0.118/min)
Fax: 03.20.20.09.58
support@ovh.com
Dear Customer,
We have just detected an attack on IP address [...].
In order to protect your infrastructure, we vacuumed up your traffic onto our mitigation infrastructure.
The entire attack will thus be filtered by our infrastructure, and only legitimate traffic will reach your servers.
At the end of the attack, your infrastructure will be immediately withdrawn from the mitigation.
For more information on the OVH mitigation infrastructure: https://www.ovh.com/fr/anti-ddos/
Regards,
Your OVH Customer Support
Mon - Friday: 9am - 6pm
(020) 7357 6616 Local call rate.
--------------------
I have relays on Digital Ocean as well, and occasionally get the same emails. Notice the contradiction in the email:
"Once the attack subsides, networking will be automatically reestablished to your droplet. The networking restriction is in place for three hours and then removed."
Which one is it? Do you automatically reconnect my node when the attack subsides, or do you just wait three hours? (It's always the latter.)
"Please note that we take this measure only as a last resort when other filtering, routing, and network configuration changes have not been effective in routing around the DDoS attack."
That seems to be disingenuous as well. They have never, ever done anything other than shut off my node for 3 hours. Requests for more information about the nature of the attack go unanswered.
iftop might be better to see
On Tue, Jun 14, 2016 at 8:59 AM, Petrusko petrusko@riseup.net wrote:
> Hey,
>
> Little noob question inside :) If possible to learn quickly how to detect a DDOS attack ?
>
> I got Munin running behind, can it be useful with the "netstat" and "firewall throughput" plugins graphs to see it ? So if the server is attacked, I think it will show some big spikes in those graphs...?
>
> Thx ;)
>
> ps: I'll try to find some things about this subject, np!
>
> On 14/06/2016 07:03, Markus Koch wrote:
>> 4 of my 5 tor servers are under an incoming DDOS attack. Am I the only one or is anyone else feeling the "love"?
>>
>> Markus
>
> --
> Petrusko
> PubKey EBE23AE5
> C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5
Thx all for those useful tools, time to try some ;)
About the main subject, nothing about DDOS on my node... (no mails, no spikes on my graphs)
Thx
On 14/06/2016 at 19:49, Steven Jones wrote:
> iftop might be better to see
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays