I just recently allowed the directory ports of my relay to be listed and noticed that some IPs are a bit overzealous in connecting to the directory port. As in 108 connections within a minute zealous.
Is this unusual?
Anyone know the answer? It happened again with another IP establishing 400+ connections to the directory port within a minute. Methinks it was not a good idea to display the directory port.
On 03/10/2014 01:14 PM, Tora Tora Tora wrote:
> I just recently allowed the directory ports of my relay to be listed and noticed that some IPs are a bit overzealous in connecting to the directory port. As in 108 connections within a minute zealous.
> Is this unusual?
I think it is unusual.
Are you just checking the tor log to see this?
> Anyone know the answer? It happened again with another IP establishing 400+ connections to the directory port within a minute. Methinks it was not a good idea to display the directory port.
Maybe try installing some ip blacklist or dynamic firewalling?
rblcheck is a debian package which may be relevant.
Maybe time to do some more research...
Good luck
Zenaan
On 03/13/2014 09:37 PM, Zenaan Harkness wrote:
> ...
> I think it is unusual.
> Are you just checking the tor log to see this?
OK, so I am being DOSed then.
> Maybe try installing some ip blacklist or dynamic firewalling?
> rblcheck is a debian package which may be relevant.
> Maybe time to do some more research...
Not sure how rblcheck would help in this case: I believe it tracks email abuse only. I used a firewall to take care of it. Will see what comes of it.
On 3/14/14, Tora Tora Tora tor@allthatnet.com wrote:
> On 03/13/2014 09:37 PM, Zenaan Harkness wrote:
>> I think it is unusual.
>> Are you just checking the tor log to see this?
> OK, so I am being DOSed then.
Sorry I can't say, it just doesn't sound right. I've only run a relay for a few weeks, and down the last week.
Good luck
Zenaan
What are the IPs connecting to you? I've been watching my firewall logs here recently and see several hosts from several distinct subnets consistently trying to connect to TOR related ports.
On Fri, Mar 14, 2014 at 5:50 AM, I beatthebastards@inbox.com wrote:
> One of mine is being DDOSed today.
> Zenaan Harkness wrote:
>> I think it is unusual.
>> Are you just checking the tor log to see this?
>> OK, so I am being DOSed then.
> tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Not sure I should disclose them in a public forum, but somewhat obfuscated they are:
5.0.137.xx - Syria - 455 connections
66.150.6.xx - Groundspeak, Inc - 108 connections
72.78.110.xx - Verizon - 202 connections
68.101.234.xx - Cox Communications - 51 connections
etc.
It seems there were attempts before I even published the directory port (it is default anyway), but I was not identifying the actual connections before, only the count. Why would any IP address need more than one (or several simultaneous) connection is beyond me.
On 03/14/2014 09:48 AM, Greg W wrote:
> What are the IPs connecting to you? I've been watching my firewall logs here recently and see several hosts from several distinct subnets consistently trying to connect to TOR related ports.
Those don't match up with any of the weird connections I've been seeing.
*shrugs*
On Fri, Mar 14, 2014 at 11:23 AM, Tora Tora Tora tor@allthatnet.com wrote:
> Not sure I should disclose them in a public forum, but somewhat obfuscated they are:
> 5.0.137.xx - Syria - 455 connections
> 66.150.6.xx - Groundspeak, Inc - 108 connections
> 72.78.110.xx - Verizon - 202 connections
> 68.101.234.xx - Cox Communications - 51 connections
> etc.
> It seems there were attempts before I even published the directory port (it is default anyway), but I was not identifying the actual connections before, only the count. Why would any IP address need more than one (or several simultaneous) connection is beyond me.
> On 03/14/2014 09:48 AM, Greg W wrote:
>> What are the IPs connecting to you? I've been watching my firewall logs here recently and see several hosts from several distinct subnets consistently trying to connect to TOR related ports.
On Fri, Mar 14, 2014 at 12:23:50PM -0400, Tora Tora Tora wrote:
> Why would any IP address need more than one (or several simultaneous) connection is beyond me.
See https://trac.torproject.org/projects/tor/ticket/9969 for one case.
I wonder if these are clients running Tor versions from back before we did directory fetches tunnelled over the ORPort -- clients from that long ago would launch quite a few requests to the DirPort of various relays, and since we disabled the v2 directory status documents, maybe there's a bug where they keep asking if they don't have anything they like.
--Roger
On 03/14/2014 02:45 PM, Roger Dingledine wrote:
> ...
> See https://trac.torproject.org/projects/tor/ticket/9969 for one case.
> I wonder if these are clients running Tor versions from back before we did directory fetches tunnelled over the ORPort -- clients from that long ago would launch quite a few requests to the DirPort of various relays, and since we disabled the v2 directory status documents, maybe there's a bug where they keep asking if they don't have anything they like.
Interesting. I hope it was just a bug. Still 400+ connections a minute on a single Guard relay is a bit annoying.
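Added example (not part of any message in this thread, and not Tor's own code): one way to reproduce the per-source, per-minute DirPort connection counts discussed above from netfilter LOG lines. The DirPort value 9030, the ORPort value 9001, the threshold of 50, the DIRPORT log prefix and all sample addresses are assumptions constructed for illustration.

```python
import re
from collections import Counter

DIR_PORT = 9030   # assumption: the relay's DirPort; use the value from your torrc
THRESHOLD = 50    # assumption: new connections per source per minute worth a look

# Netfilter LOG line: syslog timestamp, KEY=value fields; SYN marks a new connection.
LINE_RE = re.compile(
    r"^(?P<minute>\w{3}\s+\d+ \d\d:\d\d):\d\d .*?"
    r"SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+) .*?\bSYN\b"
)

def per_minute_counts(lines, port=DIR_PORT):
    """Count new connections to `port`, keyed by (minute, source address)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m and int(m.group("dpt")) == port:
            counts[(m.group("minute"), m.group("src"))] += 1
    return counts

def noisy_sources(lines, port=DIR_PORT, threshold=THRESHOLD):
    """Return {source: peak connections in any one minute} for sources over threshold."""
    peaks = {}
    for (_minute, src), n in per_minute_counts(lines, port).items():
        if n > threshold:
            peaks[src] = max(n, peaks.get(src, 0))
    return peaks

def sample_log():
    """Constructed sample using documentation-range addresses, not real traffic."""
    fmt = ("Mar 14 12:{m:02d}:{s:02d} relay kernel: DIRPORT IN=eth0 OUT= "
           "SRC={src} DST=203.0.113.5 PROTO=TCP SPT={spt} DPT={dpt} SYN")
    lines = []
    for i in range(108):  # one source opening 108 connections within a minute
        lines.append(fmt.format(m=23, s=i % 60, src="192.0.2.10", spt=40000 + i, dpt=9030))
    for i in range(3):    # an ordinary client making a few fetches
        lines.append(fmt.format(m=23, s=i, src="198.51.100.7", spt=50000 + i, dpt=9030))
    for i in range(80):   # busy source on the ORPort (9001 here); not DirPort traffic
        lines.append(fmt.format(m=24, s=i % 60, src="192.0.2.99", spt=30000 + i, dpt=9001))
    return lines

if __name__ == "__main__":
    for src, peak in sorted(noisy_sources(sample_log()).items()):
        print(f"{src}: {peak} new DirPort connections in one minute")
```
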