On May 20, 2018 10:08:17 UTC, gustavo gfa@zumbi.xyz wrote:

On May 18, 2018 4:25:23 PM UTC, starlight.2017q4 at binnacle.cx wrote:

...

Lately seeing escalating abuse traffic on the relay dirport, now up to 20k rotating source IP addresses per week.

How do you detect it?

FIRST: your relays are not impacted by this issue because DirPort is disabled in their configuration. So you can stop reading here if you like.

Will tor log it in the logs where I can look for it or do you monitor the TCP/IP stack ?

I run two relays (milanese one of them) besides basic OS level monitoring I don't monitor much else.

I wonder if I should monitor more or what to search for in logs (I run my relays without logs since I don't have an use for)

Simply perusing the /var/log/messages log lines for the relay on occasion should be sufficient for most operators. The daemon will complain about many if not all important problems.

----------

For those with DirPort configured, one can check for the problem by looking at the 'state' file with the command

egrep '^BWHistory.*WriteValues' state

and calculating the percent BWHistoryDirWriteValues is relative to BWHistoryWriteValues for the same samples. Should be under 5%, more like 1-3%. If 15% the attacker is harassing your relay.

This particular abuse scenario can be mitigated by applying an 'iptables -m limit' rule set to incoming DirPort connection requests

-or-

by disabling DirPort in the config since clear-text DirPort is no longer required for the Tor network to function properly. Those running FallBack directories should probably send an update to this list if they apply this change as I belive the FallBackDir script excludes relays where ports differ from the whitelist or have changed in OnionOO historical data.