Hello Folks,
I have been running a Tor relay server for several years. Last week (24 Nov) I noticed a high load on the tor server (CPU load 100%). After some investigation I found out that tor causes the high load. After killing the process the load decreased to a normal level, but after restarting the tor process the load increased again.
Arm log:
Could not open "" for writing: To many open files.
or
Failing because because we have 1017 connections already. Please raise your ulimit -n Tor's file descriptor usage is at 91%. If you run out Tor will be unable to continue functioning.
At first I thought: Fuck, someone intruded into my machine. But after some looking through Arm I found many (>100) INBOUND connections.
After one hour and some iptables tuning the CPU load decreased.
Could the high load be caused by an attack on my machine, or is this just a small load peak?
Hoping for a reply.
On 12/03/2014 06:17 PM, webmaster wrote:
At first I thought: Fuck, someone intruded into my machine. But after some looking through Arm I found many (>100) INBOUND connections.
"many" ?
I usually have something like this: Connections (782 inbound, 458 outbound, 245 exit, 1 control), for an advertised bandwidth of 4 MBit, so >100 are quite normal.
Probably you should raise the ulimit; I have this for a dedicated server (and Gentoo):
tfoerste@tor-relay ~ $ cat /etc/conf.d/tor
#
# Set the file limit
rc_ulimit="-n 30000"
On 03.12.2014 at 19:04, Toralf Förster wrote:
I'm running the server through a relatively slow adsl connection (6,9 MBit/s down, 733 kBit/s up). Advertised Bandwidth: 68.44 kB/s.
My ulimit is set to 1024 (OS default). I will keep the ulimit setting at the default value because I see no reason for increasing it.
Currently my server handles 28 inbound, 5 outbound and 14 circuits. The load is approx. 2%.
From my point of view this strange behavior isn't common for my tor server, because usually the CPU load of the tor process is below 10%.
What happens to the tor network when a tor server with high bandwidth goes off-line? Maybe this could be a reason?
Hey bud,
Your adsl connection has a low advertised bandwidth, and doesn't make many connections with regards to tor; thus, the CPU usage is correct. Look up your server's fingerprint or nickname on Tor Globe to see how much of the tor network travels through your server.
CPU load is usually associated with a lot of bandwidth or an inefficiency in the server. I've heard that a 100mbit tor server using full 12.5MB/s up/down will saturate the core dedicated to the Tor process; this is presumably why a lot of servers run multiple Tor instances on different cores and IP addresses. However, in your case, it is likely
The large amount of connections is generally caused by a few things:
1. You've been running a very stable server for a long period of time and have sufficient bandwidth to provide connectivity for a large number of clients; additional flags, such as Guard, HSDir, V2Dir, and Exit will likely result in more connections. This is not likely with your server, given your advertised bandwidth is only 68.44kb/s.
2. A single client is using your server for a lot of connections.
3. An anomaly/attack in the Tor network (somewhat unlikely, I don't know if any have been documented.)
4. An attack against your server. This is very hard to do through the Tor network; an attack against a Tor relay using Tor is an attack against all Tor relays. HOWEVER, they could be attacking your port which you use to host your tor server.
Just for reference, here's my tor stats:
Advertised B/W: ~4MB/s
Connections (555 inbound, 5 outbound, 93 exit, 1 socks, 5 circuit, 1 control)
Tor is averaging 9%-13% CPU usage; 198MB memory.
More info on my server: https://globe.torproject.org/#/relay/EF84089646304169F439A8F473742D74F027BA1...
I hope this answered your question, if not, send a reply and hopefully I'll reply sometime.
On Wed, Dec 3, 2014 at 2:22 PM, webmaster webmaster@defcon-cc.dyndns.org wrote:
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Also, when a Tor relay goes offline, the traffic is redistributed across the Tor network. It is unlikely you would receive the high speed traffic of a node just because it went offline, unless a few HIGHLY unlikely variables occur.
Also, all of the clients which were using the Tor server will be completely disconnected; it is impossible to "re-patch" the connections, given the anonymous nature of Tor.
On Wed, Dec 3, 2014 at 4:07 PM, Austin Bentley ab6d9@mst.edu wrote:
Ok,
I will reject this as a normal behavior of tor. My flags are currently:
HSDir, Running, V2Dir, Valid
To point 2: No, the inbound traffic came from different addresses. I thought that it is not possible to force the traffic through a defined route, because from my knowledge the route is built by the network. Sometimes I'm using my Tor server as a proxy for my local HTTP traffic. I think this is the only case where I can force my route to use my server as an entry node.
Is it possible to flood the Tor port directly, with for example SYN floods?
If yes, is there an iptables rule which will reduce the number of connections kept in the SYN state?
My Tor Info: https://globe.torproject.org/#/relay/C54E81EB047D7EC1E05B0AC6E723BE1BF5CAF52...
Thanks for the reply
High system load does not necessarily mean high CPU usage; the CPU could be busy in the "iowait" state waiting on open file descriptors. I would try increasing your ulimit -n to something like 2048 or 4096. 1024 is probably meant for normal desktop users, but since you are running a service with multiple incoming and outgoing connections, that is your bottleneck (Tor even tells you so).
For reference, I currently have my open file descriptors set to 262144, of which about 45k are being used. The init.d scripts of the Debian and Ubuntu packages set this to 32768 by default when starting up.
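As an added example (not from this thread or from Tor's own tooling), here is the check the replies above describe done by hand: read a Tor process's open-file ceiling from /proc, count the descriptors it holds, and classify the result the way Tor's "file descriptor usage is at 91%" warning and its "Failing because we have N connections already" error do. It assumes Linux /proc and that you know the pid of the tor process; the function names are mine.

```shell
# Soft "Max open files" limit of a process (the effective ulimit -n).
fd_limit_of() {
    awk '/^Max open files/ { print $4 }' "/proc/$1/limits"
}

# Number of descriptors the process currently holds (sockets included).
fd_used_by() {
    ls "/proc/$1/fd" | wc -l | tr -d ' '
}

# Integer percentage used/limit; 0 when the limit is 0 or not numeric
# (e.g. "unlimited"), so callers never divide by zero.
fd_usage_pct() {
    used=$1; limit=$2
    [ "$limit" -gt 0 ] 2>/dev/null || { echo 0; return; }
    echo $(( used * 100 / limit ))
}

# Classify like Tor's own log messages: "ok" below the threshold
# (default 90%), "warn" at or above it, "exhausted" once the limit is
# reached, "unknown" when the limit could not be read.
fd_status() {
    used=$1; limit=$2; thr=${3:-90}
    [ "$limit" -gt 0 ] 2>/dev/null || { echo unknown; return; }
    if [ "$used" -ge "$limit" ]; then
        echo exhausted
    elif [ "$(fd_usage_pct "$used" "$limit")" -ge "$thr" ]; then
        echo warn
    else
        echo ok
    fi
}

# One-line report for a live process: check_tor_fds <pid> [threshold]
check_tor_fds() {
    pid=$1
    limit=$(fd_limit_of "$pid")
    used=$(fd_used_by "$pid")
    printf 'pid %s: %s of %s fds (%s%%) -> %s\n' \
        "$pid" "$used" "$limit" "$(fd_usage_pct "$used" "$limit")" \
        "$(fd_status "$used" "$limit" "${2:-90}")"
}

# Usage on a relay: check_tor_fds "$(pidof tor)"
```

With the thread's numbers (1017 connections against a 1024 limit) the classification is "warn", which is the point at which raising rc_ulimit or the init script's limit is the fix rather than a firewall rule.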
On Thu, Dec 4, 2014 at 7:40 AM, webmaster@defcon-cc.dyndns.org wrote:
I think you misinterpreted what I was saying or I didn't explain it well enough. Tor utilizing 100% CPU usage is only normal if you are pushing a LOT of bits. In this case, you probably have a system misconfiguration somewhere (nothing to do with Tor's configuration, torrc).
"No, the addresses of the inbound traffic were different addresses."
Yes, that's expected. You're getting connections from the Tor network.
"I thought that it was not possible to force traffic through a specific predefined route in Tor"
It isn't possible. I believe I said so, or implied it. The only way to do this would be through an attack on the Tor network in general.
"Is it possible to flood the tor port directly with for example syn floods?"
Through the Tor network, no, that's impossible. TCP relies on a 3-way handshake, which means that every connection between relays will have to be complete; therefore, in order to connect to your relay, a complete connection will have to be made. I hope this makes sense, if not, I can elaborate a bit more.
However, if someone has a hold of your IP, they can run a portscanner and then determine your relay port (which is on the internet for all to see.) Therefore, you can be attacked, but not through the Tor network.
"If yes; is there an iptables rule which will reduce the amount of connection kept in the syn state?"
First of all, no. And second, that's not how you deal with a SYN flood. If that rule was implemented, it would just be easier to take your port offline.
I highly doubt you are under attack. Almost certainly a misconfiguration of some sort. Have you tried the recommendations that others have given relating to your file descriptors?
On Thu, Dec 4, 2014 at 1:40 AM, webmaster@defcon-cc.dyndns.org wrote:
I'm pretty sure I know what you mean. But as I wrote in the conversation before (read the whole thread), the 100% CPU load occurred only on 24 Nov for about two hours. After that I haven't observed such a high load.
I know that an attack through the tor network isn't very unlikely, but keep in mind that all relay / entry / exit node real IP addresses are well known and can be fetched from (for example) Tor Globe.
As a result, a SYN flood (maybe with spoofed addresses) against the tor port itself could be possible from my point of view; correct me if I'm wrong.
But I'm not sure if tor will show them as inbound connections because they are not well established.
There is no reason for me to raise the number of file descriptors at the moment, because the high load doesn't exist anymore.
Hope some things are now clearer.
On 04.12.2014 at 19:53, Austin Bentley wrote:
Is it a server on your LAN? You could launch an attack against it using some tool on one of your other computers. I would put it in a virtual machine just in case it's riddled with a virus.