No clue what they are doing, but they max out the Exits with 100% CPU load and do not transport a lot of traffic:
https://imgur.com/a/NzpE69B

Around 16-21 there should be more traffic and this was DDOS time. I am 100% sure it's not bogus traffic just sent to my IPs to max out my uplinks, because:

https://www.peeringdb.com/net/22652

you need at least 120 gigabit to kill my uplinks.

I love dull, I love dull sooooo much. I want to marry dull.

nifty

> On 25. Aug 2020, at 21:20, Roger Dingledine <a...@torproject.org> wrote:
>
> On Tue, Aug 25, 2020 at 06:49:01PM +0000, John Ricketts wrote:
>> I as well.
>>
>> On Aug 25, 2020, at 13:45, niftybunny
>> <abuse-cont...@to-surf-and-protect.net> wrote:
>>
>> Daily DDOS love the last 14 days ...
>
> Hi! Can you provide more details? From Nifty's picture it looks like
> they are full TCP connections? Do you have a sense of what do they do
> when they connect?
>
> And that would mean that they *aren't* packet-level ddoses, i.e. the
> "I fill up your network connection with packets so no other packets can
> get through" kind?
>
> One of the strange things about working with things at the scale of the
> Tor network is that sometimes the combined behavior of many Tor processes
> can look like a DDoS. For example, maybe all of these connections come
> from out-of-date Tors that are now behaving bizarrely since the network
> now doesn't work the way their old logic expects.
>
> We've also seen what looks like DDoS attempts on the directory
> authorities, but on closer examination they are some alternative Tor
> implementation that is running on many thousands of computers and is
> fetching Tor consensus documents in a way that isn't sustainable:
> https://gitlab.torproject.org/tpo/core/tor/-/issues/33018
>
> There are also apparently some overloading attacks happening on some
> popular onion services currently, and I wonder if those are bleeding
> over into looking like many connections. Or, as we saw a few years ago
> when we added the "ddos defense subsystem" in Tor, the attacks didn't
> actually add much load, but it was when the onion services tried to scale
> up to tens of thousands of Tors, to be able to respond to every incoming
> rendezvous attempt, that those tens of thousands of Tors together looked
> like an attack on the network.
>
> So: the next step would be to try to learn more about what these
> connections look like, where they're coming from, what they're doing, etc.
>
> Also, if more people than just Nifty and John are seeing them.
>
> Never a dull moment,
> --Roger
>
> _______________________________________________
> tor-relays mailing list
> tor-relays@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays