Botnet attack? [was: Re: Declining traffic]

2010-04-26 Thread Timo Schoeler
thus Roger Dingledine spake:
 On Fri, Apr 23, 2010 at 02:35:01PM +0200, Timo Schoeler wrote:
 I'm seeing declining traffic over the last few weeks, please see graph:
 It dropped from a sustained 2.5 Mbps (or more) to about a fifth, with a
 massive drop today.

 I'm running

 tor-0.2.1.25-1.el5.rf

 on a 64-bit CentOS machine. Is there something going on in the Tor network?
 
 My first thought is that you updated your openssl rpm in centos, which
 disabled tls renegotiation in yet another new way, and that broke your
 Tor relay. Meaning your relay still worked, but it would only do tls
 renegotiation with other people with centos's particular openssl twist.
 
 Tor 0.2.2.11-alpha fixes the issue we hope:
 - Fix SSL renegotiation behavior on OpenSSL versions like on Centos
   that claim to be earlier than 0.9.8m, but which have in reality
   backported huge swaths of 0.9.8m or 0.9.8n renegotiation
   behavior. Possible fix for some cases of bug 1346.
 
 But we haven't yet put out a stable release that includes that patch.
 
 So if you upgraded to the latest 0.2.2.x-alpha to get the fixes for other
 bugs, you would get the fix for this bug too. Let us know if it works.

Hi,

after installing v0.2.2.13-alpha (git-feb8c1b5f67f2c6f) and downgrading
OpenSSL before this, my setup works again -- somewhat.

When running tor, I see

i) CPU cycles being eaten up by tor almost entirely;

ii) my machine experiences things like those:

TCP: Treason uncloaked! Peer 217.230.25.218:49206/9001 shrinks window
2175675571:2175696065. Repaired.
TCP: Treason uncloaked! Peer 217.230.25.218:49206/9001 shrinks window
2175675571:2175696065. Repaired.
TCP: Treason uncloaked! Peer 217.230.25.218:49206/9001 shrinks window
2175675571:2175696065. Repaired.
TCP: Treason uncloaked! Peer 124.160.123.73:32536/9001 shrinks window
554805076:554806568. Repaired.
TCP: Treason uncloaked! Peer 87.145.230.151:58404/9001 shrinks window
2362284953:2362292307. Repaired.
TCP: Treason uncloaked! Peer 87.145.230.151:58404/9001 shrinks window
2362284953:2362292307. Repaired.
TCP: Treason uncloaked! Peer 87.145.230.151:58404/9001 shrinks window
2362284953:2362292307. Repaired.

One is a Chinese dialup, the other ones are from a big German ISP
(Deutsche Telekom AG). For me it really seems as if there's some kind of
botnet attack going on.

 --Roger

Timo
***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/


Re: Botnet attack? [was: Re: Declining traffic]

2010-04-26 Thread Flamsmark
On 26 April 2010 09:59, Timo Schoeler timo.schoe...@riscworks.net wrote:

 When running tor, I see

 i) CPU cycles being eaten up by tor almost entirely;

 ii) my machine experiences things like those:

 One is a chinese dialup, the other ones are from a big German ISP
 (Deutsche Telekom AG). For me it really seems as there's some kind of
 botnet attack going on.

  Timo


What makes you think that this is a botnet attack? What are the
characteristics of a botnet attack, and how do these logs exhibit them? If
there are only a few IP addresses, wouldn't that contraindicate botnet
involvement?
On a loosely related note, it would generally be a good idea to mask IP
addresses on public mailing lists.
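The two points raised in this reply, how many distinct peers the "Treason uncloaked" lines actually show and masking addresses before posting, can both be answered mechanically. The following is an added example and is not code from either poster or from the Tor project. It parses the kernel message format exactly as it appears in the quoted log (`TCP: Treason uncloaked! Peer <ip>:<port>/<localport> shrinks window <lo>:<hi>. Repaired.`), re-joins messages that the mail client wrapped across two lines, counts events per peer and per socket, and rewrites the lines with the last octet masked. The sample input is constructed from the seven lines in the earlier post, kept in their wrapped form; the function and variable names are this example's own.

```python
"""Parse "TCP: Treason uncloaked!" kernel lines, count distinct peers, and
mask the peer addresses before posting them (added example, not from the thread)."""
import re
from collections import Counter

# Message format emitted by older Linux kernels when a peer shrinks its
# advertised receive window, as seen in the quoted log:
#   TCP: Treason uncloaked! Peer <ip>:<port>/<localport> shrinks window <lo>:<hi>. Repaired.
TREASON_RE = re.compile(
    r"TCP: Treason uncloaked! Peer "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)/(?P<lport>\d+) "
    r"shrinks window (?P<lo>\d+):(?P<hi>\d+)\. Repaired\."
)

# Constructed sample: the seven lines from the post, wrapped across two lines
# each exactly as the mail client left them.
SAMPLE = """\
TCP: Treason uncloaked! Peer 217.230.25.218:49206/9001 shrinks window
2175675571:2175696065. Repaired.
TCP: Treason uncloaked! Peer 217.230.25.218:49206/9001 shrinks window
2175675571:2175696065. Repaired.
TCP: Treason uncloaked! Peer 217.230.25.218:49206/9001 shrinks window
2175675571:2175696065. Repaired.
TCP: Treason uncloaked! Peer 124.160.123.73:32536/9001 shrinks window
554805076:554806568. Repaired.
TCP: Treason uncloaked! Peer 87.145.230.151:58404/9001 shrinks window
2362284953:2362292307. Repaired.
TCP: Treason uncloaked! Peer 87.145.230.151:58404/9001 shrinks window
2362284953:2362292307. Repaired.
TCP: Treason uncloaked! Peer 87.145.230.151:58404/9001 shrinks window
2362284953:2362292307. Repaired.
"""


def unwrap(text):
    """Re-join kernel messages that a mail client wrapped onto two lines.

    A continuation line is any non-empty line that does not start with
    'TCP:'; it is appended to the previous message with a single space.
    """
    messages = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("TCP:") or not messages:
            messages.append(line)
        else:
            messages[-1] = messages[-1] + " " + line
    return messages


def parse_treason(text):
    """Return one dict per parsed 'Treason uncloaked' message."""
    events = []
    for msg in unwrap(text):
        m = TREASON_RE.search(msg)
        if not m:
            continue  # unrelated kernel line, skip it
        events.append({
            "ip": m["ip"],
            "port": int(m["port"]),
            "lport": int(m["lport"]),
            "window": (int(m["lo"]), int(m["hi"])),
        })
    return events


def summarize(events):
    """Aggregate: number of events, distinct peers, distinct sockets, local ports."""
    per_peer = Counter(e["ip"] for e in events)
    sockets = {(e["ip"], e["port"]) for e in events}
    return {
        "events": len(events),
        "distinct_peers": len(per_peer),
        "distinct_sockets": len(sockets),
        "local_ports": sorted({e["lport"] for e in events}),
        "per_peer": dict(per_peer),
    }


def mask_ip(ip):
    """Replace the last octet with 'x' so the line can be posted publicly."""
    a, b, c, _ = ip.split(".")
    return f"{a}.{b}.{c}.x"


def masked_messages(text):
    """The unwrapped messages with every peer address masked."""
    return [
        TREASON_RE.sub(lambda m: m.group(0).replace(m["ip"], mask_ip(m["ip"])), msg)
        for msg in unwrap(text)
    ]


if __name__ == "__main__":
    events = parse_treason(SAMPLE)
    print(summarize(events))
    for line in masked_messages(SAMPLE):
        print(line)
```

On the sample, the summary shows seven events from three peers on three sockets, all to local port 9001: repeated warnings from the same few connections rather than many sources. Whether that is consistent with a botnet is the question the reply raises; the count is what the logs can actually support. The masked output is what should go into a public post.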