Dan Staples:
> I am also running on a Pi Model B, 512MB RAM. How are you logging SYNs?

Ah yes, that's right. You will find all the magic (very pre-alpha at the moment - it's iptables commands in /etc/rc.local) in contrib/90_slowboards as part of Cipollini:
https://github.com/gordon-morehouse/cipollini/tree/master/contrib/90_slowboards

I wouldn't bother with fail2ban right now, I've turned it off pending some other experiments with total connection limits on the Pi. I have an open story to investigate making it work, right now it's just too slow on the Pi:
https://www.pivotaltracker.com/story/show/59590860

So, try the iptables rules, change the ports to your ORPort (and DirPort if any). You'll note that there's a LOG target in there - for me it appears in kern.log.

Best,
-Gordon M.

> On Sun 03 Nov 2013 11:25:26 AM EST, Gordon Morehouse wrote:
>> Dan Staples:
>>> This morning I got my first Tor traffic flood since upgrading to 2.4.x. Logs didn't say anything about not being able to handle the amount of circuit creation requests, but it showed a 200x increase in active TAP circuits (~400k/hour) and the traffic pattern is the same: Advertising 100kb bandwidth, but slammed with ~2Mb traffic.
>>>
>>> When I saw it, I checked my relay's flags, and it has the stable flag, and has been tagged stable for at least 3 days. It's been up for 7 days.
>>>
>>> I would love to contribute data to help correlate w/ your findings Gordon. Any metrics or logs that would be particularly helpful? I currently use NTop to measure traffic, but it's not very granular.
>>
>> I'm still trying to scratch together enough time to analyze the logs from the two floods I caught as they began in the past 10 days or so. One thing I am logging, which you're definitely not, is hosts that send SYNs above the limit on my Raspberry Pi. Are you running on a slow machine or a VPS or what? That might not apply to you if you're not running on a slow machine - you may have no need to limit SYNs or anything else, and that's probably the case if your relay did not crash as a result of the flood.
>>
>> During my last two floods, the relay survived the first (poorly, with fail2ban becoming useless and chewing up half the CPU), and was headshotted by the second - crash in less than 5 minutes.
>>
>> I'm looking forward to getting the data together and providing a report for the community, but time ... my kingdom for the time to do anything beyond work, sleep, eat, sh*t.
>>
>>> I also currently don't use any iptables rules to throttle, but am happy to experiment with that if you want me to try out any particular configurations.
>>
>> Depends on the capacity of your hardware. All my experimentation has to do with low-end ARM boards, so the logs most useful to the report *I* am planning to prepare on these events are logs of SYN exceeds, and fail2ban logs.
>>
>> Thanks very much for staying up to date and offering to contribute - there is a real problem someplace, but it seems to be mostly a Problem with a capital P for low-end hardware with 512MB physical RAM, since those are the relays likely to actually crash as a result of the floods.
>>
>> Best,
>> -Gordon M.
>>
>>> Dan
>>>
>>> On 11/01/2013 05:30 PM, Gordon Morehouse wrote:
>>>> huh, well, near as I can tell, I didn't get Stable for any time represented yesterday (2013-10-31) for the node VastCatbox.
>>>>
>>>> So maybe that theory is incorrect. In that case I don't know what would trigger the SYN flood behavior other than Roger's idea about becoming an introducer for a popular HS, but... eh... seems like a stretch, a node offering 2.5Mbps that isn't flagged Stable?
>>>>
>>>> -Gordon
>>>>
>>>> On Fri, 1 Nov 2013 13:10:17 +0100, David Serrano <[email protected]> wrote:
>>>>
>>>>> On 2013-10-31 10:04:02 (-0700), Gordon Morehouse wrote:
>>>>>>
>>>>>> I can't verify it, but my suspicion is this is happening when I get my Stable flag (I have no idea if I'd gotten it back this morning or not) or shortly thereafter.
>>>>>
>>>>> You can use https://metrics.torproject.org/relay-search.html and enter your IP address to figure that out.
>>>>>
>>>>> --
>>>>> David Serrano
>>>>> GnuPG id: 280A01F9

> --
> http://disman.tl
> OpenPGP key: http://disman.tl/pgp.asc
> Fingerprint: 2480 095D 4B16 436F 35AB 7305 F670 74ED BD86 43A9

_______________________________________________
tor-relays mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
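Gordon's rules record SYN-limit exceedances with an iptables LOG target that lands in kern.log, and the data he asks contributors for is "logs of SYN exceeds". The script below is an added example (not code from the Cipollini repository or from anyone in the thread) that parses such kern.log lines and totals the hits per source host, per destination port and per minute, so an operator can confirm the hits are landing on the ORPort/DirPort and see which hosts are tripping the limit. It assumes the LOG rule was given a prefix of `SYN-LIMIT:` (a hypothetical name chosen here), that kern.log uses the traditional syslog timestamp, and the sample lines are constructed with documentation-range addresses.

```python
"""Summarise iptables LOG hits for a SYN rate limit on a Tor relay.

Added example, not part of the Cipollini project. The LOG prefix
"SYN-LIMIT:" is an assumed name for the --log-prefix on the LOG rule,
and SAMPLE_KERN_LOG is a constructed sample of what netfilter writes.
"""
from collections import Counter

# Assumed value of --log-prefix on the LOG rule (no spaces inside it).
SYN_LIMIT_PREFIX = "SYN-LIMIT:"

# Constructed kern.log excerpt: three hits from one host on the ORPort,
# one from another host, one on the DirPort, plus two lines that must be
# ignored (a different LOG prefix and an unrelated kernel message).
SAMPLE_KERN_LOG = """\
Nov  3 10:14:01 pi kernel: [ 1234.567890] SYN-LIMIT: IN=eth0 OUT= MAC=b8:27:eb:00:00:01:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=9001 WINDOW=29200 RES=0x00 SYN URGP=0
Nov  3 10:14:01 pi kernel: [ 1234.570001] SYN-LIMIT: IN=eth0 OUT= MAC=b8:27:eb:00:00:01:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=9001 WINDOW=29200 RES=0x00 SYN URGP=0
Nov  3 10:14:02 pi kernel: [ 1235.000123] SYN-LIMIT: IN=eth0 OUT= MAC=b8:27:eb:00:00:01:00:11:22:33:44:55:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40001 DPT=9001 WINDOW=65535 RES=0x00 SYN URGP=0
Nov  3 10:15:02 pi kernel: [ 1295.100456] SYN-LIMIT: IN=eth0 OUT= MAC=b8:27:eb:00:00:01:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51236 DPT=9030 WINDOW=29200 RES=0x00 SYN URGP=0
Nov  3 10:15:03 pi kernel: [ 1296.200789] OTHER-DROP: IN=eth0 OUT= MAC=b8:27:eb:00:00:01:00:11:22:33:44:55:08:00 SRC=192.0.2.99 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=22 DPT=22 WINDOW=0 RES=0x00 RST URGP=0
Nov  3 10:15:04 pi kernel: [ 1297.000000] usb 1-1.2: USB disconnect, device number 5
"""


def parse_log_line(line, prefix=SYN_LIMIT_PREFIX):
    """Return the key=value fields of a netfilter LOG line carrying
    `prefix`, plus a 'flags' set (DF, SYN, RST, ...) and the syslog
    minute the line was written in; None for any other line."""
    marker = f" {prefix} "
    pos = line.find(marker)
    if pos < 0:
        return None
    fields, flags = {}, set()
    for tok in line[pos + len(marker):].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            flags.add(tok)
    fields["flags"] = flags
    # Traditional syslog stamp "Nov  3 10:14:01": first 12 chars = minute.
    fields["minute"] = line[:12]
    return fields


def syn_hits(log_text, prefix=SYN_LIMIT_PREFIX):
    """Keep only TCP packets with the SYN flag from lines with `prefix`."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line, prefix)
        if rec and rec.get("PROTO") == "TCP" and "SYN" in rec["flags"]:
            hits.append(rec)
    return hits


def summarize(hits, threshold):
    """Count hits per source, destination port and minute; return those
    counters and the sources with at least `threshold` hits, most
    frequent first."""
    by_src = Counter(rec["SRC"] for rec in hits)
    by_dpt = Counter(rec.get("DPT") for rec in hits)
    by_minute = Counter(rec["minute"] for rec in hits)
    noisy = [(src, n) for src, n in by_src.most_common() if n >= threshold]
    return by_src, by_dpt, by_minute, noisy


if __name__ == "__main__":
    hits = syn_hits(SAMPLE_KERN_LOG)
    by_src, by_dpt, by_minute, noisy = summarize(hits, threshold=2)
    print(f"{len(hits)} SYN-limit hits")
    for port, n in by_dpt.most_common():
        print(f"  DPT={port}: {n}")
    for minute, n in sorted(by_minute.items()):
        print(f"  {minute}: {n}")
    for src, n in noisy:
        print(f"  {src}: {n} hits (threshold 2)")
```

Run it against a real file with `syn_hits(open("/var/log/kern.log").read())`; the per-port counter is the quick check that the LOG rule really matches the ORPort (and DirPort) you edited into the rules, and the per-minute counter is what turns a list of hits into a rate you can compare against the limit you configured.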
