I've noticed a new kind of possible attack on some of my relays, as early as Dec.23 which causes huge spikes of outbound traffic that eventually maxes out RAM and crashes Tor. The newest one today lasted for 5 hours switching between two of the three relays on the same IP.
During the attack, Tor becomes so busy processing the traffic that it becomes unresponsive to new connections for minutes at a time and effectively becomes a zombie exclusively processing the attacker's traffic until it eventually crashes and restarts. The interesting part is that when Tor restarts, it doesn't start from scratch building new circuits but it starts right from where it left out and keeps processing the previous connections. I have tried shutting down Tor for over 5 minutes and within one minute of restart, The RAM maxes out and the outbound traffic reaches the previous heights. This has been happening, not to all relays but to a select group of relays at a time and unless you're monitoring your Tor port from outside, you may not notice it's unresponsive. Another way to see if it's happening to you too is to check your monthly history on the metrics page and look for spikes of written bytes or sudden decrease of read bytes where you see a big gap between the two. I have included charts and excerpts from the log in my post in Tor forum at below link: https://forum.torproject.org/t/new-kind-of-attack/11122 I'd appreciate your insights and comments. Thank you. _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays