What?!! 300MB/s for a Tor node? OK, I'm a telecom guy and not a data guy but that sounds suspiciously like someone loaded up an OC-3's worth of traffic and then slammed your node. Ain't no hacker gonna do that. Any indication the ostensible originating IP addresses are faked? -TD

From: Eugen Leitl To: Tyler Durden , cypherpunks@jfet.org Subject: Re: [Clips] Finger points to British intelligence as al-Qaeda websites are wiped out Date: Mon, 1 Aug 2005 17:15:17 +0200

On Mon, Aug 01, 2005 at 10:54:26AM -0400, Tyler Durden wrote:

...

Tor networks, anyone?

Caveat when running Tor on a production machine, I got DDoS'd recently with some ~300 MBit/s. (Yes, my exit policy didn't contain IRC).

-- Eugen* Leitl <a href="http://leitl.org">leitl</a> ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]

On Mon, 1 Aug 2005, Dan McDonald wrote:

On Mon, Aug 01, 2005 at 01:51:57PM -0400, Tyler Durden wrote:

...

What?!! 300MB/s for a Tor node? OK, I'm a telecom guy and not a data guy but that sounds suspiciously like someone loaded up an OC-3's worth of traffic

300Mbits (using Eugen's quote), is 2xOC-3. (OC-3 carries 155Mbit/sec ATM, but if it's IP/PPP/OC-3 you use more of the 155Mbits/sec).

A couple of hacked university zombie armies can generate that kind of traffic. I'm *not* a telecom guy, but don't most U's have at least an OC-3 out to the backbones today?

I'm surprised that the target node has that much INBOUND bandwidth, quite frankly.

Well, I am a telecom *and* a data guy, and I think I can clear it up :-) First, I suspect that the Tor node did *not* have a 300mbit ingree or egress, which is why the 300mbps was an effective DDoS ;-) Second, as the guy who spent several years being the carrier schmuck on call for these kinds of attacks, a 300mbps attack is a pretty small one. Big enough to knock off the average web site or small ISP, but pretty small from the carrier perspective. He probably knew the sizeof the incoming attack because the voice on the other end of the phone (the carrier schmuck on call) told him how much data he saw coming down the pipe at the target.

Dan

Hopefully that'll clear some of the muddy stuff? -- Yours, J.A. Terranson sysadmin@mfn.org 0xBD4A95BF I like the idea of belief in drug-prohibition as a religion in that it is a strongly held belief based on grossly insufficient evidence and bolstered by faith born of intuitions flowing from the very beliefs they are intended to support. don zweig, M.D.

Actually, I did know that 300Mb/sec isn't super-huge for Denial of Service attacks at least, but this is an "obscure" Tor node. Someone attacking it at this stage in the game has a real agenda (perhaps they want to see if certain websites get disrupted? Does Tor work that way for short-ish periods of time?) At 4Gb/s into the router, I'd guess that router is hooked up to 2 GbEs mapped over a pair of OC-48s (Sounds a lot like the architecture Cisco has sold certain GbE-centered Datapipe providers.) Your attacker might actually be interested in pre-stressing the infrastructure in front of that router. Just a guess, but I'm "stupid" after all. -TD

From: Eugen Leitl To: Dan McDonald , camera_lumina@hotmail.com, cypherpunks@jfet.org Subject: Re: [Clips] Finger points to British intelligence as al-Qaeda websites are wiped out Date: Tue, 2 Aug 2005 10:15:49 +0200

On Mon, Aug 01, 2005 at 05:12:38PM -0400, Dan McDonald wrote:

...

I'm surprised that the target node has that much INBOUND bandwidth, quite frankly.

The node itself has only a Fast Ethernet port, but there's some 4 GBit available outside of the router.

I'm genuinely glad the node has been taken offline as soon as the traffic started coming in in buckets, and I didn't have to foot the entire bill (the whole incident only cost me 20-30 GByte overall as far as I can tell).

-- Eugen* Leitl <a href="http://leitl.org">leitl</a> ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]

On Mon, Aug 01, 2005 at 01:51:57PM -0400, Tyler Durden wrote:

What?!! 300MB/s for a Tor node? OK, I'm a telecom guy and not a data guy but that sounds suspiciously like someone loaded up an OC-3's worth of traffic and then slammed your node. Ain't no hacker gonna do that. Any indication the ostensible originating IP addresses are faked?

No, it looked like a vanilla DDoS. According to the hoster, I've only seen a small piece of the log, which looked like this: 09:21:54.322650 IP 67.9.36.207 > 213.239.210.243: icmp 09:21:54.322776 IP 218.102.186.215 > 213.239.210.243: icmp 09:21:54.322895 IP 24.242.31.137 > 213.239.210.243: icmp 09:21:54.323017 IP 61.62.83.208 > 213.239.210.243: icmp 09:21:54.323140 IP 68.197.59.153 > 213.239.210.243: icmp 09:21:54.323263 IP 202.138.17.65 > 213.239.210.243: icmp 09:21:54.323375 IP 221.171.34.81 > 213.239.210.243: icmp 1376: echo request seq 23306 09:21:54.323500 IP 150.199.172.221 > 213.239.210.243: icmp 09:21:54.323623 IP 62.150.154.191 > 213.239.210.243: icmp 09:21:54.323741 IP 221.231.54.152 > 213.239.210.243: icmp 09:21:54.323863 IP 222.241.149.165 > 213.239.210.243: icmp 1456: echo request seq 24842 09:21:54.323984 IP 61.81.134.200 > 213.239.210.243: icmp 09:21:54.324105 IP 60.20.101.125 > 213.239.210.243: icmp 09:21:54.324227 IP 219.77.117.204 > 213.239.210.243: icmp 09:21:54.324229 IP 85.98.134.51 > 213.239.210.243: icmp 09:21:54.324355 IP 61.149.3.249 > 213.239.210.243: icmp 09:21:54.324475 IP 218.9.240.32 > 213.239.210.243: icmp 1456: echo request seq 29962 09:21:54.324598 IP 24.115.79.52 > 213.239.210.243: icmp 09:21:54.324720 IP 12.217.75.61 > 213.239.210.243: icmp 09:21:54.324844 IP 202.161.4.210 > 213.239.210.243: icmp 09:21:54.324847 IP 139.4.150.122.14238 > 213.239.209.107.80: R 2598318330:2598318330(0) win 0 09:21:54.324973 IP 211.203.38.29 > 213.239.210.243: icmp 09:21:54.325101 IP 68.74.58.171 > 213.239.210.243: icmp 09:21:54.325240 IP 211.214.159.102 > 213.239.210.243: icmp 09:21:54.325341 IP 221.231.53.52 > 213.239.210.243: icmp 09:21:54.325465 IP 24.20.194.42 > 213.239.210.243: icmp -- Eugen* Leitl <a href="http://leitl.org">leitl</a> ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]