On Sun, Nov 9, 2014 at 11:08 AM, Andrea Shepard wrote:

Yes, and that is what it looks like. The strings 'code', 'old' and 'fail' in the URLs seen in nachash's logs were also present as top-level directories on his site, and he apparently had a 404 redirect to his index page - so a buggy crawler might well produce something like the observed pattern. Who would leave an obviously broken crawler producing nothing of interest like that running for such a long time and O(1M) requests, though? An attack designed to look like skiddie bullshit is starting to sound plausible.

coderman: morals of this story: - never assume a crash or DoS is innocuous on the Tor network. - always get packet captures to diagnose trouble! (not just request logs) - "the old tricks, still the best tricks..."

In one of many threads, mine being 'dirty pool', there is forming a good variety of such morals to live by and areas of action to pursue. HS operators banding together to compare the above logs is one of them. You could conceivably throw the logs/pcaps from many relays and onions into a splunk.onion instance and try to mine some knowledge out of them that way. Tor is a jointly owned wide area infrastructure... seems time to apply the traditional net/sec tools to it and see what's up on your own network.