Delivery-Date: Tue, 02 Dec 2014 14:27:21 -0500
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.9 required=5.0 tests=BAYES_00,PLING_QUERY,
	RCVD_IN_DNSWL_MED,RP_MATCHES_RCVD,URIBL_BLOCKED autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id 64BD21E0C84;
	Tue,  2 Dec 2014 14:27:19 -0500 (EST)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id 3A231291F0;
	Tue,  2 Dec 2014 19:27:15 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id 18BE3291F0
 for <tor-talk@lists.torproject.org>; Tue,  2 Dec 2014 19:27:12 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at 
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id PgDBHqy2wWVZ for <tor-talk@lists.torproject.org>;
 Tue,  2 Dec 2014 19:27:12 +0000 (UTC)
Received: from ruggedinbox.com (ruggedinbox.com [94.156.77.238])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by eugeni.torproject.org (Postfix) with ESMTPS id AEABB20914
 for <tor-talk@lists.torproject.org>; Tue,  2 Dec 2014 19:27:11 +0000 (UTC)
Mime-Version: 1.0
Date: Tue, 02 Dec 2014 19:27:04 +0000
From: fuckyouhosting@ruggedinbox.com
To: Mirimir <mirimir@riseup.net>
In-Reply-To: <547D2935.9040808@riseup.net>
References: <d44c9fb94badc9743f9491dc11db52c0@ruggedinbox.com>
 <547BD14E.3060902@gna.org>
 <ae0862eb6ac3ff7fa2798255b2676645@ruggedinbox.com>
 <547C1EE3.7010604@riseup.net>
 <ce591bffa5f5cd607106259789f652b1@ruggedinbox.com>
 <547D2935.9040808@riseup.net>
Message-ID: <5c39d8f9ecd9ac52a55979d6ed0109dc@ruggedinbox.com>
X-Sender: fuckyouhosting@ruggedinbox.com
Cc: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] =?utf-8?q?=28D=29DOS_over_Tor_network_=3F_Help_!?=
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

On 2014-12-02 02:51, Mirimir wrote:
> On 12/01/2014 03:44 PM, fuckyouhosting@ruggedinbox.com wrote:
>> On 2014-12-01 07:55, Mirimir wrote:
>>> On 12/01/2014 12:13 AM, fuckyouhosting@ruggedinbox.com wrote:
>>>> On 2014-12-01 02:24, Christian Gagneraud wrote:
>>>>> On 01/12/14 14:46, fuckyouhosting@ruggedinbox.com wrote:
>>>>>> Hi List! We (try to) maintain a free hosting platform for hidden
>>>>>> service
>>>>>> websites, here: http://fuckyouhotwkd3xh.onion
>>>>>> but recently all the hosted hidden services became unreachable.
>>>>> [...]
>>>>>> So .. question: is there a way to understand which hidden service 
>>>>>> is
>>>>>> causing all this ?
>>>>>> 
>>>>>> Suggestions are welcome!
>>>>> 
>>>>> This might help:
>>>>> https://lists.torproject.org/pipermail/tor-talk/2014-November/035787.html
>>>>> 
>>>>> 
>>>>> Chris
>>>>> 
>>>>>> 
>>>>>> Thank you.
>>>> 
>>>> Hi again, ok we followed the advise and captured a number of 
>>>> sessions,
>>>> while starting Tor and while reloading it, several times to be sure.
>>>> 
>>>> We splitted and sorted the results with this command:
>>>> grep "PURPOSE=HS" dbg3.txt|awk '{ print $9 }'| sort |less
>>>> (which print just the hidden service name, for example
>>>> REND_QUERY=fuckyouhotwkd3xh)
>>>> but are unable to find an address repeated more than around 30 
>>>> times,
>>>> example:
>>>> 
>>>> REND_QUERY=fuckyouhotwkd3xh
>>>> REND_QUERY=fuckyouhotwkd3xh
>>>> REND_QUERY=fuckyouhotwkd3xh
>>>> REND_QUERY=fuckyouhotwkd3xh
>>>> REND_QUERY=fuckyouhotwkd3xh
>>>> REND_QUERY=fuckyouhotwkd3xh
>>>> REND_QUERY=fuckyouhotwkd3xh
>>>> REND_QUERY=fuckyouhotwkd3xh
>>>> REND_QUERY=fuckyouhotwkd3xh
>>>> REND_QUERY=fuckyouhotwkd3xh
>>>> REND_QUERY=fuckyouhotwkd3xh
>>>> REND_QUERY=fuckyouhotwkd3xh
>>>> REND_QUERY=fuckyouhotwkd3xh
>>>> REND_QUERY=fuckyouhotwkd3xh
>>>> REND_QUERY=fuckyouhotwkd3xh
>>>> 
>>>> in short, the addresses are balanced among all the files, still 
>>>> unable
>>>> to find the 'black sheep'.
>>> 
>>> In your torrc, create a new test hidden service, and comment out all 
>>> of
>>> the rest. The new hidden service should be accessible. If it's not, 
>>> you
>>> have other problems. If the new hidden service is accessible, add 
>>> back
>>> the old ones, one at a time, and check accessibility of the test 
>>> hidden
>>> service after each addition. That should reveal the black sheep.
>> 
>> Hi, thanks for the suggestion but we were looking for a more
>> 'programmatic' way: a straight indication about the offending HS, 
>> which
>> eventually can be used by fail2ban or a custom script
>> to automatically switch off the black sheeps.
>> 
>> Moreover, consider that we are talking about hundreds of hidden 
>> services ..
> 
> Upon reflection, I get that I was misguided. Commenting out a hidden
> service wouldn't stop a DoS attack through your tor process. The 
> fastest
> way would be to configure all of the hidden services through a second
> tor process, and wait for the directories to update. Then move them
> back, one by one. The process could be scripted, but it would still 
> take
> a long time to do properly, given how long it takes the tor network to
> respond to changes.
> 
> Maybe it would be better to run many tor instances, and put fewer 
> hidden
> services on each instance. That way, one black sheep wouldn't take down
> everything. Also, segregating the tor processes and hidden services in
> multiple VMs would be more secure, albeit heavier.


Hi, thanks for the suggestion, we thought about the same solutions, but 
they are very cumbersome / unsure / expensive.

Our opinion is that if you provide a feature (Tor hidden services)
and having many hidden services on a single Tor instance is supported,
you _must_ provide the tools to debug / monitor / audit.

Perhaps the new implementation of the hidden services will be better ? 
How is it going ?

Or perhaps we can contact a Tor developer ? Anyone listening and willing 
to dig into this ?

We have the feeling that the commands 'usefeature extended_events + 
usefeature verbose_names + setevents circ' on the Tor control port was a 
step in the right direction
and maybe something else must be enabled
or we have to look for different log events.

Thanks for your help!
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

