In-Reply-To: <547698D1.5060603@riseup.net>
References: <547698D1.5060603@riseup.net>
Date: Thu, 27 Nov 2014 04:34:10 -0500
Message-ID: <CAD2Ti2_6d2z6=fC2YyjJm5eu7Cs=WP9ykp5nu-wtLxRMx4Uxzw@mail.gmail.com>
From: grarpamp <grarpamp@gmail.com>
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] Isolating a hidden service hit by DDOS

On Wed, Nov 26, 2014 at 10:21 PM, Cyrus <cyrus_the_great@riseup.net> wrote:
> I have a problem involving a shared server hosting many hidden services.
> One of the hidden services is being attacked and this is causing the tor
> daemon to use 100% CPU. I am quite sure the attack is just a DDOS flood.
>
> What I can't seem to figure out is how to isolate which hidden service
> is being attacked so I can disable it. I have tried enabling the info
> log but it doesn't seem to contain the information I need. The debug log
> is a quagmire, and I don't know what to look for.
>
> Please tell me what to search for in the debug log.

If you are unable to use webserver logs to pull the onion from (vhost
by host header or tcp port), or no data is being sent, you could
probably watch control port with:
 usefeature extended_events
 usefeature verbose_names
 setevents circ
And look for lots of PURPOSE=HS* counts by onion.
And similar by descriptor id / onion in debug log,
rend-spec.txt doc in torspec.git may help with that.

Maybe we're golden... :)
btc:1BubrXURMMEtzNNzhifNRpnxwUPANGeSR
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
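
Added example, not part of the original message or of Tor's own code: one way to do the per-onion counting described in the reply, over CIRC event lines captured from the control port. It assumes the onion address appears in a REND_QUERY= field of the event, as documented in control-spec.txt; the sample lines, onion names, relay names and circuit ids are constructed placeholders.

```python
from collections import Counter

def parse_circ_event(line):
    """Return (circuit_id, fields) for a '650 CIRC' line, else None."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[:2] != ["650", "CIRC"]:
        return None
    fields = {}
    for token in tokens[4:]:  # skip "650 CIRC <id> <status>"
        key, sep, value = token.partition("=")
        # Keyword names are upper-case letters/underscores; path tokens start with "$".
        if sep and key.isupper() and key.replace("_", "").isalpha():
            fields[key] = value
    return tokens[2], fields

def count_hs_circuits(lines):
    """Count distinct circuits per (onion, purpose) with PURPOSE=HS*."""
    by_circuit = {}
    for line in lines:
        parsed = parse_circ_event(line)
        if parsed is None:
            continue
        circ_id, fields = parsed
        purpose = fields.get("PURPOSE", "")
        onion = fields.get("REND_QUERY")  # assumed field carrying the onion
        if purpose.startswith("HS") and onion:
            by_circuit[circ_id] = (onion, purpose)  # one entry per circuit
    return Counter(by_circuit.values())

def busiest_onions(lines, top=3):
    """Total HS circuits per onion, busiest first."""
    totals = Counter()
    for (onion, _purpose), n in count_hs_circuits(lines).items():
        totals[onion] += n
    return totals.most_common(top)

# Constructed sample events (placeholder onions, relays and circuit ids).
PATH = "$" + "A" * 40 + "~relayA,$" + "B" * 40 + "=relayB"
ROWS = [
    (101, "BUILT", "HS_SERVICE_REND", "aaaaaaaaaaaaaaaa"),
    (101, "CLOSED", "HS_SERVICE_REND", "aaaaaaaaaaaaaaaa"),
    (102, "BUILT", "HS_SERVICE_REND", "aaaaaaaaaaaaaaaa"),
    (103, "BUILT", "HS_SERVICE_REND", "aaaaaaaaaaaaaaaa"),
    (104, "BUILT", "HS_SERVICE_INTRO", "aaaaaaaaaaaaaaaa"),
    (105, "BUILT", "HS_SERVICE_INTRO", "bbbbbbbbbbbbbbbb"),
]
SAMPLE = ["250 OK", f"650 CIRC 200 BUILT {PATH} PURPOSE=GENERAL"] + [
    f"650 CIRC {cid} {status} {PATH} PURPOSE={purpose} REND_QUERY={onion}"
    for cid, status, purpose, onion in ROWS
]
```

Counting is per circuit id rather than per event, so a circuit that reports BUILT and later CLOSED is counted once; feed busiest_onions() the lines read from the control connection in place of SAMPLE.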

