AS 396507

Our exit relays are down, we suspect some manner of remote attack. The hardware itself appears offline.

Due to our co-location’s key card access changes, we are not able to get in to perform resets. Working on regaining access to our colo. We’d have remote hands reset them, but we’d like to assess the state and any possible kernel logs.

Our bridge relays are unaffected, they are on different hardware. The attackers appear to have been targeting exit relays.

Since we do not log network data, we cannot perform investigations into the attacker.

all 40 of our exit relays are back online this evening. we visited the datacenter and found the servers completely frozen.

on a positive note, all three of our Epyc HPEs have been upgraded to 128GB of RAM!

we'll be bumping up each server's relay count to 30 soon (currently 20 each). one of them has been out of service for a while, we'll be getting it back up with relays too, for a total of 90 exit relays.


@EmeraldOnion we experienced an attack on our exit relays in the past few days. Our hardware isn’t offline though. It was a large 40Gb/s flood that seemed to utilize the relays themselves.

@EmeraldOnion to be more clear, the malicious users were likely making requests that then returned large amounts of data. No proof either way though. Could have also been a reflection attack.

Infosec Exchange
René Mayrhofer 🇺🇦 🇹🇼 (@rene_mobile@infosec.exchange)

I have a brief story to tell: Earlier this week, a large DDoS attack against 2 out of our larger set of #Tor (@torproject@mastodon.social) relays - which also act as stable HSDir nodes - has managed to partially interrupt Internet traffic for the whole #JKULinz. While the attack was not huge compared to others (peak traffic around 3-4 Gbit/s, well above 1M PPS), we suspect either a nation state actor or fairly well-funded organization for 3 reasons:

* The attack was more advanced than simply saturating the upstream with bandwidth/packets, but had proper handshakes with the Tor relays, trying to cause resource exhaustion on the application level (we have seen this pattern multiple times in the last 6+ months, but this one was much more massive in terms of incoming packets).
* The attack was very targeted, affecting only 2 IPs out of 25, consistently over some time. This indicates that either the position in the HSDir or specific connections or hidden services that were relayed over those nodes were the target - but note that these are only guesses, we don't have hard data on the motivation of this targeting.
* The only motivations that come to mind are either de-anonymization attacks or take-downs of particular hidden services. These do not seem to be relevant for usual ransom DDoS botnet attackers, but more for political reasons.

We have some flow data and would be interested in doing more analysis. Any ideas or correlation with other data on Tor relay attacks welcome :) CC @GossiTheDog@cyberplace.social