If you've been running the tor daemon for the last year or so, you've likely experienced several outages and may even have spotted reports of a compression bomb in the logs. In fact, I've seen other people report having to disable their daemon for a week or so. Previously, for me it was easy enough to grep the logs for the offending node sending compression bombs and blacklist it.
This morning, though, I was faced with at least a dozen malicious nodes clogging the network, so I did what any self-respecting operator would do: I inserted a longrun into my s6 service pipeline to automatically scan the logs for compression bomb incidents and heal itself by appending the offending node to a blacklist file that is included within torrc. I'm posting this while my daemon is still under attack, so I would definitely deem this a success.
My script currently runs as root, which is not ideal but entirely appropriate for the privileges involved in restarting services and editing system-wide config files. I hope others may benefit from my method, so the run file of the service is reproduced below:
#!/bin/execlineb -P
# Read tor's log lines from stdin (the s6 pipeline), one line at a time.
forstdin -E line
foreground {
echo $line
}
# Only carry on for lines that report a compression bomb; -q keeps grep from
# echoing the matched line a second time.
if {
heredoc 0 $line
grep -q -F "Unable to decompress HTTP body"
}
foreground {
# Extract the offending address itself (grep -o); grep -c would only yield a
# match count. -n chomps the trailing newline so the blacklist gets one entry
# per line.
backtick -E -n ip {
heredoc 0 $line
grep -o "[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}"
}
# redirfd takes its mode flag before the fd: -a appends to the blacklist file.
redirfd -a 1 /etc/tor/bombs
echo ExcludeNodes $ip
}
s6-svc -r /run/service/tor
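As an added example (not the author's run file), the same detection done in portable shell over constructed log lines: it pulls every peer address out of the compression-bomb warnings, deduplicates them, and emits one comma-separated ExcludeNodes line, the syntax the torrc manual documents for that option. The wording of the sample lines beyond the matched phrase, and the assumption that the only dotted quad on such a line is the peer address, are this example's, not the post's.

```sh
#!/bin/sh
# Added example, not the author's execline longrun: turn tor log lines that
# report a compression bomb into a torrc ExcludeNodes entry.

# Constructed sample log lines; only the phrase "Unable to decompress HTTP body"
# comes from the original post, the rest of each line is an assumption.
# Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG='Jan 01 00:00:01.000 [warn] Unable to decompress HTTP body (on Directory connection with 192.0.2.10:9001)
Jan 01 00:00:02.000 [notice] Bootstrapped 100% (done): Done
Jan 01 00:00:03.000 [warn] Unable to decompress HTTP body (on Directory connection with 198.51.100.7:443)
Jan 01 00:00:04.000 [warn] Unable to decompress HTTP body (on Directory connection with 192.0.2.10:9001)'

# Read log lines on stdin; print "ExcludeNodes a,b,c" with each offending
# address listed once, sorted. Returns 1 and prints nothing if no bomb was
# logged. Like the original grep, this assumes the only dotted quad on a
# matching line is the peer address.
bomb_excludes() {
    ips=$(grep -F 'Unable to decompress HTTP body' \
          | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' \
          | sort -u \
          | paste -sd, -)
    [ -n "$ips" ] || return 1
    printf 'ExcludeNodes %s\n' "$ips"
}

# Rebuild the blacklist file that torrc includes (path from the original post):
# printf '%s\n' "$SAMPLE_LOG" | bomb_excludes > /etc/tor/bombs
```

Regenerating the file from the whole log, rather than appending one ExcludeNodes line per incident, keeps the option in the single comma-separated form the manual shows.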