Re: [tor-dev] Putting onion services behind a third-party TCP proxy
On 8/14/19, Pop Chunhapanya wrote:
> When deploying an onion service ... the ip address
> of my machine ... is exposed to the Tor network...
> DDoS ... if someone knows my ip address.

Only your tor client, and your guard, knows your ip.

Unless you're up against a malicious guard, that's not a problem, and if you are, firewalling doesn't help anything there because you can't prevent a real "DDoS" or any other modulation from partitioning or otherwise giving away your onion. Tor cannot defend against that class of attack.

Note that in a proper "onion only" configuration, a box should have no inbound ports open.

There is something confusing with your wording. If these replies don't help, please rephrase your question. And/or sanitize and post your torrc config and invocation command line.

___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Putting onion services behind a third-party TCP proxy
Hi,

> On 15 Aug 2019, at 05:10, Pop Chunhapanya wrote:
>
> When deploying an onion service, I noticed some problem that the ip address
> of my machine that runs tor daemon is exposed to the Tor network which is
> vulnerable to the DDoS attack if someone knows my ip address.

You can reject all inbound connections to your onion service using a simple firewall rule. Onion services are tor clients: they only make outbound connections.

> So I'm thinking putting the tor daemon behind some third party TCP proxy that
> will protect me from this kind of DDoS attack.
>
> What do you think if I want to implement a feature that forwards all the onion
> service traffic to the TCP proxy before going to the Tor network?
>
> The protocol that I'm thinking is TCP Proxy Protocol [1]
>
> [1] https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt

You could try the existing HTTPSProxy torrc option?

    HTTPSProxy host[:port]
        Tor will make all its OR (SSL) connections through this host:port
        (or host:443 if port is not specified), via HTTP CONNECT rather than
        connecting directly to servers. You may want to set FascistFirewall
        to restrict the set of ports you might try to connect to, if your
        HTTPS proxy only allows connecting to certain ports.

Tor also allows an intelligent firewall to filter circuits using a field in haproxy protocol format, see HiddenServiceExportCircuitID for details. But you probably won't need this advanced feature.

T
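The two replies above boil down to a checklist for the torrc: no relay listeners (no inbound ports), the backend bound to loopback or a unix socket so it is only reachable through the onion, HTTPSProxy set so the guard sees the proxy's address rather than the machine's, and FascistFirewall/FirewallPorts matched to what the proxy will CONNECT to. The following is an added example, not code from this thread or from the Tor project: a small static linter that parses a torrc and reports which of those points it misses. Both sample configs are constructed for the example, and `proxy.example.net:3128` is a placeholder; it is a config check only and does not replace confirming with `ss -ltn` and the host firewall that nothing is actually listening.

```python
"""Static lint of a torrc for the setup discussed in the thread: an onion
service that acts purely as a Tor client, opens no inbound port, and reaches
its guards only through an HTTP CONNECT proxy (HTTPSProxy).

Added example; the torrcs below are constructed, and the proxy host/port
are placeholders, not a real deployment.
"""

# Constructed example: a proxied, client-only onion service.
GOOD_TORRC = """\
HiddenServiceDir /var/lib/tor/myonion/
HiddenServicePort 80 127.0.0.1:8080
# All OR (TLS) connections leave via HTTP CONNECT on the proxy (placeholder host).
HTTPSProxy proxy.example.net:3128
# The proxy only allows CONNECT to 443, so only pick guards on that port.
FascistFirewall 1
FirewallPorts 443
"""

# Constructed counter-example: relay listener open, backend on a routable
# address, and no proxy at all.
BAD_TORRC = """\
HiddenServiceDir /var/lib/tor/myonion/
HiddenServicePort 80 192.0.2.10:80
ORPort 9001
"""

LOOPBACK_PREFIXES = ("127.", "localhost", "[::1]", "::1")


def parse_torrc(text):
    """Return {lowercased option: [values in file order]}; '#' starts a comment."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(parts[0].lower(), []).append(value)
    return opts


def hs_target(value):
    """HiddenServicePort VIRTPORT [TARGET]; a missing TARGET means 127.0.0.1:VIRTPORT."""
    fields = value.split()
    return fields[1] if len(fields) > 1 else f"127.0.0.1:{fields[0]}"


def is_local_target(target):
    """True for unix sockets and loopback host:port targets."""
    if target.startswith("unix:"):
        return True
    host = target.rsplit(":", 1)[0]
    return host.startswith(LOOPBACK_PREFIXES)


def lint(text):
    """Return a list of findings; an empty list means the torrc passes the checklist."""
    opts = parse_torrc(text)
    findings = []

    # 1. No inbound listeners: an onion service is a client and needs none.
    for opt in ("orport", "dirport"):
        if any(v not in ("", "0") for v in opts.get(opt, [])):
            findings.append(f"{opt}: relay listener configured; the box would accept inbound connections")

    # 2. The backend must be reachable only via the onion, not on a routable IP.
    for v in opts.get("hiddenserviceport", []):
        target = hs_target(v)
        if not is_local_target(target):
            findings.append(f"hiddenserviceport: target {target} is not loopback or a unix socket")

    # 3. Guards must be reached through the proxy, else the guard sees this machine's IP.
    if "httpsproxy" not in opts:
        findings.append("httpsproxy: not set; tor will connect to its guard directly")
    elif opts.get("fascistfirewall", ["0"])[-1] != "1":
        findings.append("fascistfirewall: not enabled; tor may pick guard ports the proxy refuses to CONNECT to")

    return findings


if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD_TORRC), ("BAD", BAD_TORRC)):
        print(name, lint(cfg) or "OK")
```

Run it against your own torrc by passing its text to `lint()`; a clean result still leaves the host firewall rule from the other reply (drop all inbound) to be applied and verified separately.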
[tor-dev] Putting onion services behind a third-party TCP proxy
Hi all,

When deploying an onion service, I noticed some problem that the ip address of my machine that runs the tor daemon is exposed to the Tor network, which is vulnerable to DDoS attack if someone knows my ip address.

So I'm thinking of putting the tor daemon behind some third party TCP proxy that will protect me from this kind of DDoS attack.

What do you think if I want to implement a feature that forwards all the onion service traffic to the TCP proxy before going to the Tor network?

The protocol that I'm thinking of is TCP Proxy Protocol [1]

[1] https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt