Re: [tor-relays] Use OutboundBindAddress on multi-instance tor servers
Hi nusenu,

I'm considering not setting OutboundBindAddress on the dotsrc exit relays (https://metrics.torproject.org/rs.html#search/dotsrc).

Wouldn't it be better if all outgoing connections came from the same IP (i.e. do not set OutboundBindAddress), for the sake of making correlation analysis harder? Say you observe an exit connection to example.com:443. If all the dotsrc relays used 185.129.61.1 as src IP, you couldn't tell which of our relays made the connection.

On a related note, wrt the ongoing DDoS, here's something that might be useful to exit relay operators:

What we observed was tens of thousands of open exit connections to a few IPs (at one point our server had more than 500.000 open connections to those hosts!). To check if you see the same, here's a one-liner to show you the endpoints with the largest number of connections from your server:

# ss -tn | tr -s ' ' | cut -d' ' -f 5 | sort | uniq -c | sort -nr | head

One way to solve this is to do some firewall foo, but I really don't like connection tracking (unnecessary CPU cycles). An alternative solution that works great for us is to lower net.ipv4.ip_local_port_range from the default of about 30.000 ports. E.g.:

# sysctl -w net.ipv4.ip_local_port_range="64000 65535"

This limits the number of connections you can have to a specific dst tuple (IP, Port) to 1.535 connections (and thanks to Tor now setting IP_BIND_ADDRESS_NO_PORT, reaching this limit won't affect any other connections, as the same port can be used as src for many different dst IPs).

- Anders

On Sat, Feb 11, 2023 at 12:12 PM nusenu wrote:
>
>> multi-instance tor relay
>
> Can you please describe what that is?
>
> The subject uses the more correct term 'multi-instance tor server'.
>
> A single OS running more than one tor relay instance.
>
> In the context of this email, more specifically running more than 2 tor
> relays.
>
> kind regards,
> nusenu
>
> --
> https://nusenu.github.io

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
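An added example, not code from Anders' post: it wraps the same per-peer counting that his `ss -tn` one-liner does in a small script with a threshold check, run here over a constructed ss-style sample (the peer addresses and the limit value are assumptions).

```shell
#!/bin/sh
# Added example, not from the list post: count established TCP peers the way
# the post's `ss -tn | ... | uniq -c` one-liner does, then flag any endpoint
# holding more connections than a chosen limit.

# Count connections per peer address:port (column 5 of `ss -tn` output, header
# skipped), busiest first. On a live host: ss -tn | top_endpoints 10
top_endpoints() {
    awk 'NR > 1 { n[$5]++ } END { for (k in n) print n[k], k }' | sort -nr | head -n "${1:-10}"
}

# Constructed sample in `ss -tn` layout: three sockets to one peer, two to
# another, one to an IPv6 peer.
SAMPLE='State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 203.0.113.10:41000 198.51.100.7:443
ESTAB 0 0 203.0.113.10:41001 198.51.100.7:443
ESTAB 0 0 203.0.113.10:41002 198.51.100.7:443
ESTAB 0 0 203.0.113.10:41003 192.0.2.25:80
ESTAB 0 0 203.0.113.10:41004 192.0.2.25:80
ESTAB 0 0 203.0.113.10:41005 [2001:db8::1]:443'

# Number of connections held by the busiest peer in the sample.
busiest_count() {
    printf '%s\n' "$SAMPLE" | top_endpoints 1 | awk '{ print $1 }'
}

# Address:port of the busiest peer in the sample.
busiest_peer() {
    printf '%s\n' "$SAMPLE" | top_endpoints 1 | awk '{ print $2 }'
}

# Print a WARN line for every peer above $1 connections and exit 0;
# exit 1 when no peer exceeds it, so the function can drive alerting.
check_threshold() {
    printf '%s\n' "$SAMPLE" | top_endpoints | awk -v lim="$1" '
        $1 > lim { print "WARN " $2 " has " $1 " connections"; found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Demo run over the sample with a limit of 2 connections per peer.
check_threshold 2
```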
Re: [tor-relays] Use OutboundBindAddress on multi-instance tor servers
On Wed, 8 Feb 2023 00:08:39 +0100, nusenu wrote:

Hi

> multi-instance tor relay

Can you please describe what that is? Is it a server with multiple relays, each with its own fingerprint? Or is it a relay with one fingerprint and with multiple tor daemons that are synced by some magic?
Re: [tor-relays] publish current AuthDirMaxServersPerAddr limit?
On Sun, Feb 12, 2023 at 01:08:56PM +0100, Sebastian Hahn wrote:
>
> > On 12. Feb 2023, at 11:46, nusenu wrote:
> >
> > would it be possible to publish
> > the currently enforced value of AuthDirMaxServersPerAddr
> > on some tpo website? Maybe consensus-health.tpo?
>
> that's a bit hard to do automatically, as the value is currently not
> exported by the dirauths. We'd need a feature to include the value in
> the votes, then it could be displayed. Not sure if the network team
> would work on such a feature, I'd be in favor.

Good idea. I've implemented it in my ticket40753 branch, described here:
https://gitlab.torproject.org/tpo/core/tor/-/issues/40753

moria1 is including its AuthDirMaxServersPerAddr value in the consensus params section of its vote, which makes its way to this webpage:
https://consensus-health.torproject.org/#consensusparams

I'm not sure if this is the best possible design (we're sort of blurring the line between what is a ConsensusParam and what isn't), but it should be an easy and safe change at least. :)

nusenu: note that once enough dir auths vote this param, they will compute a 'consensus' value for it and put that value in the consensus, but nothing actually looks at or uses that consensus value.

--Roger
[tor-relays] HowTo use relayor's Prometheus Integration (relayor v23.1.0)
Hi,

relayor v23.1.0 is released. It comes with:

* a minor security fix that needs manual intervention
* support for more than 2 relays per IP
* a major simplification for users of the prometheus integration.
* removal of the tor_dedicatedExitIP feature.

relayor now implements conf.d support for prometheus. This includes a few backward incompatible changes.

Full Changelog:
https://github.com/nusenu/ansible-relayor/releases/tag/v23.1.0

With the release I also published this guide that should help users get started with relayor's prometheus integration:
https://github.com/nusenu/ansible-relayor/discussions/239

kind regards,
nusenu
Re: [tor-relays] publish current AuthDirMaxServersPerAddr limit?
> On 12. Feb 2023, at 11:46, nusenu wrote:
>
> Hi,
>
> would it be possible to publish
> the currently enforced value of AuthDirMaxServersPerAddr
> on some tpo website? Maybe consensus-health.tpo?
>
> kind regards,
> nusenu

Hi nusenu,

that's a bit hard to do automatically, as the value is currently not exported by the dirauths. We'd need a feature to include the value in the votes, then it could be displayed. Not sure if the network team would work on such a feature, I'd be in favor.

Thanks
Sebastian
[tor-relays] publish current AuthDirMaxServersPerAddr limit?
Hi,

would it be possible to publish the currently enforced value of AuthDirMaxServersPerAddr on some tpo website? Maybe consensus-health.tpo?

kind regards,
nusenu

--
https://nusenu.github.io