Re: [tor-relays] Performance issues/DoS from outgoing Exit connections
> Toralf Förster wrote on 22.10.2022 22:40 CEST:
>
> IMO a "reload tor" is fully sufficient and should be preferred over
> "restart", or?

A "reload" will update the ExitPolicy, but not drain existing connections very
quickly, at least on our servers. Feel free to use whatever your preferred
command/script is, though.

Kind regards,
Alexander

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Performance issues/DoS from outgoing Exit connections
On Saturday, 22 October 2022 22:40:38 CEST Toralf Förster wrote:
> On 10/21/22 22:09, Alexander Dietrich wrote:
> > This is still experimental, so if you decide to give the script a try,
> > please keep an eye on it.
>
> IMO a "reload tor" is fully sufficient and should be preferred over
> "restart", or?
>
> Years ago I wrote a bash script, which created a separate file for each IP
> to be blocked. Such a file can be easily removed and then tor reloaded to
> unblock that IP ;)

Just tested, because Applied Privacy and I have the problem that the exit
policy rules do not work with some IPs¹.

Last night at 10pm: IP 79.137.192.228 had 500k connections. Added the IP to
the exit policy and reloaded tor. Policy in that order:

ExitPolicy reject 79.137.192.228/32:*
ExitPolicy reject *:22
ExitPolicy reject *:25
ExitPolicy accept *:*

12 hours later the IP still has over 100k connections.
-> systemctl restart tor
1 hour later the IP has 0 connections :-)

¹ https://gitlab.torproject.org/tpo/core/tor/-/issues/40676

--
╰_╯ Ciao Marco!
Debian GNU/Linux It's free software and it gives you freedom!
Re: [tor-relays] Performance issues/DoS from outgoing Exit connections
On 10/21/22 22:09, Alexander Dietrich wrote:
> This is still experimental, so if you decide to give the script a try,
> please keep an eye on it.

IMO a "reload tor" is fully sufficient and should be preferred over
"restart", or?

Years ago I wrote a bash script, which created a separate file for each IP
to be blocked. Such a file can be easily removed and then tor reloaded to
unblock that IP ;)

--
Toralf
[tor-relays] Performance issues/DoS from outgoing Exit connections
Hello,

on the evening of 2022-10-18, we (Artikel10) started getting alerts about our
Tor servers, while our traffic declined sharply. When we investigated, we found
that there were hundreds of thousands of TCP connections (per server) open to a
single address, orders of magnitude more than any other address. We blocked
this address via "ExitPolicy reject", then another one, and since then things
seem to have improved.

I have thrown together a small Python script to detect this and generate
"ExitPolicy reject" lines automatically:
https://github.com/artikel10/surgeprotector

This is still experimental, so if you decide to give the script a try, please
keep an eye on it.

Kind regards,
Alexander

--
PGP Key: https://dietrich.cx/pgp | 0x52FA4EE1722D54EB
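The detection described above, as an added example that is not the surgeprotector script or any code from this thread: it counts open connections per peer address in `ss -Htn`-style output and emits a host-route ExitPolicy reject line for every peer at or above a threshold. The sample output, the addresses in it and the threshold of 100 are constructed assumptions, not data from a real relay.

```python
"""Count outgoing connections per peer and emit ExitPolicy reject lines."""
from collections import Counter
from ipaddress import ip_address

# Constructed sample in `ss -Htn` layout (state, recv-q, send-q, local, peer);
# one peer gets 120 connections, a few others get one or three each.
SAMPLE_SS_OUTPUT = "\n".join(
    [f"ESTAB 0 0 203.0.113.10:{40000 + i} 198.51.100.7:443" for i in range(120)]
    + [f"ESTAB 0 0 203.0.113.10:{41000 + i} 198.51.100.{20 + i}:443" for i in range(5)]
    + ["ESTAB 0 0 [2001:db8::10]:42000 [2001:db8:ffff::1]:80"] * 3
)


def peer_of(line):
    """Return the peer IP of one ss line, or None if the line is not parseable."""
    fields = line.split()
    if len(fields) < 5:
        return None
    peer = fields[4]
    # IPv6 peers are printed as [addr]:port, IPv4 as addr:port.
    host = peer[1:peer.index("]")] if peer.startswith("[") else peer.rsplit(":", 1)[0]
    try:
        return ip_address(host)
    except ValueError:
        return None


def count_peers(ss_output):
    """Number of open connections per peer address."""
    return Counter(p for p in map(peer_of, ss_output.splitlines()) if p is not None)


def find_surges(counts, threshold):
    """Peers whose connection count reaches the threshold, busiest first."""
    return [ip for ip, n in counts.most_common() if n >= threshold]


def reject_lines(ips):
    """Host-route reject lines (/32 or /128) to place above 'ExitPolicy accept'."""
    return [f"ExitPolicy reject {ip}/{ip.max_prefixlen}:*" for ip in ips]


if __name__ == "__main__":
    surges = find_surges(count_peers(SAMPLE_SS_OUTPUT), threshold=100)
    print("\n".join(reject_lines(surges)))
```

The generated lines only take effect if they precede the `ExitPolicy accept *:*` line, as in Marco's policy above, and, per the thread, a reload applies them without draining connections that are already open.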