Re: [tor-relays] blocking >1 connections per ip address onto Tor DirPort

2017-08-22 Thread teor

> On 16 Aug 2017, at 14:22, tor  wrote:
> 
> > Note that most clients use the ORPort for fetching directory stuff, and
> > that's heading towards "all clients" as people upgrade and stop using weird
> > configurations.
> 
> > If you're worried about denial of service issues on the DirPort, maybe the
> > simple answer is to turn off the DirPort? I think the only real impact might
> > have something to do with whether old clients believe that you're a usable
> > guard.
> 
> What about fallback directory mirrors?
> Does fallback traffic go over the ORPort too?

Bootstrapping clients always use the ORPort to talk to fallbacks.
(Both features were introduced in 0.2.8.)

Bootstrapping relays use the DirPort to talk to fallbacks.

> Is it safe to disable the DirPort on a fallback relay?

If you disable the DirPort, the fallback will be excluded when we next
rebuild the list.

We are working on ORPort-only fallbacks, but it's low priority, because
the existing system works.

To make it work, we need to:
#18856: teach stem to talk ORPort so we can check the fallback, and
#19129: modify the fallback checking script to allow ORPort-only fallbacks

T

--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org






___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


[tor-relays] blocking >1 connections per ip address onto Tor DirPort

2017-08-17 Thread Felix

Hi everybody

>>> Does a particular Tor server/client will open more than 1
>>> connection at a time from to the DirPort ?

>> If you're worried about denial of service issues on the DirPort,
>> maybe the simple answer is to turn off the DirPort? I think the
>> only real impact might have something to do with whether old
>> clients believe that you're a usable guard.

> understood - removed those iptables rules

Good discussion. My experience is protecting the dirport makes
sense to avoid ddos attempts.

During my Debian times this rule worked fine for me:

/sbin/iptables -A INPUT -p tcp -d $IPEXT --dport 80 \
    -m limit --limit 5/s --limit-burst 50 -j ACCEPT


On FreeBSD I go with something like:

# <blockDIR> is the overload table; it needs a "table <blockDIR> persist"
# line earlier in pf.conf
pass in on $IFEXT inet proto tcp from ! <blockDIR> to $IPEXT port 80 \
    flags S/SA keep state (max 150, max-src-states 50, max-src-conn 50, \
    max-src-conn-rate 20/10, overload <blockDIR>)

# release the blockDIR after some hours
pfctl -t blockDIR -T expire 7200 # hourly cron job


--
Cheers, Felix


Re: [tor-relays] blocking >1 connections per ip address onto Tor DirPort

2017-08-16 Thread Toralf Förster

On 08/16/2017 12:22 AM, Roger Dingledine wrote:
> On Tue, Aug 15, 2017 at 11:52:31PM +0200, Toralf Förster wrote:
>> Does a particular Tor server/client will open more than 1
>> connection at a time from to the DirPort ?
> 
> I think we definitely want to support that in the protocol.
> 
> I'm not sure whether it happens right now, but it might.
> 
> But preventing it from happening is likely bad.
> 
> Note that most clients use the ORPort for fetching directory
> stuff, and that's heading towards "all clients" as people upgrade
> and stop using weird configurations. So the DirPort is mainly used
> on authorities (by relays that fetch dir stuff or upload relay
> descriptors), and by auxiliary tools like stem and the various
> metrics project scripts.
> 
> If you're worried about denial of service issues on the DirPort,
> maybe the simple answer is to turn off the DirPort? I think the
> only real impact might have something to do with whether old
> clients believe that you're a usable guard.
> 

understood - removed those iptables rules


-- 
Toralf
PGP C4EACDDE 0076E94E


Re: [tor-relays] blocking >1 connections per ip address onto Tor DirPort

2017-08-15 Thread tor
> Note that most clients use the ORPort for fetching directory stuff, and
> that's heading towards "all clients" as people upgrade and stop using weird
> configurations.

> If you're worried about denial of service issues on the DirPort, maybe the
> simple answer is to turn off the DirPort? I think the only real impact might
> have something to do with whether old clients believe that you're a usable
> guard.

What about fallback directory mirrors? Does fallback traffic go over the ORPort 
too? Is it safe to disable the DirPort on a fallback relay?


Re: [tor-relays] blocking >1 connections per ip address onto Tor DirPort

2017-08-15 Thread Andreas Krey
On Tue, 15 Aug 2017 23:52:31 +, Toralf Förster wrote:
...
> Does a particular Tor server/client will open more than 1 connection at a 
> time from to the DirPort ?

Even if not per se, multiple (old) clients behind a common NAT may do so.

Andreas

-- 
"Totally trivial. Famous last words."
From: Linus Torvalds 
Date: Fri, 22 Jan 2010 07:29:21 -0800


Re: [tor-relays] blocking >1 connections per ip address onto Tor DirPort

2017-08-15 Thread niftybunny
The “normal” classification of DDOS is more than 25 packets/sec to your 
server/vps. 

You could check if it is a smurf attack or x-mas or whatever, but normally you 
will be null routed with 250k+ or the (hopefully) good anti DDOS hardware of 
the ISP will kick in.

Markus

“Cheery was aware that Commander Vimes didn't like the phrase 'The innocent 
have nothing to fear', believing the innocent had everything to fear, mostly 
from the guilty but in the longer term even more from those who say things like 
'The innocent have nothing to fear'.”

― Terry Pratchett, Snuff

> On 16. Aug 2017, at 01:16, eric gisse  wrote:
> 
> Just out of curiosity, do DoS attacks against dirports even happen?
> 
> My server gets nailed by what my host thinks is a DOS every now and
> then but I'm yet to get details.
> 
> Does anyone have a good idea on how I would be able to classify
> traffic as an attack rather than normal "shitloads of traffic" ?
> 
> On Tue, Aug 15, 2017 at 5:22 PM, Roger Dingledine  wrote:
>> On Tue, Aug 15, 2017 at 11:52:31PM +0200, Toralf Förster wrote:
>>> Does a particular Tor server/client will open more than 1 connection
>>> at a time from to the DirPort ?
>> 
>> I think we definitely want to support that in the protocol.
>> 
>> I'm not sure whether it happens right now, but it might.
>> 
>> But preventing it from happening is likely bad.
>> 
>> Note that most clients use the ORPort for fetching directory stuff,
>> and that's heading towards "all clients" as people upgrade and stop
>> using weird configurations. So the DirPort is mainly used on authorities
>> (by relays that fetch dir stuff or upload relay descriptors), and by
>> auxiliary tools like stem and the various metrics project scripts.
>> 
>> If you're worried about denial of service issues on the DirPort, maybe
>> the simple answer is to turn off the DirPort? I think the only real
>> impact might have something to do with whether old clients believe that
>> you're a usable guard.
>> 
>> --Roger
>> 
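eric's question above (how to tell an attack from plain heavy traffic) and Markus's 25 packets/sec rule of thumb can be turned into a check over the relay's own firewall log. What follows is an added example, not code from anyone in this thread: it assumes an iptables LOG rule on the DirPort whose lines carry the prefix "DIRPORT: " (the rule and the prefix are assumptions for the example), parses the kernel log lines, counts SYNs per source address per second, and reports the sources whose peak rate is above a threshold. The log lines are constructed and use documentation addresses.

```python
"""Per-source SYN rate from netfilter LOG lines.

Added example, not code from the thread. It assumes a LOG rule on the
DirPort that writes lines with the prefix "DIRPORT: " to the kernel log
(an assumption for this example); the SYN flag is checked per line, so it
does not matter whether the LOG rule itself is restricted to --syn.
"""
import re
from collections import defaultdict

# syslog timestamp, host, "kernel:", then the netfilter fields we need
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dpt>\d+) "
)


def make_line(ts, src, dpt, flag):
    """Constructed netfilter LOG line (documentation addresses, not real traffic)."""
    return (f"{ts} relay kernel: [  100.000000] DIRPORT: IN=eth0 OUT= "
            f"SRC={src} DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF "
            f"PROTO=TCP SPT=51234 DPT={dpt} WINDOW=29200 RES=0x00 {flag} URGP=0")


T = "Aug 15 23:52:31"
# Constructed sample: everything lands in the same one-second bin.
SAMPLE_LOG = (
    [make_line(T, "203.0.113.5", 80, "SYN") for _ in range(3)]        # a NAT with a few clients
    + [make_line(T, "203.0.113.5", 80, "ACK") for _ in range(20)]     # their established traffic
    + [make_line(T, "198.51.100.99", 80, "SYN") for _ in range(40)]   # SYN flood at the DirPort
    + [make_line(T, "198.51.100.50", 443, "SYN") for _ in range(30)]  # ORPort, outside this check
)


def peak_syn_rate(lines, dport=80):
    """Highest SYNs-per-second seen from each source towards dport."""
    per_second = defaultdict(int)  # (src, second) -> SYN count
    for line in lines:
        m = LOG_RE.search(line)
        if not m or int(m.group("dpt")) != dport or " SYN " not in line:
            continue
        per_second[(m.group("src"), m.group("ts"))] += 1
    peak = defaultdict(int)
    for (src, _), n in per_second.items():
        peak[src] = max(peak[src], n)
    return dict(peak)


def suspects(lines, dport=80, threshold=25):
    """Sources whose peak SYN rate is above threshold packets/s.

    25/s is the figure quoted in the thread; tune it to the relay's normal load.
    """
    return {src: pps for src, pps in peak_syn_rate(lines, dport).items()
            if pps > threshold}


if __name__ == "__main__":
    print(peak_syn_rate(SAMPLE_LOG))  # {'203.0.113.5': 3, '198.51.100.99': 40}
    print(suspects(SAMPLE_LOG))       # {'198.51.100.99': 40}
```

Two caveats for real use: the check is per source address, so a flood spread over many addresses that each stay under the threshold is invisible to it (and the NAT case from the thread shows up as a handful of SYNs, far below it), and a LOG rule without its own `-m limit` will itself become a cost during a flood, so rate-limit the logging or use nflog.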


Re: [tor-relays] blocking >1 connections per ip address onto Tor DirPort

2017-08-15 Thread eric gisse
Just out of curiosity, do DoS attacks against dirports even happen?

My server gets nailed by what my host thinks is a DOS every now and
then but I'm yet to get details.

Does anyone have a good idea on how I would be able to classify
traffic as an attack rather than normal "shitloads of traffic" ?

On Tue, Aug 15, 2017 at 5:22 PM, Roger Dingledine  wrote:
> On Tue, Aug 15, 2017 at 11:52:31PM +0200, Toralf Förster wrote:
>> Does a particular Tor server/client will open more than 1 connection
>>at a time from to the DirPort ?
>
> I think we definitely want to support that in the protocol.
>
> I'm not sure whether it happens right now, but it might.
>
> But preventing it from happening is likely bad.
>
> Note that most clients use the ORPort for fetching directory stuff,
> and that's heading towards "all clients" as people upgrade and stop
> using weird configurations. So the DirPort is mainly used on authorities
> (by relays that fetch dir stuff or upload relay descriptors), and by
> auxiliary tools like stem and the various metrics project scripts.
>
> If you're worried about denial of service issues on the DirPort, maybe
> the simple answer is to turn off the DirPort? I think the only real
> impact might have something to do with whether old clients believe that
> you're a usable guard.
>
> --Roger
>


Re: [tor-relays] blocking >1 connections per ip address onto Tor DirPort

2017-08-15 Thread Roger Dingledine
On Tue, Aug 15, 2017 at 11:52:31PM +0200, Toralf Förster wrote:
> Does a particular Tor server/client will open more than 1 connection
>at a time from to the DirPort ?

I think we definitely want to support that in the protocol.

I'm not sure whether it happens right now, but it might.

But preventing it from happening is likely bad.

Note that most clients use the ORPort for fetching directory stuff,
and that's heading towards "all clients" as people upgrade and stop
using weird configurations. So the DirPort is mainly used on authorities
(by relays that fetch dir stuff or upload relay descriptors), and by
auxiliary tools like stem and the various metrics project scripts.

If you're worried about denial of service issues on the DirPort, maybe
the simple answer is to turn off the DirPort? I think the only real
impact might have something to do with whether old clients believe that
you're a usable guard.

--Roger



Re: [tor-relays] blocking >1 connections per ip address onto Tor DirPort

2017-08-15 Thread Toralf Förster

On 08/15/2017 11:37 PM, tor wrote:
> 
> Tor also provides the directory service on the same port (unless you
> have it disabled). How do you know limiting the connections doesn't
> impact the directory service?
> 

Does a particular Tor server/client will open more than 1 connection at a time 
from to the DirPort ?

-- 
Toralf
PGP C4EACDDE 0076E94E


Re: [tor-relays] blocking >1 connections per ip address onto Tor DirPort

2017-08-15 Thread tor
@Toralf

> Tor serves the "DirPortFrontPage /etc/tor/tor-exit-notice_DE.html" at that 
> port
> and I'd like to avoid a slow responsive Tor due to a DDoS at that port.

Tor also provides the directory service on the same port (unless you have it 
disabled). How do you know limiting the connections doesn't impact the 
directory service?


Re: [tor-relays] blocking >1 connections per ip address onto Tor DirPort

2017-08-15 Thread Toralf Förster

On 08/15/2017 10:57 PM, Nagaev Boris wrote:
> Hey
> 
> I am just curious: why is it needed to block >1 connections per ip
> address onto Tor DirPort?

Tor serves the "DirPortFrontPage /etc/tor/tor-exit-notice_DE.html" at that port 
and I'd like to avoid a slow responsive Tor due to a DDoS at that port.

-- 
Toralf
PGP C4EACDDE 0076E94E


Re: [tor-relays] blocking >1 connections per ip address onto Tor DirPort

2017-08-15 Thread Nagaev Boris
On Tue, Aug 15, 2017 at 2:08 PM, Toralf Förster  wrote:
>
> I do have the following iptables rule here :
>
>   # Tor
>   #
>   dirport=80
>   orport=443
>
>   $IPT -A INPUT -p tcp --destination-port $dirport --match conntrack --ctstate NEW \
>        --match connlimit --connlimit-above 1 --connlimit-mask 32 -j DROP
>   $IPT -A INPUT -p tcp --destination-port $orport  --match conntrack --ctstate NEW \
>        --match connlimit --connlimit-above 1 --connlimit-mask 32 -j DROP
>
>
> which seems to work fine. An
>
> $> ip6tables -nvL
>
> gives
>
> 14110  746K DROP   tcp  --  *  *   0.0.0.0/0   0.0.0.0/0   tcp dpt:80 ctstate NEW #conn src/32 > 1
>  230K   14M DROP   tcp  --  *  *   0.0.0.0/0   0.0.0.0/0   tcp dpt:443 ctstate NEW #conn src/32 > 1
>
> after a few days, so I would just like to ask here if the rules above are fine or
> if I overlooked something?
>
> -- 
> Toralf
> PGP C4EACDDE 0076E94E

Hey

I am just curious: why is it needed to block >1 connections per ip
address onto Tor DirPort?


-- 
Best regards,
Boris Nagaev


[tor-relays] blocking >1 connections per ip address onto Tor DirPort

2017-08-15 Thread Toralf Förster

I do have the following iptables rule here :

  # Tor
  #
  dirport=80
  orport=443

  # drop a NEW connection when the same source /32 already has one open
  $IPT -A INPUT -p tcp --destination-port $dirport --match conntrack --ctstate NEW \
       --match connlimit --connlimit-above 1 --connlimit-mask 32 -j DROP
  $IPT -A INPUT -p tcp --destination-port $orport  --match conntrack --ctstate NEW \
       --match connlimit --connlimit-above 1 --connlimit-mask 32 -j DROP


which seems to work fine. An

$> ip6tables -nvL  

gives

14110  746K DROP   tcp  --  *  *   0.0.0.0/0   0.0.0.0/0   tcp dpt:80 ctstate NEW #conn src/32 > 1
 230K   14M DROP   tcp  --  *  *   0.0.0.0/0   0.0.0.0/0   tcp dpt:443 ctstate NEW #conn src/32 > 1

after a few days, so I would just like to ask here if the rules above are fine or if
I overlooked something?

-- 
Toralf
PGP C4EACDDE 0076E94E
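To make the behaviour of the two throttling approaches in this thread concrete (the connlimit rule in Toralf's message above, Andreas's point that several clients behind one NAT share a source address, and the limit/burst rule Felix posted), here is a small simulation. It is an added example, not code from any poster and not netfilter code: it models connlimit as a per-source-prefix counter that includes the connection being evaluated, and `-m limit` as a token bucket, which is an approximation of the kernel's credit accounting. The addresses are documentation ranges and the scenarios are constructed.

```python
"""Model of the two netfilter matches discussed in the thread.

Added example, not netfilter code and not code posted by anyone in the thread.

connlimit: a NEW connection is DROPped when the number of connections from the
           source prefix, counting the new one, is above N
           (Toralf's --connlimit-above 1 --connlimit-mask 32).
limit:     a token bucket that ACCEPTs at most `rate` packets/s with a burst
           (Felix's --limit 5/s --limit-burst 50); packets over the limit do
           not match and fall through to the next rule in the chain.
"""
from collections import Counter
from ipaddress import ip_network


class ConnLimit:
    """Per-source-prefix concurrent connection limit (models xt_connlimit)."""

    def __init__(self, above, mask=32):
        self.above = above
        self.mask = mask
        self.open = Counter()  # prefix -> currently open connections

    def _key(self, src):
        # --connlimit-mask groups sources by prefix; /32 means one key per host
        return str(ip_network(f"{src}/{self.mask}", strict=False))

    def new_conn(self, src):
        """Verdict for a NEW connection from src: 'ACCEPT' or 'DROP'."""
        key = self._key(src)
        if self.open[key] + 1 > self.above:  # the new connection is counted too
            return "DROP"
        self.open[key] += 1
        return "ACCEPT"

    def close(self, src):
        key = self._key(src)
        self.open[key] = max(0, self.open[key] - 1)


class RateLimit:
    """Token bucket approximating -m limit --limit R/s --limit-burst B."""

    def __init__(self, rate_per_s, burst):
        self.rate = rate_per_s
        self.burst = burst
        self.tokens = float(burst)  # the bucket starts full
        self.last = 0.0

    def packet(self, now):
        """'ACCEPT' if a token is available at time `now` (seconds); otherwise
        the packet does not match this rule and falls through ('FALLTHROUGH')."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return "ACCEPT"
        return "FALLTHROUGH"


def nat_scenario():
    """Two clients behind one NAT, seen as a single /32 by the relay."""
    cl = ConnLimit(above=1, mask=32)
    nat = "203.0.113.10"
    first = cl.new_conn(nat)   # client A fetches a descriptor
    second = cl.new_conn(nat)  # client B, same public address, is dropped
    cl.close(nat)              # A finishes
    third = cl.new_conn(nat)   # B's retry now gets through
    return [first, second, third]


def mask_scenario():
    """A wider mask makes unrelated hosts in one /24 compete for the single slot."""
    cl = ConnLimit(above=1, mask=24)
    return [cl.new_conn("203.0.113.10"), cl.new_conn("203.0.113.11")]


def burst_scenario():
    """60 packets at once against --limit 5/s --limit-burst 50, then 20 more
    two seconds later. Returns how many matched the ACCEPT rule in each batch."""
    rl = RateLimit(rate_per_s=5, burst=50)
    now = [rl.packet(0.0) for _ in range(60)]
    later = [rl.packet(2.0) for _ in range(20)]
    return now.count("ACCEPT"), later.count("ACCEPT")


if __name__ == "__main__":
    print("NAT, /32, above 1:", nat_scenario())        # ['ACCEPT', 'DROP', 'ACCEPT']
    print("two hosts, /24, above 1:", mask_scenario())  # ['ACCEPT', 'DROP']
    print("limit 5/s burst 50:", burst_scenario())     # (50, 10)
```

What the model makes visible: the connlimit verdict depends only on the source prefix, so a NAT, a VPN egress or anything else that opens two DirPort fetches in parallel looks the same as an attacker, which is the concern raised in the replies. The limit rule, by contrast, only rations how many packets per second match the ACCEPT rule; what happens to the excess is decided by whatever rule follows it in the chain.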