-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

David Serrano:
> First post to this mailing list. I joined the network 3 days ago
> with a VIA Nehemiah system, 1 GHz, 256 MB RAM, RelayBandwidthRate
> 500 KB.

I suspect that'll have the CPU to handle things, but RAM... guess
you'll find out! Unsure.

> On 2013-10-20 09:42:01 (-0700), Gordon Morehouse wrote:
>>
>> First, during a SYN flood type overload, some peers which have
>> *existing* circuits built through the relay and are sending SYNs
>> as normal traffic will stochastically get "caught" in the filter
>> and banned for a short time. If these hosts already have
>> circuits open through the relay which is overloaded, I would
>> prefer to preserve those circuits rather than break them. My
>> defensive strategy versus overload here is to throttle new
>> circuit creation requests, *not* to break existing circuits.
>>
>> So here's the $64,000 question:
>>
>> If a tor relay has a circuit built through a peer, and the peer
>> starts dropping 100% of packets, how long will it take before the
>> relay with the circuit "gives up" on the circuit and tears it
>> down? I want to set my temp ban time *below* this timeout.
>> Thus, unlucky peers that were caught in the filter and have
>> circuits already built through the relay will experience a
>> brief performance degradation, but they won't lose their active
>> circuits through the overloaded relay, and in the meantime
>> hopefully the overload condition is becoming resolved.
>
> I can think of two approaches to your problem:
>
> - You can 'iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT'
>   early in your ruleset, so all existing circuits will be allowed. I
>   understand this is pretty standard practice and I'm somewhat
>   surprised that you're not already doing it. Your SYN throttling
>   would appear later in the ruleset. You could be aggressive at this
>   point since you know that you won't break any circuit.
>
> - Besides this, you can 'iptables -A INPUT -p tcp --syn -j SYN_THROTTLE'
>   and populate a new SYN_THROTTLE chain with your desired rules to tell
>   peers to calm down. Only SYN packets will enter this chain; the
>   established circuits won't match this rule and will traverse the
>   rest of the ruleset unaffected.
>
> Since I run a new node and am discovering this new world, I'm somewhat
> concerned that once I gain the Stable flag I'll be SYN flooded too,
> so I'll pay attention to this too.

This is greatly helpful, thanks. The reason I've overlooked some
obvious things is that I'm an iptables noob. :)

If you like, have a look at The Cipollini Project[1], which is
essentially a collection of tidbits aiming to eventually be a set of
packages that can be distributed or otherwise used to turn very
inexpensive and/or low-end boxes into "plug and forget" relays. It'll
soon have its own mailing list.

1. https://github.com/gordon-morehouse/cipollini

Best,
- -Gordon M.
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJSZ10uAAoJED/jpRoe7/uj3o4H/jwcQcYk0Kdiu5QaeucXLPAo
LXQdhK688xkqbadrGbFUTnsJyRGI/hZ8sJbNYZDi0iIT4BTALnRFdLaDdyF40txR
ow4AYMLLmWNno0wTwn5qgPY8v6nC4cbXpHIBWArxDDBcJfYcYIv7YzM738qyKtRk
4m7elOACQgWcP0YRZNs6ZpQxQ53asrCaVO9yCf9LS/RehJW/XlChvMWfqAOkUKYD
fiziX2ZpYd1SrZ8guUNiKfp/8zLojyjO1rknNjRer/51aHub4nADvZm3z9dDMDBJ
6bNEhU01g9ss/TJS9MffRMLRJ2cu2uqb7FNcB6jZmQvQLJDftm5OtV6IsC4PhQY=
=dV1H
-----END PGP SIGNATURE-----
_______________________________________________
tor-relays mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
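The two suggestions in David's reply (accept ESTABLISHED traffic before any throttling, then send only SYNs into a dedicated SYN_THROTTLE chain) put together as one runnable ruleset. This is an added example, not code from the thread, from Gordon's Cipollini project or from Tor. It assumes the relay's ORPort is 9001 and that a per-source budget of 30 new connections per minute with a burst of 60 is a reasonable starting point; neither number comes from the thread. The per-source limit uses the iptables hashlimit match.

```shell
#!/bin/sh
# Added example (not from the original thread or from Tor): an INPUT ruleset
# implementing "accept ESTABLISHED first, throttle only SYNs to the ORPort".
# Assumptions, not facts from the thread: ORPort 9001; 30 new connections per
# minute per source IP, burst 60. Management rules (SSH, ICMP) and the INPUT
# chain policy are deliberately left to the existing ruleset; this only appends.
set -eu

ORPORT="${ORPORT:-9001}"            # assumption: the relay's ORPort
SYN_RATE="${SYN_RATE:-30/minute}"   # assumption: sustained new connections per source
SYN_BURST="${SYN_BURST:-60}"        # assumption: burst tolerated before throttling

# build_rules CMD
# Appends the rules using CMD as the iptables binary. Pass "echo" to print the
# rules instead of loading them (a dry run, also used to check this example).
build_rules() {
    ipt="${1:-iptables}"

    # 1. Accept packets of connections conntrack already knows, before any
    #    throttling. A peer that has circuits through this relay keeps those
    #    TCP connections even while its new SYNs are dropped, so there is no
    #    ban time to tune against Tor's circuit timeout.
    "$ipt" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 2. Only connection attempts to the ORPort enter the throttle chain.
    #    --syn matches SYN set with ACK, RST and FIN clear, so no packet of an
    #    already-open connection can land here.
    "$ipt" -N SYN_THROTTLE
    "$ipt" -A INPUT -p tcp --dport "$ORPORT" --syn -j SYN_THROTTLE

    # 3. Inside the chain: accept while the per-source rate is within budget,
    #    log a sample of the excess, drop the rest. A dropped SYN costs the
    #    peer one retransmit after its RTO; nothing already open is touched.
    "$ipt" -A SYN_THROTTLE -m hashlimit --hashlimit-name tor_syn \
        --hashlimit-mode srcip --hashlimit-upto "$SYN_RATE" \
        --hashlimit-burst "$SYN_BURST" -j ACCEPT
    "$ipt" -A SYN_THROTTLE -m limit --limit 6/minute \
        -j LOG --log-prefix "tor-syn-throttle: "
    "$ipt" -A SYN_THROTTLE -j DROP
}

# Load rules only when explicitly asked, so running the file with no
# arguments (or sourcing it) changes nothing.
#   sh tor-syn-throttle.sh dry-run   # print the rules
#   sh tor-syn-throttle.sh apply     # load them (as root)
case "${1:-}" in
    apply)   build_rules iptables ;;
    dry-run) build_rules echo ;;
esac
```

Run the dry-run first and read the order: the conntrack ACCEPT must be the first rule in INPUT, otherwise a peer's existing connections can still be caught by the throttle. One caveat for a 256 MB box: both rule 1 and the throttle depend on the connection-tracking table, and when it fills the kernel drops new packets outright (logged as "nf_conntrack: table full, dropping packet"), which breaks more than the flood would; check net.netfilter.nf_conntrack_max against the number of connections a relay with that bandwidth rate actually carries before relying on this.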
