> On 6 Jan 2018, at 06:05, Zack Weinberg <[email protected]> wrote: > >> On Fri, Jan 5, 2018 at 1:44 PM, tor <[email protected]> wrote: >> For relay operators using iptables connlimit to mitigate DoS attacks (or >> increased load from new clients), is it better for the Tor network to use >> "DROP" rules, or should we use something like "REJECT --reject-with >> tcp-reset"? > > REJECT is friendlier to clients that are not misbehaving but happen to > be caught in the crossfire, and to the Internet as a whole. > > I personally think DROP should only ever be used as a desperation > measure when the DoS load is so high that you can't even afford to > send RSTs.
I've tried various ways of limiting Tor's RAM and CPU.
MaxAdvertisedBandwidth was effective, as was limiting Tor's file
descriptors and DisableOOSCheck 1. MaxMemInQueues had a minor impact.
So I decided to use a firewall to limit connections.
If I send RST, a Tor client will immediately try another guard.
If I DROP, the Tor client will timeout before trying another guard.
For misbehaving clients, I want to DROP.
For regular clients, I want to RST. (Or let them connect.)
So I want to set a high connection limit, and use DROP.
I see up to 700 connections per IP, and I see normal residential
IP addresses start at around 80. I don't think that clients with more
than 100 connections per IP will get much bandwidth anyway.
I used this command:
netstat -n | grep ESTABLISHED | awk '{print $5}' | cut -d: -f1 | sort | uniq -c
| sort -rn | head
All the connections over 100 were at Hetzner, OVH, and Leaseweb.
(This command gives /16s for IPv6, but these clients aren't
using IPv6.)
So I set up this firewall rule:
/sbin/iptables -A INPUT -p tcp --syn ! --dport 22 -m connlimit
--connlimit-above 100 -j DROP
You should replace 22 with the list of ports you use for SSH and other
important connections, just in case.
And I installed iptables-persistent to save the rules.
(It might be Debian-specific).
After I set up the firewall, the connections slowly dropped from 700
down to around 100. It only affects new connections, so it might take
a while.
T
--
Tim / teor
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
------------------------------------------------------------------------
signature.asc
Description: Message signed with OpenPGP
_______________________________________________ tor-relays mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
