On Thu, Aug 18, 2022 at 06:19:06PM +0200, [email protected] wrote:
> On Wednesday, 17 August 2022 19:31:48 CEST Logforme wrote:
> > I run the relay 8F6A78B1EA917F2BF221E87D14361C050A70CCC3
> >
> > I have tried to mitigate the current DoS by implementing connection
> > limits in my iptables using Toralf's template: more than 25 connections
> > during 10 mins and you end up on my naughty list.
> > Lots of connection attempts from the naughty list dropped, but still my
> > relay gets "overloaded".
> >
> > However, I have noticed that a few relays also end up on the naughty
> > list, and I wonder how that can happen. My understanding is that a relay
> > will only open 1 connection to another relay, so it should therefore never
> > end up on the list. Correct?
>
> 10, 20 or more users can have set up their circuits using the same relays.
> kantorkel's Article10 relays have more than 100 connections per IP to me.
>
> On my smaller relays I allow 100 connections per IP:
> https://privatebin.deblan.org/?b4768471c3c9e7ef#EhDETgMKQRvpL6VwH7ABE3bN2cuM68PRVj3fmmAC8k54
>
> But I can't use that on the big servers because Linux kernel “conntrack”
> tables and nftables sets only have 65535 entries.
> See: The dark side of using conntrack
> https://blog.cloudflare.com/conntrack-tales-one-thousand-and-one-flows/
>
Is your 65535 limit self-imposed? I'm running a server that is not Tor related
on Linux where I was hitting conntrack table limits, so I increased the limit by
setting net.nf_conntrack_max=500000 since I have memory to spare. As far as I'm
aware, there is no hard limit in the kernel as long as you have memory for it.

> > D767979FE4C99D310A46EC49037E9FE7E3F64E9D is a particularly frequent
> > naughty boy.
> ;-) It is very, very unlikely that there is a naughty relay in AS680.
> That relay most likely does DNS-, BW- or network health tests in the Tor
> network.
> https://metrics.torproject.org/rs.html#search/as:AS680
> (German university or research institutes)
>
> > I guess my real question is if these connections are legit and I'm
> > hurting the Tor network by using connection limits?
> Yes, never block other relays.
> If you think there is somewhere a malicious relay, report it on bad-relay or
> in this list.
>
>
> --
> ╰_╯ Ciao Marco!
>
> Debian GNU/Linux
>
> It's free software and it gives you freedom!

_______________________________________________
tor-relays mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
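The two practical points in this exchange, sizing the conntrack table instead of dropping flows at its ceiling and limiting connections per source IP without ever limiting other relays, can be put into one script. What follows is an added example written for this thread; it is not Toralf's template, Marco's paste, or any poster's code. It assumes roughly 320 bytes of kernel memory per conntrack entry (a rough figure that varies by kernel and enabled extensions), ORPort 9001, a hash table of one bucket per four entries, an IPv4-only allow-list, and the hypothetical file names shown; adjust all of these for your relay.

```shell
#!/bin/sh
# Added example for this thread, not code from any of the posters or from Tor.
# (1) sizes the conntrack table so a relay does not start dropping flows at the
# default ceiling, and (2) writes an nftables ruleset that caps connections per
# source IP but never limits a hand-maintained list of relays.
# Assumptions (mine): ~320 bytes per conntrack entry, ORPort 9001, an IPv4-only
# allow-list, hash table sized at one bucket per four entries.

BYTES_PER_ENTRY=320   # assumed average cost of one nf_conn plus its hash slot

# conntrack_mem_mib MAX -> approximate MiB consumed when MAX flows are tracked
conntrack_mem_mib() {
    echo $(( $1 * BYTES_PER_ENTRY / 1048576 ))
}

# conntrack_usage_pct COUNT MAX -> integer percentage of the table in use
conntrack_usage_pct() {
    if [ "$2" -gt 0 ]; then echo $(( $1 * 100 / $2 )); else echo 0; fi
}

# conntrack_report -> print live counters from the kernel (fails cleanly if
# the nf_conntrack module is not loaded)
conntrack_report() {
    _d=/proc/sys/net/netfilter
    [ -r "$_d/nf_conntrack_max" ] || { echo "nf_conntrack not loaded"; return 1; }
    _max=$(cat "$_d/nf_conntrack_max")
    _cnt=$(cat "$_d/nf_conntrack_count")
    _hs=$(cat /sys/module/nf_conntrack/parameters/hashsize 2>/dev/null || echo '?')
    echo "conntrack: $_cnt/$_max entries ($(conntrack_usage_pct "$_cnt" "$_max")%)," \
         "hashsize=$_hs, ~$(conntrack_mem_mib "$_max") MiB if the table fills"
}

# raise_conntrack_max MAX -> apply a larger table now and persist it (root).
# net.netfilter.nf_conntrack_max is the current sysctl name; the older
# net.nf_conntrack_max alias used in the thread refers to the same value.
raise_conntrack_max() {
    sysctl -w net.netfilter.nf_conntrack_max="$1"
    # grow the hash table with the entry limit (assumed 4 entries per bucket)
    # so lookups stay cheap; persist both settings across reboots
    echo $(( $1 / 4 )) > /sys/module/nf_conntrack/parameters/hashsize
    printf 'net.netfilter.nf_conntrack_max = %s\n' "$1" > /etc/sysctl.d/90-conntrack.conf
    printf 'options nf_conntrack hashsize=%s\n' $(( $1 / 4 )) > /etc/modprobe.d/nf_conntrack.conf
}

# write_nft_ruleset OUT PER_IP_MAX ORPORT RELAY_IP [RELAY_IP...] -> ruleset file.
# Relays in the set are accepted before the per-IP meter is consulted, so a
# relay carrying many users' circuits is never treated as an attacker.
write_nft_ruleset() {
    _out=$1; _per_ip=$2; _orport=$3; shift 3
    _relays=$(printf '%s, ' "$@"); _relays=${_relays%, }
    cat > "$_out" <<EOF
table inet tor_guard {
    set relays {
        type ipv4_addr
        elements = { $_relays }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        ip saddr @relays tcp dport $_orport accept
        tcp dport $_orport meter per_ip { ip saddr ct count over $_per_ip } counter drop
    }
}
EOF
}

# check_nft_ruleset FILE -> syntax-check without loading (skips if nft absent)
check_nft_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed, skipping check"; return 0; }
    nft -c -f "$1"
}

# Usage on the relay host (hypothetical paths):
#   conntrack_report
#   raise_conntrack_max 500000
#   write_nft_ruleset /etc/nftables.d/tor_guard.nft 100 9001 192.0.2.10 192.0.2.11
#   check_nft_ruleset /etc/nftables.d/tor_guard.nft && nft -f /etc/nftables.d/tor_guard.nft
```

The allow-list is the important part: the per-IP meter alone would still catch a relay that legitimately carries dozens of users' circuits to you, which is exactly the naughty-list problem described above. Populating the set with relay addresses (and an IPv6 twin of it) is left to whatever you already use to fetch the consensus; the script only shows where the exemption has to sit relative to the limit.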
