Hi friends, I made some smaller tweaks over the last few hours which should especially help relays in near-OOM or thrashing situations (making use of Zswap + MGLRU if available).
The rules themselves are just the same, so no changes there.

Merry Christmas,
Frank

------- Original Message -------
On Sunday, December 4th, 2022 at 11:25 PM, Frank Steinborn <[email protected]> wrote:

> Hi,
>
> I want to show you my anti-DDoS solution for my relays (as well ;-). It works
> without ipset, but with a mix of the recent and hashlimit iptables modules.
>
> What it does:
> * If one IP address tries to make 7 SYN connection attempts per second, they
>   are locked out for 300 seconds. If they try another connection in that
>   timeframe, the timer is reset and they are locked out for another 300 seconds.
> * There are no more SYNs allowed if 4 connections are already in use to the
>   ORPort.
>
> It works very well for me. Other solutions are far more aggressive, but I feel
> my solution works perfectly against the attacks, even if they are not that
> aggressive.
>
> On top of that, I feel it's easier to implement into one's existing firewall
> solution.
>
> You can find the repo here: https://github.com/steinex/tor-ddos
>
> Feel free to give it a shot and feedback would be much appreciated!
>
> Greetings,
> steinex

_______________________________________________
tor-relays mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
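The two rules described in the quoted message, written out as an added illustrative iptables script; this is not the code from the steinex/tor-ddos repo. It assumes ORPort 9001, IPv4 only, a chain named TOR_DDOS, and uses the connlimit match for the "4 connections already in use" rule, since the message does not say how that part is done.

```shell
#!/bin/sh
# Illustrative anti-DDoS ruleset for a Tor relay's ORPort (assumptions: port
# 9001, IPv4, chain TOR_DDOS). Set IPTABLES=echo for a dry run that prints the
# rules instead of applying them; applying for real needs root.
IPTABLES="${IPTABLES:-iptables}"
ORPORT="${ORPORT:-9001}"
CHAIN="TOR_DDOS"
SYN_RATE=7      # SYNs per second from one source before it is locked out
LOCKOUT=300     # lockout in seconds; refreshed by every SYN sent while locked out
MAX_CONNS=4     # concurrent connections per source to the ORPort (connlimit, assumed)

tor_ddos_rules() {
    $IPTABLES -N "$CHAIN"
    # 1. Source is already on the lockout list and was seen within LOCKOUT seconds:
    #    --update refreshes its timestamp, so every retry extends the lockout.
    $IPTABLES -A "$CHAIN" -m recent --name tor-lockout \
        --update --seconds "$LOCKOUT" -j DROP
    # 2. More than SYN_RATE SYNs per second from one source: add it to the
    #    lockout list (recent --set always matches) and drop the packet.
    $IPTABLES -A "$CHAIN" -m hashlimit --hashlimit-name tor-syn \
        --hashlimit-mode srcip --hashlimit-above "${SYN_RATE}/sec" \
        --hashlimit-burst "$SYN_RATE" \
        -m recent --name tor-lockout --set -j DROP
    # 3. Source already has MAX_CONNS connections to the ORPort: no further SYNs.
    $IPTABLES -A "$CHAIN" -m connlimit --connlimit-above "$MAX_CONNS" \
        --connlimit-mask 32 -j DROP
    # 4. Everything else passes to the normal INPUT policy.
    $IPTABLES -A "$CHAIN" -j RETURN
    # Only new TCP connections (SYN) to the ORPort are sent through the chain.
    $IPTABLES -I INPUT -p tcp --dport "$ORPORT" --syn -j "$CHAIN"
}

tor_ddos_remove() {
    $IPTABLES -D INPUT -p tcp --dport "$ORPORT" --syn -j "$CHAIN"
    $IPTABLES -F "$CHAIN"
    $IPTABLES -X "$CHAIN"
}

case "${1:-}" in
    apply)  tor_ddos_rules ;;
    remove) tor_ddos_remove ;;
esac
```

Run it as `sh tor-ddos.sh apply` (or `IPTABLES=echo sh tor-ddos.sh apply` to inspect the rules first); entries on the recent list expire only in the sense that rule 1 stops matching them after 300 seconds without a new SYN.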
