Re: [tor-relays] DoS attack on Tor exit relay
Can we have your fail2ban scripts for the OR port? The jail and rules? Gerry -Original Message- From: tor-relays On Behalf Of teor Sent: 01 August 2019 00:28 To: tor-relays@lists.torproject.org Subject: Re: [tor-relays] DoS attack on Tor exit relay Hi, > On 1 Aug 2019, at 02:27, Larry Brandt wrote: > > Yes, I have fail2ban installed but the attack is focused on my ORPort 9001. Similarly, I have an external firewall but it permits 9001 port passage. If you're trying to prevent too many connections, you can adjust the DoS torrc options: DoSConnectionEnabled 1 DoSConnectionMaxConcurrentCount 1 DoSConnectionDefenseType 2 If that works, try adjusting DoSConnectionMaxConcurrentCount a bit higher: 10 or 25 are good values. T -- teor -- ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Measuring the Accuracy of Tor Relays' Advertised Bandwidths
> On Jul 30, 2019, at 2:02 PM, Michael Gerstacker > wrote: > > Hi! > > Good to hear that you guys try to solve the problem of slow measured relays. > For example when i measure my relay > > 40108FDFA40EDB013F7291F3B4DA3D412ED3A5EF > > with the speedtest from tele2 i get about 90 MiB download and about 50 MiB > upload but Tor measures it with about 15 MiB. > Some of my relays are measured very accurate but other ones are measured with > only about 1/5 of what my results are. > Cool, I hope my experiment yields good results for your relay. > I read the sbws documentation about how the measuring process is working and > i am curious about how the experiment is measuring relays. > > if possible please publish a little more info about the experiment or at > least the results somewhere. > Thanks Note that I am not using sbws for this experiment, but rather a custom measurement process. The plan is to use multiple Tor clients to create multiple sockets to the target relay, and then each client will extend a circuit through the target and then back to one of a set of relays running on the same machine as the client. I'm hoping the use of multiple sockets will help mitigate the effects of packet loss. The results will be published when possible, after they have been analyzed and understood. Peace, love, and positivity, Rob ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Measuring the Accuracy of Tor Relays' Advertised Bandwidths
Hi again, > On 2 Aug 2019, at 08:18, Rob Jansen wrote: > >> On Jul 31, 2019, at 7:34 PM, teor wrote: >> >> Can you define "goodput"? > > Application-level throughput, i.e., bytes transferred in packet payloads but > not counting packet headers or retransmissions. In our case I mean the number > of bytes that Tor reports in the BW controller event. > >> How is it different to the bandwidth reported by a standard speed test? > > I believe that iperf also reports goodput as defined above. > >> How is it different to the bandwidth measured by sbws? > > I am not an expert on sbws, but I believe it also measures goodput. > >> Where is your server? > > West coast US. > >> How do you expect the location of your server to affect your results? > > I expect that the packet loss that occurs between my measurement machine and > the target may limit the goodput I am able to achieve, and packet loss tends > to occur more frequently on links with higher latency. Tor's stream window also limits the goodput of a single stream. The in-flight bandwidth is limited to 500 cells * 498 RELAY_DATA cell goodput bytes = 243 kBytes > I plan to use multiple sockets (as standard speed testing tools like iperf > do) and multiple circuits to try to mitigate the effects. Good. sbws only uses one stream at a time, and its streams are open for 5-10 seconds. > Note that this is meant to be a fairly simple experiment, not a complete > measurement system. Of course I won't be able to measure more than the > bandwidth capacity of my measurement machine, but many relays already carry > significant load so I'll just be giving them a boost. Sounds like a useful experiment. If using multiple circuits for 20 seconds makes a significant difference to some relays, we should consider changing sbws to: * use multiple circuits, * use 2 streams per circuit (to fill each circuit window), and * run each test for 20 seconds. Or we could modify the relay bandwidth self-test to: * use significantly more bandwidth, and try to find the bandwidth limit for each relay, and * run each test for 20 seconds. (The relay bandwidth self-test uses DROP cells on multiple circuits, so stream windows don't apply.) T ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Measuring the Accuracy of Tor Relays' Advertised Bandwidths
> On Jul 31, 2019, at 7:34 PM, teor wrote: > > Hi Rob, > Hey there! > Can you define "goodput"? Application-level throughput, i.e., bytes transferred in packet payloads but not counting packet headers or retransmissions. In our case I mean the number of bytes that Tor reports in the BW controller event. > How is it different to the bandwidth reported by a standard speed test? I believe that iperf also reports goodput as defined above. > How is it different to the bandwidth measured by sbws? I am not an expert on sbws, but I believe it also measures goodput. > Where is your server? West coast US. > How do you expect the location of your server to affect your results? I expect that the packet loss that occurs between my measurement machine and the target may limit the goodput I am able to achieve, and packet loss tends to occur more frequently on links with higher latency. I plan to use multiple sockets (as standard speed testing tools like iperf do) and multiple circuits to try to mitigate the effects. Note that this is meant to be a fairly simple experiment, not a complete measurement system. Of course I won't be able to measure more than the bandwidth capacity of my measurement machine, but many relays already carry significant load so I'll just be giving them a boost. Peace, love, and positivity, Rob ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays