#28367: RFE additional DOS mitigations for exits
--------------------------+----------------------------------
 Reporter:  starlight     |          Owner:  (none)
     Type:  enhancement   |         Status:  closed
 Priority:  Medium        |      Milestone:  Tor: unspecified
Component:  Core Tor/Tor  |        Version:  Tor: unspecified
 Severity:  Normal        |     Resolution:  duplicate
 Keywords:  tor-dos       |  Actual Points:
Parent ID:  #24797        |         Points:
 Reviewer:                |        Sponsor:
--------------------------+----------------------------------
Comment (by teor):

 Replying to [comment:3 starlight]:
 > An obvious objection to ulimit -n as a control is that this is
 > simplistic with respect to multi-homed systems and may not always result
 > in resilient behavior. Port limits operate with respect to IP addresses
 > rather than at global daemon level. If ulimit -n is saturated, it will
 > not be possible to open new control connections.

 You can open new control connections if you set ulimit -n to a level your
 system can handle, and also set `DisableOOSCheck 0`:

 > > To reduce the number of file handles, use ulimit -n (limit) or the
 > > equivalent daemon launcher option.
 > >
 > > You may also want to set DisableOOSCheck 0 in your torrc, which causes
 > > tor to terminate connections at around 90% of the limit, rather than
 > > failing.

 Replying to [comment:4 starlight]:
 > Another point to think about is rate limiting of connections. Scanners
 > generally operate by extending a number of circuits to an exit and then
 > rapidly opening streams / edge_connections on each, so an effective way
 > to mitigate this form of behavior is to have a rate limit that curtails
 > or kills circuits that rapidly initiate connections while leaving calmer
 > circuits untouched. The first-priority flesh-and-blood users who browse
 > the web can continue unharassed while bots get squelched.

 You're right: we should work out a way of rate-limiting exit connections
 as well.

 Until we do that, I suggest using a firewall to rate-limit the number of
 new outbound connections. It's not as targeted as inbound connections per
 IP address, but it will help.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28367#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
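The per-circuit rate limit that starlight proposes and teor agrees is worth building appears in the thread only as an idea; the sketch below is an added illustration of that idea, not Tor's code. It keeps a token bucket per circuit so that a circuit opening streams in a rapid burst is first throttled and then killed, while a circuit opening streams at browsing pace is never touched; the circuit ids, timestamps and thresholds are constructed for the example.

```python
from collections import defaultdict


class StreamRateLimiter:
    """Token bucket per circuit: up to `burst` stream opens at once, refilled
    at `rate` per second. A circuit that keeps opening streams on an empty
    bucket is killed after `kill_after` rejections. Illustration only; this
    is not Tor's implementation and the thresholds are constructed."""

    def __init__(self, rate: float, burst: int, kill_after: int):
        self.rate = rate
        self.burst = burst
        self.kill_after = kill_after
        self.buckets = {}                 # circ_id -> (tokens, last_seen)
        self.rejected = defaultdict(int)  # circ_id -> rejected opens so far
        self.killed = set()

    def allow_stream(self, circ_id: int, now: float) -> bool:
        """Return True if a new stream on circ_id may be opened at time now."""
        if circ_id in self.killed:
            return False
        tokens, last = self.buckets.get(circ_id, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[circ_id] = (tokens - 1.0, now)
            return True
        self.buckets[circ_id] = (tokens, now)
        self.rejected[circ_id] += 1
        if self.rejected[circ_id] >= self.kill_after:
            self.killed.add(circ_id)      # squelch the bursty circuit
        return False


def run_sample() -> dict:
    """Replay constructed (timestamp, circ_id) stream-open events: circuit 1
    is a browser opening one stream every 0.5 s, circuit 2 is a scanner
    firing 40 opens within 0.4 s. Timestamps are seconds."""
    events = [(0.5 * i, 1) for i in range(10)]
    events += [(2.0 + 0.01 * i, 2) for i in range(40)]
    events.sort()
    limiter = StreamRateLimiter(rate=2.0, burst=10, kill_after=5)
    attempted, allowed = defaultdict(int), defaultdict(int)
    for now, circ in events:
        attempted[circ] += 1
        if limiter.allow_stream(circ, now):
            allowed[circ] += 1
    return {"attempted": dict(attempted), "allowed": dict(allowed),
            "killed": sorted(limiter.killed)}
```

With these constructed parameters the browsing circuit gets all 10 of its opens through, while the scanner gets its initial burst of 10, is rejected five times and is then killed for the remaining opens.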