-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

krishna e bera:
> On 13-10-20 12:42 PM, Gordon Morehouse wrote:
>> First, during a SYN flood type overload, some peers which have
>> *existing* circuits built through the relay and are sending SYNs
>> as normal traffic, will stochastically get "caught" in the filter
>> and banned for a short time. If these hosts already have
>> circuits open through the relay which is overloaded, I would
>> prefer to preserve those circuits rather than break them. My
>> defensive strategy versus overload here is to throttle new
>> circuit creation requests, *not* to break existing circuits.
>> ...
>> If a tor relay has a circuit built through a peer, and the peer
>> starts dropping 100% of packets, how long will it take before the
>> relay with the circuit "gives up" on the circuit and tears it
>> down? I want to set my temp ban time *below* this timeout.
>> Thus, unlucky peers that were caught in the filter and have
>> circuits already built through the relay will experience a
>> brief performance degradation, but they won't lose their active
>> circuits through the overloaded relay, and in the meantime
>> hopefully the overload condition is becoming resolved.
>>
>> Is there such a timeout? There must be. Can someone tell me
>> what it is?
>
> Would something like a conntrack-tools help? Maybe it provides
> more direct connection control than trying to game the timings.
> http://conntrack-tools.netfilter.org/

Probably would, though it might be faster to slink over to tor-dev and
ask, get a dev to notice in here (which is what I'm trying to do ;)), or
dig through the source code myself - I'm not a C programmer but I can
read it okay.

> Also, to what extent would/could the Tor network (or a small group
> of nodes) count as a "high availability cluster" for entry
> firewalling purposes? Would clustering help protect against timing
> attacks on relays or hidden services?

You mean, if you have a circuit, sending some bytes of I/O over entry
node A, some over entry node B, etc? Not quite sure what you're asking.

> (I lack expertise or resources to answer any of the above, but
> reading Gordon Morehouse's project got me searching and curious.)

I'm glad it's doing somebody some good, or taking up time that could've
been otherwise wasted on Buzzfeed or something ;) Not that you'd do
that. ;)

Best,
- -Gordon M.
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJSbYaFAAoJED/jpRoe7/ujqNkH/iq89otAE4S6VUmUPrgFlSSg
dLisPP6LiAPMT6+dwCJ/Lg+YdHuzOfuq428+fDyel7Aemg6J3kPPBDDnKp1kMbCX
39pM0RFCKRsj6LWQTSsOtFQfTbljDBhkhf/HscLkQv76myRVeA9zqh1mxwUGmpKx
EXLC2bBY+tFZeuSx3/7a9IXt4JOSuuBIR+JPQEwigTfHtWSBO/JUuxIWXlVvASqZ
26GHqMeWJm7jPgv3PPt3CbeZpMlufqEZ+RGyCQLXXnNdU5Fs2EUy2C5N4Y9RsL8z
9tGJnEMhm6DQW46kR1bLboW7VrJSHvDPVIHptbfxZg0uDAUaAOFtOADgUWCqmXY=
=Wy0W
-----END PGP SIGNATURE-----
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
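The trade-off the thread is circling (a SYN-rate ban that also catches peers holding live circuits, versus conntrack-style state that lets existing flows through) can be seen in a small model. The Python below is an added example, not code from the thread, from Tor, or from netfilter. It contrasts a naive filter that drops every packet from a rate-limited source with one that accepts packets on already-established flows before the ban lookup (the analogue of an ESTABLISHED,RELATED accept rule placed ahead of the SYN rate rule), so only new connection attempts are throttled. The names SynFilter, run, constructed_trace, the parameters SYN_LIMIT, WINDOW_SECS and ban_secs, and the packet trace are all mine; CIRCUIT_TIMEOUT is a placeholder, since the thread asks for Tor's real dead-circuit timeout and does not get an answer.

```python
"""Model of a SYN-rate ban filter in front of a relay.

Constructed simulation (added example): it is not Tor or netfilter code.
It contrasts a naive ban that drops every packet from a rate-limited source
with a conntrack-style filter that accepts packets on ESTABLISHED flows
before the ban check, so existing connections (and the circuits riding on
them) survive while only new connection attempts are throttled.
"""
from collections import defaultdict, deque

# Assumed knobs, not values from the thread. The thread asks what the relay's
# dead-circuit timeout is and gets no answer, so CIRCUIT_TIMEOUT is a placeholder.
SYN_LIMIT = 3            # SYNs a source may send per window before being banned
WINDOW_SECS = 10.0       # sliding window over which SYNs are counted
CIRCUIT_TIMEOUT = 60.0   # hypothetical time until a relay gives up on a silent circuit


class SynFilter:
    def __init__(self, established_first: bool, ban_secs: float):
        self.established_first = established_first   # accept ESTABLISHED before the ban check?
        self.ban_secs = ban_secs
        self.syn_times = defaultdict(deque)           # src -> timestamps of recent SYNs
        self.banned_until = {}                        # src -> time the ban expires
        self.established = set()                      # (src, sport) flows seen to complete

    def handle(self, pkt: dict, now: float) -> str:
        """Return the verdict 'ACCEPT' or 'DROP' for one packet."""
        src, flow = pkt["src"], (pkt["src"], pkt["sport"])
        # Conntrack-aware ordering: an ESTABLISHED flow is accepted before any
        # ban lookup, like an ESTABLISHED,RELATED accept rule placed ahead of
        # the SYN rate rule. The naive filter skips this step.
        if self.established_first and flow in self.established:
            return "ACCEPT"
        if self.banned_until.get(src, 0.0) > now:
            return "DROP"
        if pkt["flags"] == "SYN":
            recent = self.syn_times[src]
            while recent and now - recent[0] > WINDOW_SECS:
                recent.popleft()
            recent.append(now)
            if len(recent) > SYN_LIMIT:
                self.banned_until[src] = now + self.ban_secs
                return "DROP"
            self.established.add(flow)   # simplification: accepted SYN -> handshake completes
            return "ACCEPT"
        # Non-SYN packet: valid only on a flow we have seen established.
        return "ACCEPT" if flow in self.established else "DROP"


def constructed_trace() -> list:
    """Constructed packet trace: one long-lived connection carrying a circuit,
    then a burst of new connections from the same peer that trips the limit."""
    peer = "10.0.0.1"
    pkts = [(0.0, {"src": peer, "sport": 40000, "flags": "SYN"})]
    # Cell traffic on the long-lived connection before the burst.
    pkts += [(float(t), {"src": peer, "sport": 40000, "flags": "DATA"}) for t in (20, 40, 60, 80)]
    # SYN_LIMIT + 1 new connections inside one window: normal for a busy peer,
    # but enough to trigger the ban.
    pkts += [(100.0 + i, {"src": peer, "sport": 41000 + i, "flags": "SYN"})
             for i in range(SYN_LIMIT + 1)]
    # Cell traffic on the long-lived connection continues every 5 s.
    pkts += [(float(t), {"src": peer, "sport": 40000, "flags": "DATA"}) for t in range(105, 201, 5)]
    return pkts


def run(established_first: bool, ban_secs: float) -> tuple:
    """Replay the trace; return (DATA packets dropped on the circuit's flow,
    whether that flow went silent for CIRCUIT_TIMEOUT or longer)."""
    flt = SynFilter(established_first, ban_secs)
    data_dropped, last_ok, circuit_broken = 0, 0.0, False
    for now, pkt in constructed_trace():
        verdict = flt.handle(pkt, now)
        if pkt["sport"] != 40000:
            continue                      # only the circuit-carrying flow matters here
        if verdict == "ACCEPT":
            last_ok = now
        elif pkt["flags"] == "DATA":
            data_dropped += 1
            if now - last_ok >= CIRCUIT_TIMEOUT:
                circuit_broken = True
    return data_dropped, circuit_broken


if __name__ == "__main__":
    print("naive, ban 30 s  :", run(False, 30.0))   # circuit degraded but survives
    print("naive, ban 90 s  :", run(False, 90.0))   # ban outlives the timeout: circuit torn down
    print("established first:", run(True, 30.0))   # new SYNs throttled, circuit untouched
```

The first two runs reproduce the plan in the quoted message: with a whole-source ban, the circuit survives only as long as the ban stays below the relay's give-up time. The third run is the conntrack suggestion: once established flows are matched before the ban, the ban length no longer needs to be tuned against a timeout nobody in the thread knows, because the peer's existing connection is never dropped in the first place.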