Lars Noodén:
> On 11/06/2013 01:26 PM, mick wrote:
>> I disagree. Dropping all traffic other than that which is
>> explicitly required is IMHO a better practice. (And how do you
>> know in advance which ports get attacked?)
>
> Using reject instead of drop simplifies troubleshooting.
>
> http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject
>
> Drop tends to get in the way.
I agree with the above document, but on really low-end hardware (hi, I'm the resident Raspberry Pi person ;)), and with consumer routers, REJECT can also cause problems during a Tor SYN flood by consuming resources on both the relay and the router.

Since I *do* agree with REJECTing when possible, I do a two-stage approach and only DROP hosts which have proven themselves more aggressive than I can deal with during an overload condition. This saves some resources to keep the relay alive.

Best,
-Gordon M.

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
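The two-stage REJECT/DROP policy described in the post, written out as an added example that is not part of the original message or of Tor's own configuration: iptables rules (assumed IPv4, the `recent` match available, ORPort 9001, illustrative thresholds) that REJECT unwanted traffic by default and silently DROP only sources that exceed a SYN burst, for as long as they keep hitting the host.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): two-stage REJECT/DROP
# policy for a Tor relay. Assumptions: IPv4 iptables with the "recent"
# match, ORPort 9001, and the thresholds below are illustrative.
IPT="${IPT:-iptables}"
ORPORT="${ORPORT:-9001}"
SYN_BURST="${SYN_BURST:-15}"  # new SYNs per source within WINDOW; keep <= 20
                              # unless xt_recent's ip_pkt_list_tot is raised
WINDOW="${WINDOW:-10}"        # seconds over which SYNs are counted
BAN="${BAN:-600}"             # seconds a flagged source stays in stage 2

apply_rules() {
  # Stage 2 chain: flag the source as aggressive and drop it silently.
  $IPT -N TOR_AGG
  $IPT -A TOR_AGG -m recent --name tor_agg --set -j DROP

  $IPT -A INPUT -i lo -j ACCEPT
  # Already-flagged sources are dropped; every packet refreshes the entry,
  # so a host that keeps flooding stays dropped until it goes quiet for BAN.
  $IPT -A INPUT -m recent --name tor_agg --update --seconds "$BAN" -j DROP
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Count new SYNs per source (to any port) and escalate a source that
  # sends more than SYN_BURST of them within WINDOW seconds.
  $IPT -A INPUT -p tcp --syn -m recent --name tor_syn --set
  $IPT -A INPUT -p tcp --syn -m recent --name tor_syn --rcheck \
    --seconds "$WINDOW" --hitcount "$SYN_BURST" -j TOR_AGG
  # Stage 1: the relay port is open; everything else is REJECTed so peers
  # and troubleshooting get an immediate answer instead of a timeout.
  $IPT -A INPUT -p tcp --dport "$ORPORT" -j ACCEPT
  $IPT -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  $IPT -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

# Print the rules by default; set APPLY=1 to install them for real.
[ "${APPLY:-0}" = "1" ] || IPT="echo iptables"
apply_rules
```

Run without APPLY=1 to review the generated rules before installing them; flagged sources can be inspected in /proc/net/xt_recent/tor_agg.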