Re: [tor-relays] connlimit: better to use "DROP" or "REJECT --reject-with tcp-reset"?

Mon, 08 Jan 2018 21:34:10 -0800 

> On 6 Jan 2018, at 06:05, Zack Weinberg <za...@cmu.edu> wrote:
> 
>> On Fri, Jan 5, 2018 at 1:44 PM, tor <t...@anondroid.com> wrote:
>> For relay operators using iptables connlimit to mitigate DoS attacks (or 
>> increased load from new clients), is it better for the Tor network to use 
>> "DROP" rules, or should we use something like "REJECT --reject-with 
>> tcp-reset"?
> 
> REJECT is friendlier to clients that are not misbehaving but happen to
> be caught in the crossfire, and to the Internet as a whole.
> 
> I personally think DROP should only ever be used as a desperation
> measure when the DoS load is so high that you can't even afford to
> send RSTs.

I've tried various ways of limiting Tor's RAM and CPU.
MaxAdvertisedBandwidth was effective, as was limiting Tor's file
descriptors and DisableOOSCheck 1. MaxMemInQueues had a minor impact.

So I decided to use a firewall to limit connections.

If I send RST, a Tor client will immediately try another guard.
If I DROP, the Tor client will timeout before trying another guard.

For misbehaving clients, I want to DROP.
For regular clients, I want to RST. (Or let them connect.)

So I want to set a high connection limit, and use DROP.

I see up to 700 connections per IP, and I see normal residential
IP addresses start at around 80. I don't think that clients with more
than 100 connections per IP will get much bandwidth anyway.

I used this command:

netstat -n | grep ESTABLISHED | awk '{print $5}' | cut -d: -f1 | sort | uniq -c 
| sort -rn | head

All the connections over 100 were at Hetzner, OVH, and Leaseweb.
(This command gives /16s for IPv6, but these clients aren't
using IPv6.)

So I set up this firewall rule:

/sbin/iptables -A INPUT -p tcp --syn ! --dport 22 -m connlimit 
--connlimit-above 100 -j DROP

You should replace 22 with the list of ports you use for SSH and other
important connections, just in case.

And I installed iptables-persistent to save the rules.
(It might be Debian-specific).

After I set up the firewall, the connections slowly dropped from 700
down to around 100. It only affects new connections, so it might take
a while.

T


--
Tim / teor

PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
------------------------------------------------------------------------

Attachment: signature.asc
Description: Message signed with OpenPGP

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Reply via email to