> On 6 Jan 2018, at 06:05, Zack Weinberg <za...@cmu.edu> wrote: > >> On Fri, Jan 5, 2018 at 1:44 PM, tor <t...@anondroid.com> wrote: >> For relay operators using iptables connlimit to mitigate DoS attacks (or >> increased load from new clients), is it better for the Tor network to use >> "DROP" rules, or should we use something like "REJECT --reject-with >> tcp-reset"? > > REJECT is friendlier to clients that are not misbehaving but happen to > be caught in the crossfire, and to the Internet as a whole. > > I personally think DROP should only ever be used as a desperation > measure when the DoS load is so high that you can't even afford to > send RSTs.
I've tried various ways of limiting Tor's RAM and CPU. MaxAdvertisedBandwidth was effective, as was limiting Tor's file descriptors and DisableOOSCheck 1. MaxMemInQueues had a minor impact. So I decided to use a firewall to limit connections. If I send RST, a Tor client will immediately try another guard. If I DROP, the Tor client will timeout before trying another guard. For misbehaving clients, I want to DROP. For regular clients, I want to RST. (Or let them connect.) So I want to set a high connection limit, and use DROP. I see up to 700 connections per IP, and I see normal residential IP addresses start at around 80. I don't think that clients with more than 100 connections per IP will get much bandwidth anyway. I used this command: netstat -n | grep ESTABLISHED | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | head All the connections over 100 were at Hetzner, OVH, and Leaseweb. (This command gives /16s for IPv6, but these clients aren't using IPv6.) So I set up this firewall rule: /sbin/iptables -A INPUT -p tcp --syn ! --dport 22 -m connlimit --connlimit-above 100 -j DROP You should replace 22 with the list of ports you use for SSH and other important connections, just in case. And I installed iptables-persistent to save the rules. (It might be Debian-specific). After I set up the firewall, the connections slowly dropped from 700 down to around 100. It only affects new connections, so it might take a while. T -- Tim / teor PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n ------------------------------------------------------------------------
signature.asc
Description: Message signed with OpenPGP
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays