On Mittwoch, 17. August 2022 19:31:48 CEST Logforme wrote:
> I run the relay 8F6A78B1EA917F2BF221E87D14361C050A70CCC3
> 
> I have tried to mitigate the current DoS by implemented connection
> limits in my iptables using Toralf's template: More than 25 connection
> during 10 mins and you end up on my naughty list.
> Lots of connection attempts from the naughty list dropped but still my
> relay gets "overloaded"
> 
> However, I have noticed that a few relays also end up on the naughty
> list, and I wonder how that can happen. My understanding is that a relay
> will only open 1 connection to another relay so should therefore never
> end up on the list. Correct?

10, 20 or more users can have set up the circuits using the same relays.
kantorkel's Article10 relays have more than 100 connections per IP to me.

On my smaller relays I allow 100 connections per IP:
https://privatebin.deblan.org/?b4768471c3c9e7ef#EhDETgMKQRvpL6VwH7ABE3bN2cuM68PRVj3fmmAC8k54

But I can't use that on the big servers because Linux kernel “conntrack” tables 
and nftables sets only have 65535 entries.
See: The dark side of using conntrack
https://blog.cloudflare.com/conntrack-tales-one-thousand-and-one-flows/

> D767979FE4C99D310A46EC49037E9FE7E3F64E9D is a particularly frequent
> naughty boy.
;-)  It is very, very unlikely that there is a naughty relay in AS680.
That relay most likely does DNS-, BW- or network healing test in the Tor 
network.
https://metrics.torproject.org/rs.html#search/as:AS680
(German university or research institutes)

> I guess my real question is if these connections are legit and I'm
> hurting the Tor network by using connection limits?
Yes, never block other relays.
If you think there is somewhere a malicious relay, report it on bad-relay or in 
this list.


-- 
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!

Attachment: signature.asc
Description: This is a digitally signed message part.

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Reply via email to