The DoSCircuitCreation/DoSConnection configs are unrelated to what
ReevaluateExitPolicy allows.
DoSCircuitCreation/DoSConnection are enacted by guards, to protect
themselves, and to some extent the rest of the network, from "noisy
IPs" trying to connect to Tor.
ReevaluateExitPolicy is not a DoS option; it doesn't take any action
automatically. It is only useful on exit nodes, and is roughly
equivalent to running the right tcpkill incantation to kill all
already established connections to IP/ports not allowed by a new
ExitPolicy (but that were allowed when these connections were
initiated).

On Sat, 10 Aug 2024 at 01:23, George Hartley via tor-relays
<tor-relays@lists.torproject.org> wrote:
>
> Then these must be targeted attacks, as I have never encountered something 
> like this during 10 years of relay operation under different providers and 
> aliases.
>
> Sorry, but the Tor logs that I am seeing suggest that most DoS gets mitigated.
>
> As far as I know, the concurrent connection (not circuit!) DoS defense is 
> relatively new, so give the developers some time.
>
> Also, any default IPTables rule-set should automatically either reject or 
> just drop connections above a certain threshold.
>
> All the best,
> George
>
> On Friday, August 9th, 2024 at 8:59 PM, boldsuck <li...@for-privacy.net> 
> wrote:
>
> > On Wednesday, 7 August 2024 14:30:27 CEST George Hartley via tor-relays
> > wrote:
> >
> > > This is already impossible, as both circuit and concurrent connection DoS
> > > get detected and the IP in question flagged and blacklisted.
> >
> > No.
> > DoS has been a topic of conversation at nearly all relay meetings for over 2
> > years. Enkidu and Toralf have developed Tor-ddos IPtables rules for the
> > community. Article10 specifically for Tor exits and trinity has developed the
> > patch.
> >
> > https://gitlab.torproject.org/tpo/core/tor/-/issues/40676
> > Roger, Mike, Nick and Perry certainly wouldn't have let Trinity develop the
> > feature if the current DoS mitigations in Tor had helped.
> >
> > > Please see the manual on this:
> > >
> > > https://2019.www.torproject.org/docs/tor-manual.html.en#DoSCircuitCreationEnabled
> >
> > This is a client to relay detection only. "auto" means use the consensus
> > parameter. (Default: auto)
> > It is defined in the consensus:
> > https://consensus-health.torproject.org/#consensusparams
> >
> > > > Example: 500K connections from IP 1.2.3.4
> >
> > These are numbers from reality and not fantasy.
> > AFAIK, Article10 and relayon already had 1,000,000 connections per IP!
> >
> > --
> > ╰_╯ Ciao Marco!
> >
> > Debian GNU/Linux
> >
> > It's free software and it gives you
> > freedom!
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
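As an added illustration of the point made above about ReevaluateExitPolicy (this is not code from the thread or from Tor): the functions below parse IPv4 ExitPolicy entries, apply them first-match to a constructed list of established exit streams, and return the streams a tightened policy no longer allows, which is the set a tcpkill-style cleanup would target. Function names, the sample policy and the connection list are invented; unmatched streams are accepted for simplicity, so the policy is assumed to end in an explicit `*:*` rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                           # "accept" or "reject"
    net: Optional[ipaddress.IPv4Network]  # None stands for "*"
    ports: tuple                          # inclusive (low, high); (1, 65535) for "*"


def parse_policy(text: str) -> list:
    """Parse IPv4 ExitPolicy entries like 'reject 10.0.0.0/8:*' or 'accept *:80-443' (comma/newline separated)."""
    rules = []
    for entry in (e.strip() for e in text.replace("\n", ",").split(",") if e.strip()):
        action, spec = entry.split(None, 1)
        if action not in ("accept", "reject"):
            raise ValueError(f"unknown action in {entry!r}")
        addr, sep, port = spec.rpartition(":")
        if not sep:                       # no port given: treat as all ports
            addr, port = spec, "*"
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if port == "*":
            lo, hi = 1, 65535
        else:
            lo, _, hi = port.partition("-")
            lo, hi = int(lo), int(hi or lo)
        rules.append(Rule(action, net, (lo, hi)))
    return rules


def allowed(rules, ip: str, port: int) -> bool:
    """First matching rule wins; an unmatched stream is accepted here (assumption: caller ends with '*:*')."""
    addr = ipaddress.ip_address(ip)
    for r in rules:
        if (r.net is None or addr in r.net) and r.ports[0] <= port <= r.ports[1]:
            return r.action == "accept"
    return True


def streams_to_kill(new_policy: str, established) -> list:
    """Established (ip, port) streams the new ExitPolicy no longer allows: what a tcpkill cleanup targets."""
    rules = parse_policy(new_policy)
    return sorted({s for s in established if not allowed(rules, s[0], s[1])})


# Constructed sample: policy tightened to drop SMTP and one abused /24.
NEW_POLICY = "reject *:25, reject 192.0.2.0/24:*, accept *:80, accept *:443, reject *:*"
ESTABLISHED = [("203.0.113.7", 443), ("198.51.100.9", 25),
               ("203.0.113.7", 80), ("192.0.2.44", 6667)]
```

Calling `streams_to_kill(NEW_POLICY, ESTABLISHED)` yields the two streams (the SMTP stream and the one into 192.0.2.0/24) that were fine under the old policy but are rejected by the new one.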