[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Tor DDoS Mitigation iptables scripts update. Version 4.0.1



Hi Andres,

Not at all. That's how I'm running my own relays. Just run the
**combined.sh** on each individual VM and you'll be fine.

As for the ORPort, yes, I agree. There are ways to read the torrc file
and set the ORPort automatically. I will incorporate that into the
scripts in future versions. My original intention was to put something
simple together with minimum complexity that anyone with little or no
expertise can understand and modify if necessary without breaking the code.

I've also set up a [Discussion
Board](https://github.com/Enkidu-6/tor-ddos/discussions) for the
repository on github in case you have any questions, suggestions or
simply need further help.


On 12/1/2022 11:57 AM, Anders Trier Olesen wrote:
> Hi Chris
>
> We run all the 12 dotsrc relays on a single host with many IP
> addresses. Would we need to change anything?
>
> Btw, you can make the scripts find the all the OR ports by running
> something like ‘ss -pl | grep tor’.
>
> - Anders
>
> tor. 1. dec. 2022 kl. 09.02 skrev Chris <tor@xxxxxxxxxxxxxxx
> <mailto:tor@xxxxxxxxxxxxxxx>>:
>
>     Background:
>
>     A set of bash scripts used to apply iptables rules to fight the
>     current
>     DDoS attacks. They require no dependencies to install except
>     iptable/nftables which all Linux flavors already have and require no
>     particular expertise. The issue was discussed here:
>
>     [issue
>     40093](https://gitlab.torproject.org/tpo/community/support/-/issues/40093)
>
>     Change log:
>
>     Some modifications due to a change in the nature of the attacks.
>
>     - Re ordered rules for more efficiency and reducing the load
>     - Removed the hashlimit rule as it puts more load on the system
>     with not
>     much overall benefit as the attackers have adapted to it and it
>     reduces
>     the size of the block list.
>     - Reduce the number of allowed concurrent connections to 2 if
>     you're not
>     a relay.
>     - Use of remove.sh cron script at regular intervals (optional)
>     will give
>     relays a chance to create up to 4 connections if they need to.
>     ******- Created a new cron file **refresh-authorities.sh** to refresh
>     your allow-list with the most up to date IP addresses for the
>     authorities and snowflake. Should be run daily.
>     - Removed an unnecessary line in the update files.
>     - Modified Readme.MD file to reflect new changes.
>
>     The new modifications have been tested for two weeks now and the
>     systems
>     are running smoothly with no ill effect.
>
>     You can read more and download here:
>
>     [Enkidu-6 tor-ddos on Github](https://github.com/Enkidu-6/tor-ddos)
>
>     To avoid occasional NTor drops a minimum NumCPUs 16 in torrc is
>     recommended.
>
>     P.S.
>     The NumCPUs option is unfortunately poorly documented. It really has
>     nothing to do with the number of CPUs you have. It's about the
>     number of
>     worker threads Tor will create to deal with decryption of
>     onionskins. So
>     you can have two CPUs and still set NumCPUs to 16.
>
>
>     _______________________________________________
>     tor-relays mailing list
>     tor-relays@xxxxxxxxxxxxxxxxxxxx
>     <mailto:tor-relays@xxxxxxxxxxxxxxxxxxxx>
>     https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays