
[tor-relays] blocking >1 connections per ip address onto Tor DirPort



Hi everybody

>>> Does a particular Tor server/client will open more than 1
>>> connection at a time to the DirPort ?

>> If you're worried about denial of service issues on the DirPort,
>> maybe the simple answer is to turn off the DirPort? I think the
>> only real impact might have something to do with whether old
>> clients believe that you're a usable guard.

> understood - removed those iptables rules

Good discussion. My experience is protecting the DirPort makes
sense to avoid DDoS attempts.

During my Debian times this rule worked fine for me:

# -m limit counts every TCP packet to port 80, not only new connections: accept
# ESTABLISHED traffic before this rule and DROP port 80 after it, otherwise the
# excess simply falls through to the chain policy.
/sbin/iptables -A INPUT -p tcp -d $IPEXT --dport 80 \
    -m limit --limit 5/s --limit-burst 50 -j ACCEPT


On FreeBSD I go with something like:

table <blockDIR> persist   # overload target; persist keeps it even when empty
pass in on $IFEXT inet proto tcp from !<blockDIR> to $IPEXT port 80 \
    flags S/SA keep state (max 150, max-src-states 50, max-src-conn 50, \
    max-src-conn-rate 20/10, overload <blockDIR>)
# overloaded sources no longer match this pass rule; unless the ruleset blocks
# by default, a block rule for <blockDIR> is needed to actually deny them

# release the blockDIR after some hours
pfctl -t blockDIR -T expire 7200 # hourly cron job


--
Cheers, Felix
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
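As an added example (not from Felix's post and not pf code): a small Python model of what the `max-src-conn-rate 20/10, overload <blockDIR>` part of the pf rule does, run over constructed connection timestamps, so an operator can see which sources would land in the overload table before deploying the rule. The sample addresses are RFC 5737 documentation addresses, and the 7200 s expiry is assumed to run continuously rather than from an hourly cron job.

```python
from collections import defaultdict, deque


def build_sample():
    """Constructed sample: (seconds, source ip) of new TCP connections to the DirPort.
    Addresses are from the RFC 5737 documentation ranges; this is not real traffic."""
    conns = [(i * 0.2, "198.51.100.7") for i in range(25)]        # 25 SYNs in 5 s
    conns += [(2.0 * i, "203.0.113.5") for i in range(30)]        # one every 2 s for a minute
    conns += [(100.0, "198.51.100.7"), (7300.0, "198.51.100.7")]  # burst source returns
    return sorted(conns)


def simulate_overload(connections, max_conn=20, window=10, expire=7200):
    """Model 'max-src-conn-rate max_conn/window, overload <blockDIR>' plus a
    'pfctl -t blockDIR -T expire' of `expire` seconds.
    Returns a list of (ts, ip, verdict), verdict in {"pass", "overload", "blocked"}.
    Assumption: entries age out exactly `expire` s after insertion; the real hourly
    cron job checks once an hour, so real blocks last up to an hour longer."""
    recent = defaultdict(deque)   # per source: connection times inside the window
    blocked = {}                  # per source: time it entered the overload table
    decisions = []
    for ts, ip in connections:
        if ip in blocked and ts - blocked[ip] >= expire:
            del blocked[ip]       # table entry expired
        if ip in blocked:
            decisions.append((ts, ip, "blocked"))   # 'from !<blockDIR>' no longer matches
            continue
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()           # slide the rate window forward
        q.append(ts)
        if len(q) > max_conn:     # more than max_conn new connections within window s
            blocked[ip] = ts
            decisions.append((ts, ip, "overload"))
        else:
            decisions.append((ts, ip, "pass"))
    return decisions


def summarize(decisions):
    """Count verdicts per source, e.g. {"198.51.100.7": {"pass": 21, ...}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for _, ip, verdict in decisions:
        counts[ip][verdict] += 1
    return {ip: dict(v) for ip, v in counts.items()}


if __name__ == "__main__":
    for ip, verdicts in summarize(simulate_overload(build_sample())).items():
        print(ip, verdicts)
```

The steady one-connection-every-2-seconds source never exceeds 20 in any 10 s window and passes throughout, while the bursting source is overloaded on its 21st SYN and stays blocked until the expiry has passed.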