
Re: [tor-relays] DoS attacks are real (probably)



Alex Xu <alex_y_xu@xxxxxxxx> wrote:

> Quoting Felix (2017-12-11 17:07:30), as excerpted
> > Hi Alex
> > 
> > Great points.
> > 
> > >     conntrack -L -p tcp --dport 9001 | awk '{print $5}' | sort | uniq -c | sort -n
> > 
> > On FreeBSD one can do:
> > 
>
> yeah, the optimal rule would ban "bad IPs" after some threshold of
> connections, like "if one IP makes >1 conn/sec for at least 1 minute ban
> for 1 hour" or something. I'm hoping to fix the underlying issue in Tor
> so that low-bandwidth attacks like these are less effective.

     FWIW, the method that Felix posted should also work in DragonflyBSD
and NetBSD.  It may also work in OpenBSD, but the caveat is that the OpenBSD
project has continued to develop its implementation of pf, so I don't know
whether Felix's solution still works in OpenBSD.  The other three BSDs' pf
support has not been synchronized with that of the originating project
(OpenBSD) for many years.  Perhaps an OpenBSD tor relay operator can comment
here on this matter.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:   bennett at sdf.org   *xor*   bennett at freeshell.org  *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
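The quoted thread does two things: it counts live connections per source address (the `conntrack -L ... | awk '{print $5}' | sort | uniq -c` pipeline) and sketches a ban heuristic ("more than 1 connection per second for at least 1 minute"). The script below is an added example written for this page, not code from Scott, Alex, Felix or the Tor project. It parses constructed `conntrack -L`-style lines (documentation-range addresses, not real relay data) to reproduce the per-source count with the port filter applied in code, and applies one literal reading of Alex's heuristic to a constructed connection log: a source is flagged only when every second in a run of `window` consecutive seconds carries more than `rate` new connections. The field layout of `conntrack -L` output and the event-log shape `(unix_timestamp, source_ip)` are assumptions of the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `conntrack -L -p tcp --dport 9001` output (fake
# documentation-range addresses, not real data). Field 5 is the original-
# direction `src=` entry, which is what `awk '{print $5}'` selects; the last
# line has dport=9443 and is only here to show the port filter working.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=192.0.2.10 sport=51234 dport=9001 src=192.0.2.10 dst=198.51.100.7 sport=9001 dport=51234 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=192.0.2.10 sport=51235 dport=9001 src=192.0.2.10 dst=198.51.100.7 sport=9001 dport=51235 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=192.0.2.10 sport=51236 dport=9001 src=192.0.2.10 dst=198.51.100.7 sport=9001 dport=51236 [ASSURED] mark=0 use=1
tcp      6 119 SYN_SENT src=203.0.113.42 dst=192.0.2.10 sport=40000 dport=9001 [UNREPLIED] src=192.0.2.10 dst=203.0.113.42 sport=9001 dport=40000 mark=0 use=1
tcp      6 431999 ESTABLISHED src=203.0.113.9 dst=192.0.2.10 sport=33000 dport=9001 src=192.0.2.10 dst=203.0.113.9 sport=9001 dport=33000 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=203.0.113.9 dst=192.0.2.10 sport=33001 dport=9443 src=192.0.2.10 dst=203.0.113.9 sport=9443 dport=33001 [ASSURED] mark=0 use=1
"""

# The first src/dst/sport/dport group on a conntrack line is the original
# (client -> relay) direction; the reply direction follows it.
ORIG_DIR = re.compile(r"src=(\S+) dst=\S+ sport=\d+ dport=(\d+)")


def connections_per_source(conntrack_output, dport=9001):
    """Count tracked TCP flows per original-direction source whose original
    destination port is `dport`; same result as the awk/sort/uniq pipeline."""
    counts = Counter()
    for line in conntrack_output.splitlines():
        if not line.startswith("tcp"):
            continue
        m = ORIG_DIR.search(line)  # first match = original direction
        if m and int(m.group(2)) == dport:
            counts[m.group(1)] += 1
    return counts


def over_threshold(counts, max_conns):
    """Sources holding more than `max_conns` concurrent flows, busiest first."""
    return sorted(((ip, n) for ip, n in counts.items() if n > max_conns),
                  key=lambda kv: (-kv[1], kv[0]))


def sustained_offenders(events, rate=1, window=60):
    """Alex's heuristic, read literally: flag a source that opened more than
    `rate` connections in each of at least `window` consecutive seconds.
    `events` is an iterable of (unix_timestamp, source_ip) tuples (assumed
    log shape)."""
    per_second = defaultdict(Counter)
    for ts, ip in events:
        per_second[ip][int(ts)] += 1
    offenders = []
    for ip, buckets in per_second.items():
        run, prev, longest = 0, None, 0
        for sec in sorted(buckets):
            if buckets[sec] > rate and prev is not None and sec == prev + 1:
                run += 1            # consecutive busy second extends the run
            elif buckets[sec] > rate:
                run = 1             # busy second after a gap starts a new run
            else:
                run = 0             # a quiet second breaks the run
            longest = max(longest, run)
            prev = sec
        if longest >= window:
            offenders.append(ip)
    return sorted(offenders)


def constructed_events(start=1_513_000_000):
    """Synthetic connection log (constructed, not captured): 198.51.100.7 opens
    2 conns/s for 60 s, 203.0.113.42 opens 2 conns/s for only 30 s, and
    203.0.113.9 opens exactly 1 conn/s for 120 s (never *more* than 1/s)."""
    events = []
    for i in range(60):
        events += [(start + i, "198.51.100.7"), (start + i + 0.5, "198.51.100.7")]
    for i in range(30):
        events += [(start + i, "203.0.113.42"), (start + i + 0.5, "203.0.113.42")]
    for i in range(120):
        events.append((start + i, "203.0.113.9"))
    return events


if __name__ == "__main__":
    counts = connections_per_source(SAMPLE_CONNTRACK)
    for ip, n in sorted(counts.items(), key=lambda kv: kv[1]):
        print(f"{n:7d} {ip}")                      # mirrors `sort | uniq -c | sort -n`
    print("over threshold (>2):", over_threshold(counts, 2))
    print("sustained offenders:", sustained_offenders(constructed_events()))
```

On a live host the `SAMPLE_CONNTRACK` string would be replaced by the output of `conntrack -L -p tcp --dport 9001` (the port filter in `connections_per_source` then just confirms what conntrack already selected), and the event log for `sustained_offenders` would come from whatever records new-connection timestamps per source. Note the two measures answer different questions: the conntrack count is a snapshot of concurrent flows, while the sustained-rate rule looks at connection churn over time, which is what the thread's low-bandwidth attack pattern is about; a legitimate busy client can be high on the first and absent from the second.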
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays