[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-relays] syn flood iptables rule

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-relays] syn flood iptables rule
From: Toralf Förster <toralf.foerster@xxxxxx>
Date: Mon, 22 Feb 2021 15:27:29 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 22 Feb 2021 09:27:42 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1614004050; bh=Ask+zc5OWeZq/SvahtfAvhimt6KPDf9lWxl7iI3phAw=; h=X-UI-Sender-Class:To:From:Subject:Date; b=Z+LB2+bVdTeiSbeFqpaeG0XtnjO+5nK3QvpOQ9XsUd/CiJcAk9A/JPJohOQVzc1kd PTLB45nT9YfVqSmnY9hqvnxuPuuhoW1vqPVqlDNphhwgNqHIg6vYgVVUqwrmrnqrIQ 6lJULLcYdqZzJc8MNz9L7WjQrPSTy0tOPBG0dRWQ=
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1

The following 3 statements

  # Make sure NEW incoming tcp connections are SYN packets; otherwise
we need to drop them.
  $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

  # DDoS
  $IPT -A INPUT -p tcp -m state --state NEW -m recent --name synflood --set
  $IPT -A INPUT -p tcp -m state --state NEW -m recent --name synflood
--update --seconds 60 --hitcount 10 -j DROP

seems to work and to help here ata fast Tor relay. CPU went down from
109% to 95%. There're 500 connections less than before for a Tor fast relay.

The /proc/net/xt_recent/synflood is quickly filled.
Unfortunately I cannot change the "ip_list_tot" of "xt_recent" b/c I do
use a non-modular kernel. Does anybody knows a circumvention?

Are there any objections against this approach?
--
Toralf
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] syn flood iptables rule
  - From: niftybunny
- Re: [tor-relays] syn flood iptables rule
  - From: Stephen Mollett
- Re: [tor-relays] syn flood iptables rule
  - From: William Kane

Prev by Author: Re: [tor-relays] anyone else getting sync floods from russia?
Next by Author: Re: [tor-relays] Bridge operator iat_mode setting
Previous by thread: Re: [tor-relays] Stable flag and client load
Next by thread: Re: [tor-relays] syn flood iptables rule
Index(es):
- Author
- Thread