[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Putting onion services behind a third-party TCP proxy

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Putting onion services behind a third-party TCP proxy
From: teor <teor@xxxxxxxxxx>
Date: Thu, 15 Aug 2019 09:22:39 +1000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 14 Aug 2019 19:22:58 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1565824963; bh=/HsjDDL92nHRvY8A6BvDKerwKV2T2z3Fk43GSzFSKH0=; h=From:Date:Subject:References:In-Reply-To:To:From; b=mbZDTINvRfK9gm5QlsPaIkKI2tUJ3FFPZRZ7HOpX4DzAuGQ4eAWi4xed8XhtiKpc8 j8Cgzd46sW0w6Ova47K7TAlSLXk3eGipbik5p+2QRmS2yi5kWSJKKYpAKPylHssroa RZYXMJwrh5yTZTfJEmDsL1OWJUWsdu+l78zXM7WE=
In-reply-to: <CAMM-YAP9kQoo6DQWC3F-68ieEXF8ihRf7UuOEGnF5pnfUQL8hg@mail.gmail.com>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <CAMM-YAP9kQoo6DQWC3F-68ieEXF8ihRf7UuOEGnF5pnfUQL8hg@mail.gmail.com>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

Hi,

On 15 Aug 2019, at 05:10, Pop Chunhapanya <pop@xxxxxxxxxxxxxx> wrote:

When deploying an onion service, I noticed some problem that the ip address of my machine that runs tor daemon is exposed to the Tor network which is vulnerable to the DDoS attack if someone knows my ip address.

You can reject all inbound connections to your onion service using a simple firewall rule. Onion services are tor clients: they only make outbound connections.

So I'm thinking putting the tor daemon behind some third party TCP proxy that will protect me from this kind of DDoS attack.

What do you think if I want to implement a feature that forward all the onion service traffic to the TCP proxy before going to the Tor network?

The protocol that I'm thinking is TCP Proxy Protocol [1]

[1] https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt

You could try the existing HTTPSProxy torrc option?

HTTPSProxy host[:port]

Tor will make all its OR (SSL) connections through this host:port (or host:443 if port is not specified), via HTTP CONNECT rather than connecting directly to servers. You may want to set FascistFirewall to restrict the set of ports you might try to connect to, if your HTTPS proxy only allows connecting to certain ports.

Tor also allows an intelligent firewall to filter circuits using a field in haproxy protocol format, see HiddenServiceExportCircuitID for details. But you probably won't need this advanced feature.

T

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] Putting onion services behind a third-party TCP proxy
  - From: Pop Chunhapanya

References:
- [tor-dev] Putting onion services behind a third-party TCP proxy
  - From: Pop Chunhapanya

Prev by Author: Re: [tor-dev] Putting onion services behind a third-party TCP proxy
Next by Author: Re: [tor-dev] TBB Memory Allocator choice fingerprint implications
Previous by thread: [tor-dev] Putting onion services behind a third-party TCP proxy
Next by thread: Re: [tor-dev] Putting onion services behind a third-party TCP proxy
Index(es):
- Author
- Thread