thank you for this important release!

Nick Mathewson:
> o Major features (denial-of-service mitigation):
>   - Give relays some defenses against the recent network overload. We
>     start with three defenses (default parameters in parentheses).
>     First: if a single client address makes too many concurrent
>     connections (>100), hang up on further connections. Second: if a
>     single client address makes circuits too quickly (more than 3 per
>     second, with an allowed burst of 90) while also having too many
>     connections open (3), refuse new create cells for the next while
>     (1-2 hours). Third: if a client asks to establish a rendezvous
>     point to you directly, ignore the request. These defenses can be
>     manually controlled by new torrc options, but relays will also
>     take guidance from consensus parameters, so there's no need to
>     configure anything manually. Implements ticket 24902.

Do you advise relay operators against using OutboundBindAddress and
OutboundBindAddressExit due to the "is this a relay IP?" check not being
able to handle such relays because their outbound IP does not match their
OR IP?

https://trac.torproject.org/projects/tor/ticket/25193

> It is possible to do "tor-in-tor" meaning a tor client connection can exit
> the network and come back at a Guard node.
>
> And if this happens to be detected by the DoS subsystem, we'll blacklist
> the Exit relay for a while. That is *NOT* good.

thank you

--
https://mastodon.social/@nusenu
twitter: @nusenu_
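As an added illustration (not code from the tor project or from anyone in this thread), the following Python model implements the first two per-client-address defenses quoted in the release notes, with the quoted defaults (>100 concurrent connections; 3 circuits per second with a burst of 90 while 3 or more connections are open). The class and method names, the 3600-second defense window chosen from the "1-2 hours" range, and the decision to keep accepting create cells when the bucket is empty but the address has fewer than 3 connections are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass
class AddrState:
    conns: int = 0            # concurrent OR connections from this address
    tokens: float = 90.0      # circuit-creation token bucket, starts full
    last_refill: float = 0.0  # time of the last bucket refill (seconds)
    marked_until: float = 0.0  # refuse CREATE cells until this time


class DosDefense:
    """Simplified per-address model of the relay DoS defenses (assumed names)."""

    def __init__(self, max_conns=100, circ_rate=3.0, circ_burst=90,
                 min_conns=3, defense_secs=3600.0):
        self.max_conns, self.circ_rate = max_conns, circ_rate
        self.circ_burst, self.min_conns = circ_burst, min_conns
        self.defense_secs = defense_secs
        self.addrs = {}  # client address -> AddrState

    def _state(self, addr, now):
        if addr not in self.addrs:
            self.addrs[addr] = AddrState(tokens=float(self.circ_burst),
                                         last_refill=now)
        return self.addrs[addr]

    def new_connection(self, addr, now):
        """Defense 1: hang up once the address already has max_conns open."""
        st = self._state(addr, now)
        if st.conns >= self.max_conns:
            return False
        st.conns += 1
        return True

    def close_connection(self, addr, now):
        st = self._state(addr, now)
        st.conns = max(0, st.conns - 1)

    def new_create_cell(self, addr, now):
        """Defense 2: token bucket (rate/burst) gated on concurrent connections."""
        st = self._state(addr, now)
        if now < st.marked_until:          # address is in the defense window
            return False
        elapsed = now - st.last_refill
        st.tokens = min(self.circ_burst, st.tokens + elapsed * self.circ_rate)
        st.last_refill = now
        if st.tokens >= 1:                 # within the allowed rate/burst
            st.tokens -= 1
            return True
        if st.conns >= self.min_conns:     # too fast AND too many connections
            st.marked_until = now + self.defense_secs
            return False
        return True  # assumption: too fast but few connections, not marked
```

Because every counter is keyed only by client address, circuits that re-enter the network from an exit relay's address are all charged to that one address, which is the tor-in-tor concern quoted above.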
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk