
Re: any middlemen seeing DoS currently?



On Fri, Nov 07, 2008 at 10:23:02PM +0100, Dominik Schaefer wrote:
> Hans Schnehl schrieb:
> > you  may set the timeout values in pf.conf to rather low values.
> > Actually I start wondering if larger values are of any use anyway.
> > maybe like:
> > -----------------------------
> > set timeout interval 2
> > set timeout frag 5  
> > set timeout tcp.first 5
> > set timeout tcp.opening 5
> > set timeout tcp.established 600
> > set timeout tcp.closing 5 
> > set timeout tcp.finwait 3
> > set timeout tcp.closed 5
> > ------------------------------
> If I am not mistaken (don't know pf), this will terminate all idle connections
> after 600s.

Correct. 


> That means that your Tor relay will at least lose idle exit
> connections (maybe even circuits?) which are still valid. This is especially
> bad for people using long-lived connections to instant messaging services, IRC,
> and others for which Tor prefers relays with the stable flag. If your relay
> has that flag, it may be worth keeping that in mind.


Thanks for bringing this up, these values are _not_ useful under normal
circumstances. These settings will, under conditions like those mentioned
in this thread, reduce the number of states in pf's table.

As soon as the state tables reach their upper limit no further
connections are accepted until the number drops under the limit again.
It is the choice of having useless states or trying to get rid of unused
connections rather fast in order to provide access for 'real' connections.
It reduced the number of states by 20% within an hour or so on vallenator.

AFAIK this present situation will take some more time until the
new certificate is through. _Until then_, these 'emergency response
settings' may be helpful if using pf ;)

Hans
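The emergency settings above cut every TCP timeout unconditionally, which is exactly what costs a Stable-flagged relay its idle but still valid IRC/IM sessions. pf also offers adaptive timeouts that only shorten state lifetimes while the table is close to its limit; the pf.conf fragment below is an added illustration, not from either poster, with the pf.conf(5) default values noted in comments and the chosen numbers being illustrative assumptions for a relay under a connection flood.

```pf
# Added example, not from the thread: state-table settings for a Tor
# relay running pf during a connection flood. Numbers are assumptions
# to be sized for the box; bracketed values are the pf.conf(5) defaults.

# Raise the table ceiling first (default 10000 on older releases; check
# `pfctl -s memory` for the running default). A full table rejects every
# new connection outright, which is the failure mode the thread is about.
set limit states 50000

# Adaptive timeouts: once the table holds more than adaptive.start
# entries, pf scales all timeouts linearly towards zero, reaching zero
# at adaptive.end (defaults: 60% and 120% of the state limit). This
# gives the effect of the thread's short timeouts, but only while the
# table is actually under pressure; idle circuits survive in quiet times.
set timeout adaptive.start 30000
set timeout adaptive.end 60000

# Half-open and closing states are where a flood accumulates, so these
# can be trimmed without touching live sessions.
set timeout tcp.first 30       # [120]
set timeout tcp.opening 10     # [30]
set timeout tcp.closing 60     # [900]
set timeout tcp.finwait 20     # [45]
set timeout tcp.closed 30      # [90]

# Leave tcp.established at its default [86400] so long-lived exit
# connections on a Stable-flagged relay are not dropped unless the
# adaptive scaling kicks in.
```

Watch `pfctl -s info` (current entries) against the configured limit after loading the file, since adaptive scaling does nothing until the table crosses adaptive.start.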