[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: any middlemen seeing DoS currently?

To: or-talk@xxxxxxxxxxxxx
Subject: Re: any middlemen seeing DoS currently?
From: Hans Schnehl <torvallenator@xxxxxxxxx>
Date: Fri, 7 Nov 2008 23:48:31 +0100
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Fri, 07 Nov 2008 17:49:20 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:date:from:to:subject :message-id:references:mime-version:content-type:content-disposition :in-reply-to:user-agent; bh=XqGsjvOi5x4DytoWbHn9yQ+oyFpskFzIzw6WSyiHu68=; b=W2zbpNKzcZBlGTwsiKN8OmJB9jlGx5VQN/QsjQiiqoV1ZRPNGVWLkeuNQ1dfcQJpkk yyCjnjtNbC1Z4dW38mjuy0wjPHuVFrzkWdX3ZVnvgHVJxk5hfr1Ujh4qPVlSn1b8SubI 739X9TZ8mRBgvuD//LfRpNhfuUvV22mJ/qMXE=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=date:from:to:subject:message-id:references:mime-version :content-type:content-disposition:in-reply-to:user-agent; b=XosZdJhUtNSoFkytX8Jonh5DcX0shlKC/+HXclQ5X+OCEfjHd32OnigGCHZWd+V/wd V02cS7gygn06lJtNdfnyXyP+d8oIX1ayJMPOSoMwE+ny/OeZOvHgSvSIecoWMQzRlGx6 PWBamDPg68nVcfMyA9q3x9TUpRLikVRqWU3yY=
In-reply-to: <4914B1B6.50007@xxxxxx>
References: <20081107123828.GK11544@xxxxxxxxx> <49143E48.3060700@xxxxxxxxxxxx> <20081107134947.GM11544@xxxxxxxxx> <20081107160216.GB8838@tabulara> <4914B1B6.50007@xxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Mutt/1.5.18 (2008-05-17)

On Fri, Nov 07, 2008 at 10:23:02PM +0100, Dominik Schaefer wrote:
> Hans Schnehl schrieb:
> > you  may set the timeout values in pf.conf to rather low values.
> > Actually I start wondering if larger values are of any use anyway.
> > maybe like:
> > -----------------------------
> > set timeout interval 2
> > set timeout frag 5  
> > set timeout tcp.first 5
> > set timeout tcp.opening 5
> > set timeout tcp.established 600
> > set timeout tcp.closing 5 
> > set timeout tcp.finwait 3
> > set timeout tcp.closed 5
> > ------------------------------
> If I am not mistaken (don't know pf), this will terminate all idle connections
> after 600s.

Correct. 

> That means that your Tor relay will at least loose idle exit
> connections (maybe even circuits?) which are still valid. This is especially
> bad for people using long-lived connection to instant messaging services, IRC,
> and others for which Tor prefers relays with the stable flag. If your relay
> has that flag, it may be worth to keep that in mind.

Thanks for bringing this up, these values are _not_ useful under normal 
circumstances. These settings will, under  conditions like  mentioned
in this threat, reduce the number of states in pf's table.

As soon as the state tables reach their upper limit no further
connections are accepted until the number drops under the limit again.
It is the choice of having useless states or trying to get rid of unused
connections rather fast in order to provide access for 'real' connections.
It reduced the number of states by 20% within an hour or so on vallenator.

AFAIK this present situation  will take some more time until the 
new certificate is through. _Until then_ , these 'emergency response  
settings' may be helpful if using pf ;)

Hans

References:
- any middlemen seeing DoS currently?
  - From: Eugen Leitl
- Re: any middlemen seeing DoS currently?
  - From: Olaf Selke
- Re: any middlemen seeing DoS currently?
  - From: Eugen Leitl
- Re: any middlemen seeing DoS currently?
  - From: Hans Schnehl
- Re: any middlemen seeing DoS currently?
  - From: Dominik Schaefer

Prev by Author: Re: any middlemen seeing DoS currently?
Next by Author: Re: DoS attack
Previous by thread: Re: any middlemen seeing DoS currently?
Next by thread: Re: any middlemen seeing DoS currently?
Index(es):
- Author
- Thread