[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Reapply exit policy on reload

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] Reapply exit policy on reload
From: George Hartley via tor-relays <tor-relays@xxxxxxxxxxxxxxxxxxxx>
Date: Fri, 09 Aug 2024 22:58:29 +0000
Cc: George Hartley <hartley_george@xxxxxxxxx>
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 09 Aug 2024 19:23:45 -0400
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=lists.torproject.org; s=2022-eugeni; t=1723245818; bh=5/LBz88ukCv2NAEWdKpU2gPqk/1WfaaQuTZ1w4AgRHk=; h=Date:To:In-Reply-To:References:Subject:List-Id:List-Unsubscribe: List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc: From; b=eA7I9W7XuxcEv/l8lFrKYdKJozz3l4/tFX2yyVkQVo77t3Vt+MIVMsB7Xw0UUqs9w 05lyW3naWH3PJlHvtfFaRsnq0uLuSiNDqGKRbhta5W24d918XolWwRZoQgXbQioOYD XskWHoFYtGl+FvgTDVu3TLxwJz70bjhyC36HJZt0tsfqb5VGvf+KEV9FNST04x6VoB xn6PVgQ1O4SNTjktr6vSTCSmgWYOfq/wKHH447fDIdlv/jOm4J0hYf9HjZHPhAPKKm cQIiTan/Sna760OsIfvlarw4JzkWNEImNFpLrza7bp8ft7s5xNJpiJLpSqVHIPeElS AVa80yNLkSjQA==
Feedback-id: 68993610:user:proton
In-reply-to: <2033009.atdPhlSkOF@t520>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <2201117.GUh0CODmnK@t520> <10743372.nUPlyArG6x@w530> <svuhCiJ2WY85XkXdRhdsYnjEZ3T8RnjmwdTwImkb75RASYVbf8t-UEXLBDiTeMxHGJkyQR6DRsy1mw-0U8wFVCP2NP0BIU12DulBsqXh7-c=@proton.me> <2033009.atdPhlSkOF@t520>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

Then these must be targeted attacks, as I have never encountered something like this during 10 years of relay operation under different providers and aliases.

Sorry, but the Tor logs that I am seeing suggest that most DoS gets mitigated.

As far as I know, the concurrent connection (not circuit!) DoS defense is relatively new, so give the developers some time.

Also, any default IPTables rule-set should automatically either reject or just drop connections above a certain threshold.

All the best,
George

On Friday, August 9th, 2024 at 8:59 PM, boldsuck <lists@xxxxxxxxxxxxxxx> wrote:

> On Mittwoch, 7. August 2024 14:30:27 CEST George Hartley via tor-relays wrote:
> 

> > This is already impossible, as both circuit and concurrent connection DoS
> > both gets detected and the IP in question flagged and blacklisted.
> 

> 

> No.
> DoS has been a topic of conversation at nearly all relay meetings for over 2
> years. Enkidu and Toralf have developed Tor-ddos IPtables rules for the
> community. Article10 specifically for Tor exits and trinity has developed the
> patch.
> 

> https://gitlab.torproject.org/tpo/core/tor/-/issues/40676
> Roger, Mike, Nick and Perry certainly wouldn't have let Trinity develop the
> feature if the current DoS mitigations in Tor had helped.
> 

> > Please see the manual on this:
> > 

> > https://2019.www.torproject.org/docs/tor-manual.html.en#DoSCircuitCreationEn
> > abled
> 

> 

> This is a client to relay detection only. "auto" means use the consensus
> parameter. (Default: auto)
> It is defined in the consensus:
> https://consensus-health.torproject.org/#consensusparams
> 

> > > Example: 500K connections from IP 1.2.3.4
> 

> These are numbers from reality and not fantasy.
> AFAIK, Article10 and relayon already had 1,000,000 connections per IP!
> 

> 

> --
> ╰_╯ Ciao Marco!
> 

> Debian GNU/Linux
> 

> It's free software and it gives you freedom!_______________________________________________
> tor-relays mailing list
> tor-relays@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Attachment: publickey - hartley_george@proton.me - 0xAEE8E00F.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] Reapply exit policy on reload
  - From: Toralf Förster via tor-relays
- Re: [tor-relays] Reapply exit policy on reload
  - From: lists
- Re: [tor-relays] Reapply exit policy on reload
  - From: trinity pointard

References:
- Re: [tor-relays] Reapply exit policy on reload
  - From: lists
- Re: [tor-relays] Reapply exit policy on reload
  - From: George Hartley via tor-relays
- Re: [tor-relays] Reapply exit policy on reload
  - From: boldsuck

Prev by Author: Re: [tor-relays] a couple noob questions
Next by Author: Re: [tor-relays] Reapply exit policy on reload
Previous by thread: Re: [tor-relays] Reapply exit policy on reload
Next by thread: Re: [tor-relays] Reapply exit policy on reload
Index(es):
- Author
- Thread