I am very well aware of that and how it works, I have seen your commit that got merged, and am a C/C++ programmer as well.

Nevertheless, this is a feature I wanted anyway, so I could just reload the config and block IPs or even ranges if SSH range / port scans are done using my exit. Right now I reject 22 exits fully, but this might change soon thanks to your patch.

Thank you for your contribution :)

George

On Saturday, August 10th, 2024 at 12:48 PM, trinity pointard <trinity.pointard@xxxxxxxxx> wrote:

> The DoSCircuitCreation/DoSConnection configs are unrelated to what
> ReevaluateExitPolicy allows.
> DoSCircuitCreation/DoSConnection are enacted by guards, to protect
> themselves, and to some extent the rest of the network, from "noisy
> IPs" trying to connect to Tor.
> ReevaluateExitPolicy is not a DoS option, it doesn't take any action
> automatically. It is only useful on exit nodes, and is roughly the
> equivalent to running the right tcpkill incantation to kill all
> already established connections to ip/ports not allowed by a new
> ExitPolicy (but that were allowed when these connections were
> initiated).
>
> On Sat, 10 Aug 2024 at 01:23, George Hartley via tor-relays
> <tor-relays@xxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > Then these must be targeted attacks, as I have never encountered something like this during 10 years of relay operation under different providers and aliases.
> >
> > Sorry, but the Tor logs that I am seeing suggest that most DoS gets mitigated.
> >
> > As far as I know, the concurrent connection (not circuit!) DoS defense is relatively new, so give the developers some time.
> >
> > Also, any default iptables rule-set should automatically either reject or just drop connections above a certain threshold.
> >
> > All the best,
> > George
> >
> > On Friday, August 9th, 2024 at 8:59 PM, boldsuck <lists@xxxxxxxxxxxxxxx> wrote:
> >
> > > On Wednesday, 7 August 2024 14:30:27 CEST George Hartley via tor-relays wrote:
> > >
> > > > This is already impossible, as both circuit and concurrent connection DoS
> > > > both get detected and the IP in question flagged and blacklisted.
> > >
> > > No.
> > > DoS has been a topic of conversation at nearly all relay meetings for over 2
> > > years. Enkidu and Toralf have developed Tor-ddos iptables rules for the
> > > community. Article10 specifically for Tor exits and trinity has developed the
> > > patch.
> > >
> > > https://gitlab.torproject.org/tpo/core/tor/-/issues/40676
> > > Roger, Mike, Nick and Perry certainly wouldn't have let Trinity develop the
> > > feature if the current DoS mitigations in Tor had helped.
> > >
> > > > Please see the manual on this:
> > > >
> > > > https://2019.www.torproject.org/docs/tor-manual.html.en#DoSCircuitCreationEnabled
> > >
> > > This is a client to relay detection only. "auto" means use the consensus
> > > parameter. (Default: auto)
> > > It is defined in the consensus:
> > > https://consensus-health.torproject.org/#consensusparams
> > >
> > > > Example: 500K connections from IP 1.2.3.4
> > >
> > > These are numbers from reality and not fantasy.
> > > AFAIK, Article10 and relayon already had 1,000,000 connections per IP!
> > >
> > > --
> > > ╰_╯ Ciao Marco!
> > >
> > > Debian GNU/Linux
> > >
> > > It's free software and it gives you freedom!
_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
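The following is an added example, not code from this thread, from the patch in tor!40676 or from Tor itself. It models the behaviour trinity describes: after an ExitPolicy reload, which already-established exit streams are no longer allowed by the new policy and would therefore be the targets of the "tcpkill incantation". Assumptions, stated here and in the comments: IPv4-only rules written as accept|reject ADDR[/MASK][:PORT|LO-HI|*], first matching rule wins, an address without a port means all ports, and an implicit trailing "reject *:*". The policies and the list of established connections are constructed for illustration.

```python
"""Added example (not from the tor-relays thread or the Tor code base).

Models what happens to already-established exit connections when the
ExitPolicy is reloaded: any (dst_ip, dst_port) the new policy no longer
allows is a candidate for closing, which is what trinity compares to
running tcpkill against those ip/port pairs.

Assumptions: IPv4 rules of the form "accept|reject ADDR[/MASK][:PORT|LO-HI|*]",
first match wins, no port means all ports, implicit trailing "reject *:*".
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    allow: bool
    network: ipaddress.IPv4Network   # "*" is stored as 0.0.0.0/0
    lo: int                          # inclusive destination port range
    hi: int


def parse_rule(text: str) -> Rule:
    """Parse one rule such as 'reject 203.0.113.0/24:*' or 'accept *:80-81'."""
    action, _, target = text.strip().partition(" ")
    if action not in ("accept", "reject"):
        raise ValueError(f"unknown action {action!r}")
    addr, sep, port = target.strip().rpartition(":")
    if not sep:                      # assumption: a bare address means all ports
        addr, port = target.strip(), "*"
    network = ipaddress.IPv4Network("0.0.0.0/0" if addr == "*" else addr, strict=False)
    if port == "*":
        lo, hi = 1, 65535
    elif "-" in port:
        lo, hi = (int(p) for p in port.split("-", 1))
    else:
        lo = hi = int(port)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {port!r}")
    return Rule(action == "accept", network, lo, hi)


def parse_policy(text: str) -> list[Rule]:
    """Parse a comma-separated ExitPolicy line into an ordered rule list."""
    return [parse_rule(part) for part in text.split(",") if part.strip()]


def policy_allows(policy: list[Rule], ip: str, port: int) -> bool:
    """First matching rule decides; no match falls through to the implicit reject *:*."""
    target = ipaddress.IPv4Address(ip)
    for rule in policy:
        if target in rule.network and rule.lo <= port <= rule.hi:
            return rule.allow
    return False


def connections_to_kill(new_policy_text: str,
                        conns: list[tuple[str, int]]) -> list[tuple[str, int]]:
    """Return the established (dst_ip, dst_port) pairs the reloaded policy no longer allows."""
    policy = parse_policy(new_policy_text)
    return [c for c in conns if not policy_allows(policy, *c)]


def tcpkill_filter(ip: str, port: int) -> str:
    """The BPF expression one would hand to tcpkill for a single established stream."""
    return f"host {ip} and port {port}"


# Constructed sample: a reload that adds a scanner's range and port 22 to the rejects.
OLD_POLICY = "accept *:22, accept *:80, accept *:443"
NEW_POLICY = "reject 203.0.113.0/24:*, reject *:22, accept *:80, accept *:443"
ESTABLISHED = [
    ("198.51.100.10", 443),   # still allowed
    ("198.51.100.10", 22),    # now hits "reject *:22"
    ("203.0.113.7", 80),      # now hits the rejected scanner range
    ("192.0.2.5", 80),        # still allowed
]

if __name__ == "__main__":
    for ip, port in connections_to_kill(NEW_POLICY, ESTABLISHED):
        print("kill:", tcpkill_filter(ip, port))
```

Run it and the two streams that the new policy rejects are printed as tcpkill filter expressions; the other two survive the reload untouched, which is the distinction the thread draws between ReevaluateExitPolicy and the DoS options (the latter never look at the exit policy at all).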