[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] DoS attacks on multiple relays



> @ x9p:
>
>> # netstat -tupan | grep ESTABLISHED | grep /tor | awk '{print $5}' | awk
>> -F: '{print $1}' | awk -F. '{print $1"."$2"."$3}' | sort | uniq -c |
>> sort
>> | egrep -v '      1 |      2 |      3 '
>>
>> with this information in hand, double the max of it (mine was 10
>> connections from 188.214.30.0/24):
>>
>>      10 188.214.30
>>
>> iptables -A INPUT -i eth0 -p tcp -m connlimit --connlimit-above 20
>> --connlimit-mask 24 -j REJECT --reject-with tcp-reset
>
> Thank you! This was extremely helpful.
>
> In our case we found a handful of IPs that had *thousands* of
> concurrent connections on several of our relays. The offending IPs
> were not in the consensus. After restarting the Tor service, these
> suspect connections come back rapidly, again across several of our
> relays. Since our relays are all in the same declared family, it is
> very difficult to see how this traffic is legitimate. If it's valid
> Tor clients, they are behaving very strangely, and in either case we
> need to limit their impact. As such we've implemented connlimits by
> /24 as suggested (with a much higher limit to err on the side of not
> rejecting valid traffic). We can already see that this has improved
> our situation.

nice to hear :)

cheers.

x9p


_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays