[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-relays] Checking dos mitigation



Hi everybody

I tried several setups for dos mitigation since the dos code is
available and came to the following results, where I think 5) is
promising and 2) or 3) are fine.

1) Drops off consensus for 1-2hours and returns w/o hsdir:
DOS_CC_CIRCUIT_BURST_DEFAULT 90
DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 100
FW: 20 connects per /32 ip, rate limited to 3 per sec.

2) Good (stable):
DOS_CC_CIRCUIT_BURST_DEFAULT 50
DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 50
FW: 20 connects per /32 ip, rate limited to 3 per sec.

3) Good (stable):
DOS_CC_CIRCUIT_BURST_DEFAULT 20
DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 20
FW: 20 connects per /32 ip, rate limited to 3 per sec.

4) Too conservative:
DOS_CC_CIRCUIT_BURST_DEFAULT 10
DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 10
FW: 20 connects per /32 ip, rate limited to 3 per sec.

5) Good (newly):
DOS_CC_CIRCUIT_BURST_DEFAULT 50
DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 50
FW: 100 connects per /32 ip, rate limited to 15 per sec.

Some hack to grab dos ips, their counts and defenses shows the well
known ones like a hand full new ones. But no surprises.

-- 
Cheers, Felix
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays