[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-relays] Questions about 4 Relays per IP and the ddos mitigation scripts
- To: tor-relays@xxxxxxxxxxxxxxxxxxxx, nusenu <nusenu-lists@xxxxxxxxxx>
- Subject: Re: [tor-relays] Questions about 4 Relays per IP and the ddos mitigation scripts
- From: Chris Enkidu-6 <tor@xxxxxxxxxxxxxxx>
- Date: Wed, 8 Feb 2023 01:57:50 -0500
- Autocrypt: addr=tor@xxxxxxxxxxxxxxx; keydata= mQINBFWMtxIBEADWtP+m+KK37yXz5i/w5nCjxpjwS6H2QTNIpHTx+444DxlX90L8GOLEOwS7 LRx/OJ/Vo+aqmAOL49Slejj6U29r8qJz7Nq7g+HfE9AilJMTvBWU5W21PF2wuKuQJLboPR4s iCnoHBg2ylds1aIweW126t01GBy+lvFJ/c6mqeHn69kq0VzJkMWv1YcIPaPMWj/foGf+yPp9 3hB2r8fIrY6q6jkQdP+mvBpn8rNteqgtGviMqCeQIwtaA3VcwQqcomSOjY4zBA7Uhse1iMF0 tjK3N0Bar/rV2zMu+jqppoat6E9y0AjshFCSgUMiZKIkMQ3oWEalkwyNXHpgcGb69WBKD+kl 5kJtOCP7aSs3VAR2xA86pX6lwfYlzNL2CsNzHGmkSm6mZygLpkQOOn9I3zDjhzGQ6j00I0P9 pi3a39BbgBrVYUa0O6NAIs816+vuHacR91jFvYQzMTQJ1cesRXnxvmDpaCuTLxFNWM2sORh3 BdBx3H0Xf5JNF11dJZ1b7XGxuPDA+hbSZwlU68EqptBocE9jlfTZ/ja0wx6Pgn137EKJ4ZUy d5PMp7eEUUfZFtEretfJ+IKJ+/UFjKRfgPiP6OY536TNzramtMsHN2uMsW18DY7oYaDZ2Nm/ EOg36Bjp8551gWnstogdjmoJAbmsN/WqZKuOYtZwrbEb485+8wARAQABtBpXQ0IhIDx3Y2JA d2Nic2VjdXJpdHkuY29tPokCoQQQAQgAizAUgAAAAAAgAAdwcmVmZXJyZWQtZW1haWwtZW5j b2RpbmdAcGdwLmNvbXBncG1pbWUICwkIBwMCAQoCGQEaGGxkYXA6Ly9rZXlzZXJ2ZXIyLnBn cC5jb20FFgADAgEFHgEAAAAGFQoICQMCFiEE0cq5h5p8USgUPeenb/FtB2wEq2cFAmITVg0C GyMACgkQb/FtB2wEq2fPvBAAkJ3Z9lxFPVvGT5j40GnhsDkF7F0gJ2O1SNo+gTgWKs9Bn8MT 5UuShLhdXazFNfMLezjNXDWlRtEIIpoHkJ5MN/IPQmZ6/Pc/zLKfEIZVdD1HD6MImNVT8GyW vXuSrmQEqne7vV3CeoABXZSPyl7wiCibahlHyjPNmFcIpBY+EqSVKhTXwNgtquL5dJUUSwdz rwSoI9sNOQqcaqpyzZZOEUAEbqDImMMC3FsYf7p3VBmq0+fddxCVzoC0ibEf1YDPwZuVulbn URPv+O5AD+hQkAmYMXiI7As3FLnHY0XoimVhxnLKHPj+LZvYsrFczC808rnWuuW3ri05euLd P98/O4Y3Cpe88hFhaeG37Bp/wiwIzKXrYb0+pPf40GGUl1dI0694TgtV5Am1ithBiOJlL7IA I+/npSRitS751CpT8s9not5kQJVa7J9AIE0+7T20bR7dYXgLWyRank3vExOzy4GdeCeoFct9 M9WYEaxsp7dQdz4LNs0rndQeHkVr0nkwiQszeDrZntWGknMlXYx0wzJPF+RB1um1+YFs8bOA +N4qJ7MGejG4ucNC1DBkeZoAYYQJZfHWiyz1l3ncN9wOv9qNH7+zhSnyu3OwyjOa4GaIFtqj L2cjQI/LRU6J4hW+cN/G2weK5KPxntEyI5rPEqIR5AcmOvTqQrcSWLtnfdu5Ag0EVYy3FQEQ AM+zo7GBG+zkHJv+rK1RrwSCGeFdrHL1M6qHvvekc+29aId1i5V99C1fJo4a+Yl9LXFvS+p7 43rN/35FjR09FQx8wYUTRaYDYC287/Rwl1QI0AVzu7X4qnlnFvbij+BQyUXQyxoILQEoMjBA WnlQRe6OCMsi4AyozIvYCWZ2QG/03sMiQq9KCZM1UrTvBHGdtMaaq7b90VUZGCk+ME8Sz1b6 uSKjUttGqz+14U4c5lrMY5Ao4hZObsYwGq3JCfDfb8Ibiaj2qSRMC1lWBO6d/Cd3HD5jC1pE FFQHwZZmI26YIQMsrJ2+V7vWue/X+PUHMur2x6laMNE9ds06jipVV+ZQzzUp/V2Ledok2+4m f85sEOAC9mwloI2vjNqnyVM8k5VtnOAD86Y1I1wO87pthZSX5ZHmxkxxl+Vw5cx+siPo+etU FC+hHk7/zInv1lKnuVHrX2IHcW714l3I7RDaNWvLXuiAMY9M6loFLuG6VTXcrf2FI7BMgqXD dStznJNdBfslEbq5cOLXxfYKYbuwipJ/2LuaE3KVXcdebmBx12oMl8T/F70C1A+ynrfKecND eyar7OakYvxk6+lT7hdzkKzs9DDI75BU8SNKUKdWT/wl0d/6tTIQRhqySrcICGn6O+FU1ODh ccVrgPJiNBhRfXt4WG4P5yhSMnGXlywjzKoFABEBAAGJBEEEGAECAisFAlWMtxYFGwwAAADB XSAEGQEIAAYFAlWMtxUACgkQ//PgyfkqRnuEHQ//S626WYYerZMsjglzG9X+gRy9X15iYxm5 sfw2KMbVRXSkt++beT9R+4eefasdzOKzo37Hehnv8EpToKwk7nz5CFmPvicN/wZ4h4/UM1Jn wNMJH5QaLWzhNf+bD9a/8l+TUIMAfIQx+Ub82xgLFf1dD7JkIddH3WfEIOmDaoR9MlyLzglF +WKGaXZXYPkko6h7lZuq7rxkabtVohvQhk2UypwwfU25wqrI1i8RsivB5kFn7+UrgzulNCFM UDzvld/Ym6crqxGmYa0ayxnyTRzFdFGCA/A7fhuJo3WcJq8OuimV22BcXeK8t8cvijOmGFMR QZ74dh5yU/axg+EnWNsVQCwU8qjNgsm7vX2dfovE+8/tMFGh+NibfpXtfBtpQYpvYMsuQ4Z+ hxaozESGxWBmNXzZ9kPKrIQqTuut/tIe5IylISkfz0oTEskJp2E10zZq1mKIwtghlhmHXuA2 XW9/y7ivgoylHyDj+vopCeQo73UTNA5dOAfuzN8AyAaTo4cgki4KYq1mnKfMHp2yYku1RJEF 4BxqTeKfE2WdTYhsusqn6ZNT375hMYeA1pAbYfb3Ybh9NN4jxmXV5hMd15jQUdwwCZecK/34 zmgY9z2kV+9tbkofyc/8SJcYypqOPKIU4b6iPQdNyX2DoWuygEMtK+wLRxH/kTAQ9LYs7tM2 15MACgkQb/FtB2wEq2dU+Q/+NvoqGo1gDu+yvep5YhQLVyJZLvvYlMhQuGhYD02I22EeNZSh HPT2++9U2hbTAZuME+AZZfNVZUuc51BUZLXLYAwUE5+eJCyDq4amLiQaYYVJxK6q2XGcaSpJ K5gbR9U9BclXTLdcrpFUXLs2BTQvKRji8c6MjxTrmLgj5fKh4UAx4Aul0DkLH3lP+DgHmiLM JCPdTnyUpM5+TYe0spqybeEySWI5+e0BJHJkAYigdq97JWEvwnavvQo2mc9PRDyviVx/B21f jnqAmP9ihnWlBUc++jGLRAXfexpDvoWRaWCrNCh6SlNVfADgsnPmZeNx6IFVWSePVpn88Q1N RaNsAhEeFH7RxAHLzsxksbfHq18dUvv727E/JPtHF8gy6ymIdNgG9T0i24IxKhjZeDI+gHlp 6c85+R9P72tuf6K9RJ8qeM4EApwGADI5Y4hrlfpsoQhoxNe9AAuS1NJG+K43TxR1qGPirPq5 g7ZpbHrF3F4ZniPpAHYose6Dwy5iMIJcDITuZI9ek47UYtOkgdqOhcZVnKFXG7B1hWHX8G8L O3dJkuLU1JpZCg7BUXD4iQmlHd+niYwglexRtJBTdmzrbXHDSMVR1BaZuTyDY1pJTsJ9RkuP kMlJQPU9sRLT8Va+4ld4XXzJL9yjyP7WafiXaXrL+mew7zTcUNTtNFbwvS+5Ag0EVYy3GAEQ AL2lIVP8MSA4pviJ8D83MrJL5IEeR7CQwjWHFxh92T+M7JZVQ0pHkIMBHit1jRDo5MARqnR2 W14jZ6Nt7lVHQ8P7puOpYlvokDbv3+ln5JvgFvc/7P06VWesi24Ft5V8LBXGS9QZ8Jn031DE eGV+BVhX9UlF8U1WqWONRR1Sb3Nda+rg8n21fGGidUm+1gmjm50u9VYHb0ZK226OLfMASPYQ 8wt8ZSjkERK2fJwofGLZR1X67K3L4VuR7IQvS/xrY906oqZtl3/tjB2A7yFMWfxisv31kb/s mv3EWJspLs4eK+a3PZhHTsG4X1MQxP1UskM/9rx82aiMKENv8DsXxpvb+UPIX/AR4y2rwZwU KLYNVpGED9f/FcTxwozdl48GMsF/IQHQzYEu1LpAiznPj4icEGnjvdtABWk2ZMjhKYEXfTaj iEQxO3yaazkL9IuRssPIS87EwEKcIqIpxwXUBbEYKLe7XFijl+XkXKWl+35IYUzV/M0mLigE Xc4WReudjzVWF0jA/dP7Rsc1GEUq4vOxuiOOBiXxVKZPPWxU3MunGhhc8Cx8dEXf3FcDML2M px9WU5QxxuPon830KB4yz37tmgui5qkDaHuQkhTEwlvnP+ELo0yrw2CQXDqBVf77dmnUw9c9 jUPZmqsbrl4/nrbhQ89P8EhL2dKYfIH0iG6dABEBAAGJBEEEGAECAisFAlWMtxkFGwIAAADB XSAEGQEIAAYFAlWMtxgACgkQgIt/XQhd0uslbhAAruDf2E38K45HWP3qV0oDYnMNRIWq/dNZ qXHkmkSjmlKcbCHrklCb155Z9lLU75Yqtjax2KhiNCiNRHFhaSMuappO2pBhnHZqnlLbB250 FPWdu+mSzi4yi0pUrtEJ+Sksb4HyKZzfHIqaDV8XsCU1vPYu1b7rHkXVuFXP1HDKTGp7dimt VQ5vDSx0hikU6kFwYT685AC6VIFymGL6VxjwKwsZ1uR0/xAktryFAzVIRtnXV6jjQ7NoCkVV BrtQUAiVSxO0V7FeOmNhkoSAQewJKIhg0KjJ+le8+899ypw5+/JnnlvFbvv/ZKTNOMXi9oNO w8k2y+HyPx0PQjemb37JPTF7DgSkFqHpSPQ3UISMpceKByhOnnNhq92JsMp/Q3zVR+zvipj9 eOFNHxpoc0AFelcU1hnH61qUEutIsveGUvhw0IegWN0xxBD5KpGM3nwEqdJC6OnzqKwRD3TO tVGGHUA1lVkJu6AwwxPSyRDVGFIN8RBAMB4/ysuAKIraNWsIf0Y6fgXWLeaE2iuG43MWiYqR wtwrZ/R4nSBe+1EIUV4vIZXjpP6vLSfzeLnM8OHUw41TebDhfMwyMvIDaT3pnwpizTdoZ89g vJJJiDZmCWeWOV6HjMYhH5cg5VWor76uinG1fDRWJCbVUf5ZMYq+If5uLO893qMtA1oXcs5R /tsACgkQb/FtB2wEq2dMuw/+JQ6zm9C+tqReGGw1KM/39wVXTwnchJQKtSJYmcAsAd3tR7C5 e/xlX/ANLcjt/pZD9CKFdp9lBhT/yMzFFX7+k3UFspb+wPR83qjsZueEvf0VBC/FcW48vCJE BikGIGHpJhL3czSsLr6Tmtdy6D8iQ1HvWcZxAoZXa5h8J5T6QWD+u7TH7am+DZPg7ZqGA7zl Derbiiv9Xo8z4kRBO4eRin4funW7zPlpp9wOrsD8peTaw6QJcgZ/y60Ef+6Uz0FCngz8vq3O weXZFp87olPMsCoTZ/2gd9Q1346ozXGNfKIIrFeGnZhWSZIsbFrH1Eqm5bR/CwKFnPeQfogo JPKeTWX0john8EJAjkHwQOsypqzXGtFvL7k6tANL6V3A0lyhyC+GvfmSEUO+ey7s+VLK48QX 1JSr0kXenElTgzj3mKnCgRqf60oBTwepVXzwKahNhC5CJVQLfM3b1IS9y46sybyQQshup9YE sMaMBSyrSyiO6vaCwNhP6jWKwCK8FDyO78vOxfrUtcPahHb1YstnFLegLnrdl/OzanvfNB2s 54N5NCsONeKy3Iok1CTQbUb+ECIp16AN22lNICZoMj6csSR1S6Ah8Y3FVLSThaUpUMLMR9EE 4xEnRmqUaCvSvafjazfkbAUgxnN9V+CCVI68904gcm0Wkxk+u5KsBVFtVfY=
- Delivered-to: archiver@xxxxxxxx
- Delivery-date: Wed, 08 Feb 2023 02:47:25 -0500
- Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=wcbsecurity.com; s=default; h=Content-Transfer-Encoding:Content-Type: In-Reply-To:MIME-Version:Date:Message-ID:From:References:To:Subject:Sender: Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=SzXXEHV3CbAgVLjdOLAKkn1tuZk7fNQtkHGpMuwQWCU=; b=YZDH2gKVUVBdJZnO+WSj0EdUE3 ZalJtlVKUy3jEa8WQutxJ9WizXYHYF60nwuEF3TevYGckM+4SpzTpqVDBro/WGJ30Kvs1fCSXqNNE IK7d9yTNMdJXJfXW4yiv+VfgNMy02Gh0oXmZAMIb4ph6sLF+iGW728eu9lnV5j4PjfVNAUWG7vZcA o9TXAtSCj2yHofchqk2KZuYTaDXwMvqEvhTlC8lhbX0hLI9Olyl1SfELF1waFCkUYeEmrxL/WBuD0 qBqP6J+bDJORLh4Ji+T1RXHEQ8DH5eL1PXEfQecNvQsmKYfVVTscBauiSN+UqJLQkgHiUC+Wi8G72 3nun5rdQ==;
- In-reply-to: <f22938c5-394c-9ace-5a72-bcddd9faea44@riseup.net>
- List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
- List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
- List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
- List-post: <mailto:tor-relays@lists.torproject.org>
- List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
- List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
- References: <32ba4f01-2e87-97c9-2310-746990fe1e27@wcbsecurity.com> <baec606d-7856-18e2-bf13-3f40bf207f6d@riseup.net> <9e562779-af0d-a120-60b0-fd6e9202aa1c@wcbsecurity.com> <f22938c5-394c-9ace-5a72-bcddd9faea44@riseup.net>
- Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
- Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>
- User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0
> DDoS rate limit filters do not require an all or nothing approach,
> different source IPs can be handled differently
> see toralf's use of onionoo to feed ipsets as an example.
> I would recommend to use tor's controlport as a source of information instead though
> because onionoo is not meant to be used for such real time needs.
We do the same. You can take a look at the rules. There's no all or
nothing approach. Regardless, this doesn't change the fact that in
either approach there's always a time when someone, somewhere will not
be able to connect due to their behaviour.
The ipsets are pulled from [my
repository](https://github.com/Enkidu-6/tor-relay-lists) to avoid
putting undue pressure on oniooo server and my lists are updated every
half an hour. This means one query as opposed to very many for each user.
We do have a ban list and cron jobs to remove relays from the list
periodically -even though I'm not a fan of it- to avoid an all out ban.
However the number of allowed connections remain the same regardless
whether you're in the ban list or not.
ipsets are set to allow authorities and snowflake servers to have as
many connections as they need. Dual-or relays are in another ipset and
they can have more connections per IP. That will still stay limited. How
many would be necessary, is the main reason I started this discussion.
> I don't think relays should silently drop
> other relays packets without first trying:
> - to confirm that accepting that IP would render the relay (mostly) unusable (by first running in a mode that accepts relay IPs)
> - to understand the actual root cause
> - to contact the relay operator at the other
> - to report relays they consider malicious
Firewalls and iptables don't work that way. They make those decisions in
fractions of milliseconds and do what they're told. Now, if you're
suggesting that I should do all of that before writing a rule to protect
my server, I do what I can with the time I have and to a reasonable level.
No new versions of rules are released unless I run them for 2 weeks on
my own servers and check for all possible side effects. I spend time to
investigate the relays that are misbehaving to the best of my knowledge
and ability and spend as much time as I'm willing to spend on it. Again
it's all about that compromise I was talking about. I'm not looking to
achieve an ideal solution for an ideal world. That's not achievable and
would be a waste of time trying. My purpose for this discussion is to
find the best way to keep the balance of that compromise in our favour
and not do damage to the overall health of the Tor network.
Now to clarify a few things, I'll explain my process. The rules are
tested on two relays with 20 MiB Max Advertised bandwidth each and each
one has full use of 12 CPUs and about 5-7 GB of RAM and NumCPUs of 30.
By the way this is far better than the systems majority of relays are
run on. Majority of operators run their relays on VPS systems with 1-4
CPUs and 1-4 GB of RAM.
The idea is that if a ruleset causes my relay to go to the overloaded
status, it will certainly do more damage to weaker relays. I can tell
you with absolute certainty that with the current state of the DDoS
we're experiencing if we allow more than 2 connections per IP (1 would
be better) the average relay will have overloaded status at least 2-3
times a week if not more. Again we're talking about average relays not
beasts.
Now to get back to my original question, I'll try to make it a bit more
clear. It may help you answer my question better. Here are the current
statistics:
Since the start of the new rule of 4 relays per IP, 14 operators have
decided to take advantage of it. Together combined, they are operating
214 relays, out which about more or less 100 something relays are
actually new relays added to the network. Some added two, some added
only one. Among them I've seen fake email addresses, those who haven't
even added the new relays to their family, etc.. By the way those
numbers haven't increased in the past 2 or3 days and remained pretty
much the same.
All of these relays with 3-4 Tor instances are running on a total of 54
IP addresses, 39 of which running purely Exit relays on all instances of
Tor on the IP with 0% guard probability and 0% middle probability. Their
status might change after a couple of weeks to a month when they join
the network with full capacity and I'll be monitoring that.
So I ask my question again, with the current state, right at this
moment, If I allow those limited IP addresses only 2 established
connections at a time instead of 4, will that break anything or cause
any harm to the health of the Tor network as a whole? My own answer is
absolutely not, but I eagerly await everyone's opinion.
Cheers.
On 2/7/2023 6:07 PM, nusenu wrote:
>> Even if that happens, why would a client connect
>> directly to an Exit and get the
>> Exit to connect to another relay or Guard using the Exit's IP address?
>
> You mentioned the exit flag, but you didn't specify whether that relay
> also had
> the guard flag.
>
> Generally speaking it is correct, that if you fire up a fresh tor
> client with default
> settings for the first time it will most likely pick a relay with the
> guard flag and no exit flag
> as their guard relay, but...:
>
> Tor clients keep local state over a considerable amount of time.
> Most notably they pick their guard relays rarely.
>
> It is possible that a relay that has the guard+exit flags today,
> only had the guard flag yesterday and the operator decided to enable
> exiting by changing the exit policy just this morning.
> So if that relay was picked as guard yesterday, their guard probability
> of today might not matter so much.
> I recall a gitlab.tpo issue that discussed the details of whether
> tor clients should change guards when their picked guard lost/gained
> flags.
> Maybe someone else could paste a link to it.
>
> related content for the interested reader:
> https://lists.torproject.org/pipermail/tor-relays/2020-October/019002.html
>
> https://gitlab.torproject.org/tpo/core/tor/-/issues/40230
>
>> Wouldn't the same protection you mentioned kick in and
>> stop a client?
>
> The protection I mentioned (reenter the tor network via exits
> blocking) does not interfere
> with a tor client directly connecting to a guard.
>
>> In the old days of vidalia you could actually see that in real time.
>
> for anyone missing that experience, onioncircuits can help you there :)
> but it has less features than vidalia used to have.
> https://gitlab.tails.boum.org/tails/onioncircuits
>
>> Each time you try to browse a page, Tor doesn't
>> say, oh let's find a relay. It picks
>> a circuit from a pool of already Established ones. If Tor tries to build
>> a circuit with a relay and it's unable to,
>> it will try another one that works and keeps it in the pool for when
>> it's needed. Again, I may be wrong.
>> Feel free to tell me if I am.
>
> Yes tor clients preemptively create circuits before creating actual
> streams to reduce
> latency.
>
>> There's no such thing
>> as DDoS mitigation without rate limiting.
>
> DDoS rate limit filters do not require an all or nothing approach,
> different source IPs can be handled differently
> see toralf's use of onionoo to feed ipsets as an example.
> I would recommend to use tor's controlport as a source of information
> instead though
> because onionoo is not meant to be used for such real time needs.
>
> I don't think relays should silently drop
> other relays packets without first trying:
> - to confirm that accepting that IP would render the relay (mostly)
> unusable (by first running in a mode that accepts relay IPs)
> - to understand the actual root cause
> - to contact the relay operator at the other
> - to report relays they consider malicious
>
> Not investigating such cases is a missed opportunity
> to find potential bugs or a new detection mechanism for malicious relays.
> It is also a missed opportunity to help protect the tor network at a
> higher
> level, because it is unlikely that everyone is using (the same) filters.
>
> Filters that result in blocks for a large fraction of the tor network
> are more likely a sign of an unsuitable filters than an indicator that
> most of the
> tor network is engaging in attack against other relays,
> especially when they include well known and long term trusted operators.
>
> This a good topic to be added to the Expectations for Relay Operators
> document.
> https://gitlab.torproject.org/tpo/community/team/-/wikis/Expectations-for-Relay-Operators
>
>
> At the very least relays blocking/dropping some packets of other
> relays should be very transparent about it.
>
> kind regards,
> nusenu
>
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays