[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] connlimit: better to use "DROP" or "REJECT --reject-with tcp-reset"?

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] connlimit: better to use "DROP" or "REJECT --reject-with tcp-reset"?
From: Zack Weinberg <zackw@xxxxxxx>
Date: Fri, 5 Jan 2018 14:05:28 -0500
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 05 Jan 2018 14:05:50 -0500
In-reply-to: <7wID4EZnjygiYeZweXBnKOrz7rTXCbaBPJ2czBBlAGpo31INE74N7tED1LsBDC9SsPo3XHOqDR4sX-YYNv70_AjLAoCzKWrZcteEotKZI5Q=@anondroid.com>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <7wID4EZnjygiYeZweXBnKOrz7rTXCbaBPJ2czBBlAGpo31INE74N7tED1LsBDC9SsPo3XHOqDR4sX-YYNv70_AjLAoCzKWrZcteEotKZI5Q=@anondroid.com>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

On Fri, Jan 5, 2018 at 1:44 PM, tor <tor@xxxxxxxxxxxxx> wrote:
> For relay operators using iptables connlimit to mitigate DoS attacks (or increased load from new clients), is it better for the Tor network to use "DROP" rules, or should we use something like "REJECT --reject-with tcp-reset"?

REJECT is friendlier to clients that are not misbehaving but happen to
be caught in the crossfire, and to the Internet as a whole.

I personally think DROP should only ever be used as a desperation
measure when the DoS load is so high that you can't even afford to
send RSTs.

zw
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Follow-Ups:
- Re: [tor-relays] connlimit: better to use "DROP" or "REJECT --reject-with tcp-reset"?
  - From: teor

References:
- [tor-relays] connlimit: better to use "DROP" or "REJECT --reject-with tcp-reset"?
  - From: tor

Prev by Author: Re: [tor-relays] kelihos infection
Next by Author: [tor-relays] High number of simultaneous connections from a single host
Previous by thread: [tor-relays] connlimit: better to use "DROP" or "REJECT --reject-with tcp-reset"?
Next by thread: Re: [tor-relays] connlimit: better to use "DROP" or "REJECT --reject-with tcp-reset"?
Index(es):
- Author
- Thread