[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-relays] connlimit: better to use "DROP" or "REJECT --reject-with tcp-reset"?
On Fri, Jan 5, 2018 at 1:44 PM, tor <tor@xxxxxxxxxxxxx> wrote:
> For relay operators using iptables connlimit to mitigate DoS attacks (or increased load from new clients), is it better for the Tor network to use "DROP" rules, or should we use something like "REJECT --reject-with tcp-reset"?
REJECT is friendlier to clients that are not misbehaving but happen to
be caught in the crossfire, and to the Internet as a whole.
I personally think DROP should only ever be used as a desperation
measure when the DoS load is so high that you can't even afford to
send RSTs.
zw
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays