[tor-relays] DoS attacks are real (probably)

Tue Dec 12 13:13:21 UTC 2017

On Mon, 11 Dec 2017 at 18:07 Felix <zwiebel at quantentunnel.de> wrote:

> Hi Alex
>
> Great points.
>
> >     conntrack -L -p tcp --dport 9001 | awk '{print $5}' | sort | uniq -c
> | sort -n
>
> On FreeBSD one can do:
>
> In packetfilter:
>
> # play with the numbers but more than 64k per ip if possible
> set limit { frags 70000, src-nodes 70000, states 70000, table-entries
> 100000 }
>
> table <blockOR> persist
>
> # 2000 is super high. Rate limit 50 new connects per 5 secs
> # overload but not flush
> pass in on $if_ext inet proto tcp from any to $relay_ip port $or_port
> flags S/SA modulate state (max-src-conn 2000,max-src-conn-rate
> 50/5,overload <blockOR>)
>
> As cronjob:
>
> # release block after 10 minutes
> pfctl -t blockOR -T expire 600
>
> These measures protect your system. IMO for other or future cases we
> should keep the clients degree of freedom (researchers / fancy doers) as
> high as possible, being not too restrictive.
>
>
> > 1. Open many OR connections (hundreds to thousands)
> > 2. Leave open until tor runs out of sockets
>
> If the ip is saturated for like 2 hours the relay might loose the hsdir
> flag. But today there are not enough resources in the game to generate
> an issue for the network.
>
>
> > I recommend against
> > the blanket approach suggested previously of limiting whole sets of
> > /24s, since that may inadvertently block mobile clients and is not
> > effective against the current attack.
>
> Right. In future one could put such loud clients besides useful ips a
> let the relays block the usefull.
>
>
> > 2. the connections do not taper off if they are rejected. I banned these
> > addresses from accessing Tor, and they continue to make dozens of
> > connection attempts every second from each IP address. this means that
> > this is probably not a good faith "test" or a misconfigured set of real
> > Tor clients, but is instead malicious and using a modified or custom
> > client.
>
> The above rule limits the useless attempts to a certain limit and
> recovers after 10 minutes. This protects but gives the 'offender' the
> chance to tune his client to a better behaviour (in case he wants it).
>
>
> > 3c. it is almost certainly not real clients using NAT; as far as I know,
> > LeaseWeb does not use NAT, and Online.net only uses one-to-one NAT.
>
> Good point. A general blocking rule should be smart enough to enable NAT
> clients anyway ?
>
>
> --
> Cheers, Felix
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Hi

For the ones interested in Linux version, this translates to:

 -A INPUT -p tcp -m multiport --dports $or_port,$dir_port -m connlimit
--connlimit-upto 2000 --connlimit-mask 24 -m hashlimit --hashlimit-upto
10/second --hashlimit-mode srcip --hashlimit-srcmask 16 --hashlimit-name
mask24 -j ACCEPT
 -A INPUT -p tcp -m multiport --dports $or_port,$dir_port -j REJECT
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20171212/116116d2/attachment.html>