[tor-relays] short conntrack DDoS attack
mailinglistreader at riseup.net
mailinglistreader at riseup.net
Wed Aug 9 09:20:00 UTC 2023
On 8/8/23 07:21, Toralf Förster wrote:
> Few days ago the throughput of my Tor relay went down to nearly zero for
> about 3 minutes. It turned out that the reason (maybe) was a change here
> in my iptables rules. Especially I switched these 2 lines:
>
> iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
> iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>
> and run then few hours later into problems. And switched back ofc.
> An explanation for the dropdown was given in [1]. Given that the
> explanation is right:
I use these rules, with the RELATED,ESTABLISHED rule extended by the "-m
conntrack ! --ctstate INVALID" filter as recommended in [1] and before
the INVALID DROP rule. Works like a charm and with no changes to the
number of connections or traffic.
So the explanation, that INVALID packages are passing through the
RELATED,ESTABLISHED seems plausible. Sadly I can't answer your following
question.
> How is the Tor application harmed if an attacker mangles packets so that
> the state of them are INVALID for the conntrack module but they do pass
> the RELATED,ESTABLISHED rule ?
>
>
> [1] https://forums.gentoo.org/viewtopic-p-8798034.html
> --
> Toralf
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
More information about the tor-relays
mailing list