On 2/9/16, coderman coderman@gmail.com wrote:
> ... manage sessions and lifetimes carefully; don't use apache; tune limits.conf and sysctl; disable conntrack in kernel network filters (if applicable); ...
one other benefit: put a proxy in front of onion service if request based like HTTP/HTTPS/WebDAV. this lets Tor hs config hit nginx (for example) to relay request to actual service back-end, which responds, and can release a socket for close or re-use (pipeline) with Nginx to ensure client response in turn delivered to onion peer at far end.
in addition, keep-alive is useful for DDoS mitigation and performance - always enable HTTP pipelined request support if possible. With a rate limit on accept by origin (by AS instead of IP or CIDR?) legitimate clients can usually connect as expected, and remain connected, while the transient burst of flood sybils from botherders and pwnhops gets almost entirely denied. a few connections make it through established, but the typical operation of automation implies it will get restarted / reconfiged as reason for RST is investigated, thus closing those few connections that did make it, and in turn, once a response is received, not uncommon for code to close socket, rather than re-use.
perhaps more ideas if you encounter specific attacks... good luck! :)
best regards,
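The proxy-in-front-of-the-onion-service layout, the keep-alive advice and the rate-limit idea from the message above, as an added configuration example that is not part of the thread or anything coderman posted. The torrc lines, listen ports, backend address and limit values are assumptions chosen for illustration.

```nginx
# Added example, not from the thread. Assumed torrc (placeholders):
#   HiddenServiceDir /var/lib/tor/example_onion/
#   HiddenServicePort 80 127.0.0.1:8080
# Tor relays onion requests to nginx on 127.0.0.1:8080; nginx relays them
# to the real application, assumed to listen on 127.0.0.1:9000.

events {
    worker_connections 1024;
}

http {
    # Every onion connection reaches nginx from Tor on localhost, so a key
    # on $binary_remote_addr does not separate onion clients from each other;
    # it acts as one aggregate throttle. That is exactly the "by origin"
    # limitation the message raises, so tune these as a global ceiling.
    limit_req_zone  $binary_remote_addr zone=onion_req:10m rate=20r/s;
    limit_conn_zone $binary_remote_addr zone=onion_conn:10m;

    upstream backend {
        server 127.0.0.1:9000;
        # Idle connections nginx keeps open to the backend so a request can
        # reuse a socket instead of opening and closing one every time.
        keepalive 32;
    }

    server {
        listen 127.0.0.1:8080;

        # Keep-alive toward the Tor side: one local connection from Tor can
        # carry many requests rather than one request per socket.
        keepalive_timeout  65s;
        keepalive_requests 1000;

        # Bound how long a slow or stalled peer can hold a worker slot.
        client_header_timeout 10s;
        client_body_timeout   10s;
        send_timeout          10s;

        location / {
            limit_req  zone=onion_req burst=40 nodelay;
            limit_conn onion_conn 200;

            # HTTP/1.1 plus an empty Connection header is what lets nginx
            # reuse the pooled upstream connections declared above.
            proxy_http_version 1.1;
            proxy_set_header   Connection "";
            proxy_pass         http://backend;
        }
    }
}
```

Validate with `nginx -t -c /path/to/this.conf` before loading it. The two timeouts and the `keepalive` pool are the parts that matter for the socket-release point in the message: the backend answers nginx, nginx returns the socket to the pool or closes it, and the response goes back to the onion peer over the still-open Tor-side connection.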