Hi nusenu
I'm considering not setting OutboundBindAddress on the dotsrc exit relays (https://metrics.torproject.org/rs.html#search/dotsrc). Wouldn't it be better if all outgoing connections came from the same IP (i.e. do not set OutboundBindAddress), for the sake of making correlation analysis harder? Say you observe an exit connection to example.com:443. If all the dotsrc relays used 185.129.61.1 as src IP, you couldn't tell which of our relays made the connection.
On a related note, wrt the ongoing DDoS, here's something that might be useful to exit relay operators:
What we observed was tens of thousands of open exit connections to a few IPs (at one point our server had more than 500.000 open connections to those hosts!). To check if you see the same, here's a one-liner to show you the endpoints with the largest number of connections from your server:
# ss -tn | tr -s ' ' | cut -d' ' -f 5 | sort | uniq -c | sort -nr | head
One way to solve this is to do some firewall foo, but I really don't like connection tracking (unnecessary CPU cycles). An alternative solution that works great for us is to lower net.ipv4.ip_local_port_range from the default of about 30.000 ports. E.g.:
# sysctl -w net.ipv4.ip_local_port_range="64000 65535"
This limits the number of connections you can have to a specific dst tuple (IP, Port) to 1.535 connections (and thanks to Tor now setting IP_BIND_ADDRESS_NO_PORT, reaching this limit won't affect any other connections as the same port can be used as src for many different dst IPs).
- Anders
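The one-liner above is easy to type but hard to reuse from a monitoring script. As an added example (not part of Anders' mail, and not a dotsrc script), here is the same aggregation wrapped in two shell functions that read `ss -tn` style output from stdin: one ranks peer endpoints by open connection count, the other only reports endpoints above a threshold, which is the check an operator would want to alert on. The `ss` output embedded below is constructed sample data, and the addresses in it are documentation ranges, not real hosts.

```shell
#!/bin/sh
# Constructed sample of `ss -tn` output (not real data). Column 5 is the peer
# endpoint, exactly as the one-liner in the mail assumes.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 185.129.61.1:40001 203.0.113.10:443
ESTAB 0 0 185.129.61.1:40002 203.0.113.10:443
ESTAB 0 0 185.129.61.1:40003 203.0.113.10:443
ESTAB 0 0 185.129.61.1:40004 198.51.100.7:443
ESTAB 0 0 185.129.61.1:40005 198.51.100.7:80
ESTAB 0 0 185.129.61.1:40006 192.0.2.5:22'

# top_peers [N]: rank peer endpoints (IP:port) by number of open connections,
# most connections first, printing the top N (default 10). Reads ss -tn text
# on stdin; the header line is dropped so it is never counted as a peer.
top_peers() {
    tail -n +2 | tr -s ' ' | cut -d' ' -f5 | sort | uniq -c | sort -nr | head -n "${1:-10}"
}

# hot_peers THRESHOLD: print only peer endpoints with more than THRESHOLD open
# connections, as "COUNT IP:PORT", sorted by count. This is the form you would
# feed into an alert; with real data run:  ss -tn | hot_peers 1000
hot_peers() {
    tail -n +2 | awk -v t="$1" '{ c[$5]++ } END { for (p in c) if (c[p] > t) print c[p], p }' | sort -nr
}

# Demonstration on the constructed sample: the first endpoint wins with 3 connections.
printf '%s\n' "$SAMPLE_SS" | top_peers 3
printf '%s\n' "$SAMPLE_SS" | hot_peers 2
```

On a live relay, replace the `printf` of the sample with `ss -tn` itself, and pick the threshold for `hot_peers` from what you consider normal for a single destination; the mail's own figure of several hundred thousand connections to a handful of hosts is far above anything a healthy exit produces.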