
Hi everybody,

I tried several setups for DoS mitigation since the DoS code is available and came to the following results, where I think 5) is promising and 2) or 3) are fine.

1) Drops off consensus for 1-2 hours and returns w/o HSDir:
   DOS_CC_CIRCUIT_BURST_DEFAULT 90
   DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 100
   FW: 20 connects per /32 IP, rate limited to 3 per sec.

2) Good (stable):
   DOS_CC_CIRCUIT_BURST_DEFAULT 50
   DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 50
   FW: 20 connects per /32 IP, rate limited to 3 per sec.

3) Good (stable):
   DOS_CC_CIRCUIT_BURST_DEFAULT 20
   DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 20
   FW: 20 connects per /32 IP, rate limited to 3 per sec.

4) Too conservative:
   DOS_CC_CIRCUIT_BURST_DEFAULT 10
   DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 10
   FW: 20 connects per /32 IP, rate limited to 3 per sec.

5) Good (newly):
   DOS_CC_CIRCUIT_BURST_DEFAULT 50
   DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 50
   FW: 100 connects per /32 IP, rate limited to 15 per sec.

Some hack to grab DoS IPs, their counts and defenses shows the well-known ones like a handful of new ones. But no surprises.

-- 
Cheers, Felix
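As an added illustration (not Felix's code and not tor's own dos.c), a small Python model of the two defenses these parameters tune, run against a constructed client trace to show why burst/concurrency limits of 10 behave as "too conservative" while 50 holds. It assumes a refill rate of 3 circuits per second and a 3-connection minimum before the circuit-creation defense applies (both taken as tor's defaults), and simplifies the real logic to a token bucket plus a concurrent-connection cap.

```python
# Added example, not from the post or from tor: a simplified model of tor's
# per-address DoS defenses, to compare the limits tried above. Assumed: refill
# at 3 tokens/s and a 3-connection minimum (taken as tor's defaults).
from dataclasses import dataclass

@dataclass
class DosParams:
    circuit_burst: int            # DOS_CC_CIRCUIT_BURST_DEFAULT in the post
    conn_max_concurrent: int      # DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT
    circuit_rate: float = 3.0     # assumed default, tokens per second
    min_concurrent_conn: int = 3  # assumed default

@dataclass
class Client:
    conns: int = 0
    bucket: float = 0.0
    last_refill: float = 0.0
    marked: bool = False          # circuit-creation defense triggered

def run(p, events):
    """events: ordered (time, 'connect'|'create') pairs from one /32 address."""
    c = Client(bucket=p.circuit_burst)
    refused = rejected = 0
    for now, kind in events:
        if kind == "connect":
            if c.conns >= p.conn_max_concurrent:
                refused += 1      # concurrent-count defense: new conn closed
            else:
                c.conns += 1
        elif c.marked:
            rejected += 1         # marked address: CREATE cells dropped
        elif c.conns >= p.min_concurrent_conn:   # cc defense applies
            c.bucket = min(p.circuit_burst,
                           c.bucket + (now - c.last_refill) * p.circuit_rate)
            c.last_refill = now
            if c.bucket < 1:
                c.marked = True   # bucket empty: mark, reject from now on
                rejected += 1
            else:
                c.bucket -= 1
    return refused, rejected, c.marked

# Constructed trace: a busy NAT egress opens 15 connections and sends 30
# CREATE cells at t=0, then another 30 at t=20. Setting 2 tolerates it;
# setting 4 refuses 5 connections and marks the address ("too conservative").
TRACE = [(0, "connect")] * 15 + [(0, "create")] * 30 + [(20, "create")] * 30
SETTING_2 = DosParams(circuit_burst=50, conn_max_concurrent=50)
SETTING_4 = DosParams(circuit_burst=10, conn_max_concurrent=10)
```

`run(SETTING_2, TRACE)` returns `(0, 0, False)` and `run(SETTING_4, TRACE)` returns `(5, 50, True)`: the smaller limits refuse legitimate connections and, once the 10-token bucket is drained, reject every later CREATE from that address.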