Hi everybody
I tried several setups for DoS mitigation since the DoS code is available and came to the following results, where I think 5) is promising and 2) or 3) are fine.
1) Drops off consensus for 1-2 hours and returns w/o HSDir: DOS_CC_CIRCUIT_BURST_DEFAULT 90, DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 100; FW: 20 connects per /32 IP, rate limited to 3 per sec.
2) Good (stable): DOS_CC_CIRCUIT_BURST_DEFAULT 50, DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 50; FW: 20 connects per /32 IP, rate limited to 3 per sec.
3) Good (stable): DOS_CC_CIRCUIT_BURST_DEFAULT 20, DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 20; FW: 20 connects per /32 IP, rate limited to 3 per sec.
4) Too conservative: DOS_CC_CIRCUIT_BURST_DEFAULT 10, DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 10; FW: 20 connects per /32 IP, rate limited to 3 per sec.
5) Good (newly): DOS_CC_CIRCUIT_BURST_DEFAULT 50, DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 50; FW: 100 connects per /32 IP, rate limited to 15 per sec.
Some hack to grab DoS IPs, their counts and defenses shows the well-known ones as well as a handful of new ones. But no surprises.
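As an added example (my own, not from the post above), the following POSIX shell script turns setups 2) and 5) into the two pieces a relay operator would actually deploy: torrc lines for the Tor DoS subsystem and iptables rules for the host firewall. It assumes, beyond what the post says, that the relay's ORPort is 9001, that the compile-time defaults DOS_CC_CIRCUIT_BURST_DEFAULT and DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT correspond to the torrc options DoSCircuitCreationBurst and DoSConnectionMaxConcurrentCount, and that the firewall is iptables with the connlimit and hashlimit matches available. The function names (gen_torrc_dos, gen_fw_rules, setup2_*, setup5_*) are mine.

```shell
#!/bin/sh
# Added example, not code from the post. Assumptions: ORPort 9001; the torrc
# options DoSCircuitCreationBurst / DoSConnectionMaxConcurrentCount are the
# runtime knobs behind DOS_CC_CIRCUIT_BURST_DEFAULT /
# DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT; iptables with connlimit and hashlimit.

ORPORT="${ORPORT:-9001}"

# torrc lines for a given circuit-creation burst and per-IP concurrent
# connection cap. Setting them in torrc pins the values; otherwise the
# consensus parameters (if any) take precedence over the compiled defaults.
gen_torrc_dos() {
    burst="$1"; maxconn="$2"
    printf 'DoSCircuitCreationEnabled 1\n'
    printf 'DoSCircuitCreationBurst %s\n' "$burst"
    printf 'DoSConnectionEnabled 1\n'
    printf 'DoSConnectionMaxConcurrentCount %s\n' "$maxconn"
    printf 'DoSConnectionDefenseType 2\n'   # 2 = close new connections over the cap
}

# Host firewall: cap concurrent ORPort connections per /32, then rate-limit new
# SYNs per source address. Rules are emitted, not applied, so they can be
# reviewed before touching a production relay.
gen_fw_rules() {
    maxconn="$1"; rate="$2"
    echo "iptables -A INPUT -p tcp --dport $ORPORT --syn -m connlimit --connlimit-above $maxconn --connlimit-mask 32 -j DROP"
    echo "iptables -A INPUT -p tcp --dport $ORPORT --syn -m hashlimit --hashlimit-name tor_or --hashlimit-mode srcip --hashlimit-upto ${rate}/sec --hashlimit-burst $rate -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $ORPORT --syn -j DROP"
}

# Setup 2) from the post: burst 50, 50 concurrent; FW 20 per /32 at 3/sec.
setup2_torrc() { gen_torrc_dos 50 50; }
setup2_fw()    { gen_fw_rules 20 3; }

# Setup 5): same Tor-side values, looser firewall (100 per /32 at 15/sec), so
# the Tor DoS subsystem rather than the packet filter does most of the work.
setup5_torrc() { gen_torrc_dos 50 50; }
setup5_fw()    { gen_fw_rules 100 15; }

# Dry run by default; APPLY=1 pipes the setup 5) firewall rules into sh.
if [ "${APPLY:-0}" = 1 ]; then
    setup5_fw | sh
else
    setup5_torrc
    setup5_fw
fi
```

The firewall rate limit is deliberately per source address (hashlimit-mode srcip), matching the post's "per /32 IP" wording; a global limit would let one attacker starve legitimate clients. Check `iptables -m connlimit -h` and `iptables -m hashlimit -h` on the relay first, since older builds lack `--hashlimit-upto`.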