In planning how to configure Tor relays, I've been considering various known attacks. Most involve systemic issues about design and implementation, and so aren't relevant to relay configuration. But there is one that seems relevant, and addressable.
I've been reading the work of Sambuddho Chakravarty and coworkers, in particular his thesis and a technical report on LinkWidth.[0],[1] What seems relevant here are deanonymization attacks on clients and hidden services that rely on traffic watermarking in conjunction with single-end measurements of available relay bandwidth. I am somewhat dubious about real-world workability. Fast relays simultaneously handle numerous connections, and so it's arguable that no single connection substantially perturbs available bandwidth. But on the other hand, it takes months for traffic through new relays to ramp up, and perhaps they are easier to scope while relatively idle.
Regardless, Tor relays are very specialized. And so it should be trivial to craft iptables rules that prevent responses to LinkWidth and other tools for single-end bandwidth measurement, but don't interfere with anything essential. However, I haven't come across anything that seems relevant. Has this threat been addressed? Or am I missing something that complicates the response? Or conversely, is it not something to worry about?
[0] Chakravarty (2014) Traffic Analysis Attacks and Defenses in Low Latency Anonymous Communication (PhD thesis) http://www.cs.columbia.edu/~angelos/Papers/theses/sambuddho_thesis.pdf [1] Chakravarty et al. (2008) LinkWidth: A Method to Measure Link Capacity and Available Bandwidth using Single-End Probes http://academiccommons.columbia.edu/download/fedora_content/download/ac:1108...