I spoke too soon, it seems - the exit is struggling again, with some time spent destroyed today.
As I look at what it's doing, it's clear that someone is relaying SYN packets
It's not possible for Tor clients to relay SYN packets: a RELAY_BEGIN
cell from a Tor client asks an exit to attempt to open a TCP connection
from that exit to a remote destination. If the TCP connection fails, a
response is sent back to the client.
to random ports and also random destination addresses that aren't even alive. The destination hosts and ports continually vary - it never hits multiple destinations on 1 port, and it does not hit multiple ports on 1 host. I presume it is an attack that is intended to degrade this relay's service quality, or otherwise more broadly, degrade Tor.
Have you tried adjusting your kernel parameters to recycle
local ports more quickly?
Do you have a separate IP address you can use for exit
connections, using OutboundBindAddressExit?
I'm going to reject a few more trojan listen ports, it might help but it isn't a real fix.
Have you tried one of the reduced exit policies?
If you have, I suggest you reduce your exit policy down to a few
high-traffic ports. 80 and 443 are essential to support web
browsing. Other ports are nice, and you can experiment with
restoring them over time.
My thought btw was for Tor to rate-limit syn scanning activity between the client and the first onion router, with the function taking place in that first-hop router, not at the exit.
This isn't how Tor works: clients send RELAY_BEGIN cells to open
streams at exits, and these cells are encrypted at the guard.
Exits could rate-limit the number of streams per circuit (or the
number of stream requests), but this would only help if the
client is using the same circuit for its streams. And Guards
could rate-limit circuits. But this would be a long-term fix,
requiring code changes.
(Exits can't rate-limit per client, because Tor's design makes sure
Exits can't identify clients.)
T