Just as a heads up, I got a curt, vague lawsuit threat the other day out of the blue. The guy claimed my node IP took down his (unmentioned) e-commerce sites for some unspecified period of time through a SYN flood. The sites that I could find associated with his email address appeared still up and functional.

Since SYN floods can be spoofed, and since Tor nodes don't really have the resource amplification that typically makes them effective, I'm assuming it's probably just someone who forgot to take their meds for a while and/or who is just making things up to try to chill our tor node off line.

Just in case, here is what I sent in response. If anyone else hears from this guy, feel free to copy and paste.

----------------------------
                                                    
It seems very unlikely that what you pasted here is due to our Tor router (unless it has been compromised?).

Our node is not capable of transmitting SYN packets on behalf of users fast enough to actually do damage. It is rather expensive for a tor client to generate this type of traffic, and a couple forms of protection mechanisms are built in to the tor router flow control that slow this down. We would be very surprised if this attack actually came through our node, and actually brought down any of your services.

Unlike more direct attacks on your server at the application layer, SYN floods are possible to spoof. This packet could actually be coming from anywhere...

However, in either case, this attack should be simple to block. You can prevent the entire Tor network (not just our router) from sending you traffic by using this exported IP list to generate firewall rules to drop SYN packets: https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.2.3.4&port=80

If this is in fact a SYN flood attack, they may just switch spoofed source IPs on you, though, so an IP block is probably not what you want.

There are plenty of documents online that describe server parameters to help reduce the impact of this attack on your services, depending on your server OS. We recommend looking into them to better protect yourself and your customers.


Thanks