On 2022-10-19 17:10, Chris wrote:

You may want to check these links:

https://gitlab.torproject.org/tpo/community/support/-/issues/40093

https://github.com/Enkidu-6/tor-ddos

https://github.com/toralf/torutils


Thank you for the reply and the links.
From what I can understand those links concern "connections". I believe my firewall rules handles that fine (they're based on Toralf's example).

My concern is about circuits. As I understand it one connection can create many circuits. If the attacker keeps the connections down to avoid being blacklisted they can create lots of circuits. And one circuit created affects 3 relays.

So what I'm looking for is a way to get the IP of big circuit creators.
I understand that many circuits will come from other relays but on my guard relay I assume the attacker also connect directly. If I can blacklist non-relays that create too many circuits I can help my relay and those downstream.