On 6 Jan 2018, at 06:05, Zack Weinberg zackw@cmu.edu wrote:
On Fri, Jan 5, 2018 at 1:44 PM, tor tor@anondroid.com wrote: For relay operators using iptables connlimit to mitigate DoS attacks (or increased load from new clients), is it better for the Tor network to use "DROP" rules, or should we use something like "REJECT --reject-with tcp-reset"?
REJECT is friendlier to clients that are not misbehaving but happen to be caught in the crossfire, and to the Internet as a whole.
I personally think DROP should only ever be used as a desperation measure when the DoS load is so high that you can't even afford to send RSTs.
I've tried various ways of limiting Tor's RAM and CPU. MaxAdvertisedBandwidth was effective, as was limiting Tor's file descriptors and DisableOOSCheck 1. MaxMemInQueues had a minor impact.
So I decided to use a firewall to limit connections.
If I send RST, a Tor client will immediately try another guard. If I DROP, the Tor client will timeout before trying another guard.
For misbehaving clients, I want to DROP. For regular clients, I want to RST. (Or let them connect.)
So I want to set a high connection limit, and use DROP.
I see up to 700 connections per IP, and I see normal residential IP addresses start at around 80. I don't think that clients with more than 100 connections per IP will get much bandwidth anyway.
I used this command:
netstat -n | grep ESTABLISHED | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | head
All the connections over 100 were at Hetzner, OVH, and Leaseweb. (This command gives /16s for IPv6, but these clients aren't using IPv6.)
So I set up this firewall rule:
/sbin/iptables -A INPUT -p tcp --syn ! --dport 22 -m connlimit --connlimit-above 100 -j DROP
You should replace 22 with the list of ports you use for SSH and other important connections, just in case.
And I installed iptables-persistent to save the rules. (It might be Debian-specific).
After I set up the firewall, the connections slowly dropped from 700 down to around 100. It only affects new connections, so it might take a while.
T
-- Tim / teor
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n ------------------------------------------------------------------------