On Fri, Jan 5, 2018 at 1:44 PM, tor <tor@anondroid.com> wrote:
> For relay operators using iptables connlimit to mitigate DoS attacks (or increased load from new clients), is it better for the Tor network to use "DROP" rules, or should we use something like "REJECT --reject-with tcp-reset"?
REJECT is friendlier to clients that are not misbehaving but happen to be caught in the crossfire, and to the Internet as a whole.
I personally think DROP should only ever be used as a desperation measure when the DoS load is so high that you can't even afford to send RSTs.
zw
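As an added illustration of the two rule variants under discussion (this script is not part of the thread and is not Tor project code), the following POSIX shell helper builds an iptables connlimit rule for a relay's ORPort in either the REJECT-with-RST form or the DROP form. The port number (9001), the per-source connection cap (32) and the chain (INPUT) are assumed values chosen for the example; the rule must sit before any rule that would ACCEPT the port, and applying it requires root.

```shell
#!/bin/sh
# Added example, not from the original thread: generate (and optionally
# apply) an iptables connlimit rule for a Tor ORPort, in the REJECT
# (TCP RST) and DROP variants discussed above.

ORPORT=9001        # assumed ORPort for illustration
PER_IP_LIMIT=32    # assumed cap on concurrent connections per source IP

# Print the rule for the requested action: "reject" sends a TCP RST to the
# client, "drop" silently discards the SYN. --syn limits the match to new
# connection attempts; --connlimit-mask 32 counts per individual IPv4 address.
connlimit_rule() {
  action="$1"
  case "$action" in
    reject) target="REJECT --reject-with tcp-reset" ;;
    drop)   target="DROP" ;;
    *) echo "unknown action: $action (use reject or drop)" >&2; return 1 ;;
  esac
  printf 'iptables -A INPUT -p tcp --syn --dport %s -m connlimit --connlimit-above %s --connlimit-mask 32 -j %s\n' \
    "$ORPORT" "$PER_IP_LIMIT" "$target"
}

# Usage: script.sh [reject|drop] [--apply]
# With no action: print both variants (dry run). With an action: print it,
# or execute it when --apply is given (needs root).
main() {
  action="${1:-}"
  mode="${2:-dry-run}"
  if [ -z "$action" ]; then
    echo "# REJECT variant (friendlier to legitimate clients caught by the limit):"
    connlimit_rule reject
    echo "# DROP variant (last resort when even sending RSTs is too costly):"
    connlimit_rule drop
    return 0
  fi
  rule=$(connlimit_rule "$action") || return 1
  if [ "$mode" = "--apply" ]; then
    eval "$rule"
  else
    echo "$rule"
  fi
}

main "$@"
```

Running the script with no arguments prints both rules without touching the firewall; `./script.sh reject --apply` installs the REJECT variant. The only difference between the two generated rules is the target, which is exactly the choice the thread is about: REJECT tells an over-limit client immediately that the connection failed, DROP leaves it waiting on its SYN retransmits.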