I am very well aware of that and how it works, I have seen your commit that got merged, and am a C/C++ programmer as well.
Nevertheless, this is a feature I wanted anyway, so I could just reload the config and block IPs or even ranges if SSH range / portscans are done using my exit.
Right now I reject 22 exits fully, but this might change soon thanks to your patch.
Thank you for your contribution :)
George
On Saturday, August 10th, 2024 at 12:48 PM, trinity pointard trinity.pointard@gmail.com wrote:
The DoSCircuitCreation/DoSConnection configs are unrelated to what ReevaluateExitPolicy allows. DoSCircuitCreation/DoSConnection are enacted by guards, to protect themselves, and to some extent the rest of the network, from "noisy IPs" trying to connect to Tor. ReevaluateExitPolicy is not a DoS option; it doesn't take any action automatically. It is only useful on exit nodes, and is roughly equivalent to running the right tcpkill incantation to kill all already established connections to ip/ports not allowed by a new ExitPolicy (but that were allowed when these connections were initiated).
On Sat, 10 Aug 2024 at 01:23, George Hartley via tor-relays tor-relays@lists.torproject.org wrote:
Then these must be targeted attacks, as I have never encountered something like this during 10 years of relay operation under different providers and aliases.
Sorry, but the Tor logs that I am seeing suggest that most DoS gets mitigated.
As far as I know, the concurrent connection (not circuit!) DoS defense is relatively new, so give the developers some time.
Also, any default IPTables rule-set should automatically either reject or just drop connections above a certain threshold.
All the best, George
On Friday, August 9th, 2024 at 8:59 PM, boldsuck lists@for-privacy.net wrote:
On Wednesday, 7 August 2024 14:30:27 CEST George Hartley via tor-relays wrote:
This is already impossible, as both circuit and concurrent connection DoS get detected and the IP in question flagged and blacklisted.
No. DoS has been a topic of conversation at nearly all relay meetings for over 2 years. Enkidu and Toralf have developed Tor-ddos IPtables rules for the community. Article10 specifically for Tor exits and trinity has developed the patch.
https://gitlab.torproject.org/tpo/core/tor/-/issues/40676 Roger, Mike, Nick and Perry certainly wouldn't have let Trinity develop the feature if the current DoS mitigations in Tor had helped.
Please see the manual on this:
https://2019.www.torproject.org/docs/tor-manual.html.en#DoSCircuitCreationEnabled
This is a client to relay detection only. "auto" means use the consensus parameter. (Default: auto) It is defined in the consensus: https://consensus-health.torproject.org/#consensusparams
Example: 500K connections from IP 1.2.3.4
These are numbers from reality and not fantasy. AFAIK, Article10 and relayon already had 1,000,000 connections per IP!
-- ╰_╯ Ciao Marco!
Debian GNU/Linux
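Added example, not from this thread and not Tor's own code: a small Python simulation of what trinity describes ReevaluateExitPolicy doing, applied to George's reload-and-block use case. It assumes a simplified torrc ExitPolicy syntax (IPv4 only, first matching rule wins, fall-through accept, no expansion of Tor's default policy) and lists which already established connections the old policy allowed but the new one rejects; the policies and connection list are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    accept: bool
    net: object          # ipaddress network, or None for "*"
    ports: tuple         # inclusive (low, high); (1, 65535) for "*"


def parse_policy(lines):
    """Parse simplified ExitPolicy lines such as 'reject 1.2.3.0/24:*'
    or 'accept *:80-443' (IPv4 only; bracketed IPv6 is not handled)."""
    rules = []
    for line in lines:
        verb, target = line.split()
        host, port = target.rsplit(":", 1)
        net = None if host == "*" else ipaddress.ip_network(host, strict=False)
        if port == "*":
            ports = (1, 65535)
        elif "-" in port:
            lo, hi = port.split("-")
            ports = (int(lo), int(hi))
        else:
            ports = (int(port), int(port))
        rules.append(Rule(verb == "accept", net, ports))
    return rules


def allowed(rules, ip, port):
    """First matching rule decides; no match falls through to accept
    (an assumption here, Tor appends its own default policy instead)."""
    addr = ipaddress.ip_address(ip)
    for r in rules:
        if (r.net is None or addr in r.net) and r.ports[0] <= port <= r.ports[1]:
            return r.accept
    return True


def connections_to_close(old_policy, new_policy, established):
    """Connections the old policy allowed but the new one rejects: these are
    the ones a re-evaluation after a config reload would tear down."""
    old, new = parse_policy(old_policy), parse_policy(new_policy)
    return [c for c in established if allowed(old, *c) and not allowed(new, *c)]


# Constructed sample: the operator adds a reject for port 22 and a /24 (documentation ranges).
OLD_POLICY = ["reject 10.0.0.0/8:*", "accept *:*"]
NEW_POLICY = ["reject 10.0.0.0/8:*", "reject 198.51.100.0/24:*", "reject *:22", "accept *:*"]
ESTABLISHED = [("203.0.113.5", 443), ("203.0.113.5", 22), ("198.51.100.9", 80), ("192.0.2.1", 993)]
```

Running `connections_to_close(OLD_POLICY, NEW_POLICY, ESTABLISHED)` returns the two connections that the new policy no longer permits; the other two stay open.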
It's free software and it gives you freedom!
_______________________________________________
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays