On 14 Feb 2018, at 07:27, Felix zwiebel@quantentunnel.de wrote:
> Hi everybody
> I tried several setups for DoS mitigation since the DoS code became available and came to the following results, where I think 5) is promising and 2) or 3) are fine.
You can adjust these options without recompiling using the DoS* torrc options from the man page: https://gitweb.torproject.org/tor.git/tree/doc/tor.1.txt#n2755
Otherwise, your relay will use the options from the consensus. If there are no options set in the consensus, your relay will use the defaults in the code. (We are updating the defaults in the man page, see ticket #25236.)
> 1) Drops off the consensus for 1-2 hours and returns w/o HSDir:
> DOS_CC_CIRCUIT_BURST_DEFAULT 90, DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 100, FW: 20 connects per /32 IP, rate limited to 3 per sec.
This happened to 1/6 of my guards too; we're trying to track down the cause in #24902.
It seems to happen by chance; otherwise, the lower settings would cause it too.
Your firewall may be responsible; my relay went back into the consensus once I changed my firewall.
> 2) Good (stable):
> DOS_CC_CIRCUIT_BURST_DEFAULT 50, DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 50, FW: 20 connects per /32 IP, rate limited to 3 per sec.
> 3) Good (stable):
> DOS_CC_CIRCUIT_BURST_DEFAULT 20, DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 20, FW: 20 connects per /32 IP, rate limited to 3 per sec.
> 4) Too conservative:
> DOS_CC_CIRCUIT_BURST_DEFAULT 10, DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 10, FW: 20 connects per /32 IP, rate limited to 3 per sec.
> 5) Good (newly):
> DOS_CC_CIRCUIT_BURST_DEFAULT 50, DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 50, FW: 100 connects per /32 IP, rate limited to 15 per sec.
> Some hack to grab DoS IPs, their counts and defenses shows the well-known ones as well as a handful of new ones. But no surprises.
T
-- Tim Wilson-Brown (teor)
teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
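The two knobs Felix varies above, DOS_CC_CIRCUIT_BURST_DEFAULT (torrc: DoSCircuitCreationBurst) and DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT (torrc: DoSConnectionMaxConcurrentCount), are easier to reason about with a small model of the defences they tune. The following is an added example, not tor's dos.c and not code from either poster: a per-/32 token bucket for CREATE cells that is only armed once an address holds DoSCircuitCreationMinConnections connections, plus a hard cap on concurrent connections per address. The refill rate (3/s), minimum-connection threshold (3) and mark period (3600 s) are assumed to match the man-page defaults; the client IP 198.51.100.7 and the workload are constructed. Running the same 60-CREATE burst from a 5-connection client against bursts of 90, 50 and 10 shows why 10 rejects five sixths of the circuits and 90 rejects none.

```python
"""Toy model of tor's per-client DoS defences (added example, not tor's dos.c)."""
from dataclasses import dataclass


@dataclass
class DosPolicy:
    cc_min_connections: int = 3        # bucket only applies at or above this many conns
    cc_rate: float = 3.0               # refill, CREATE cells per second (assumed default)
    cc_burst: int = 90                 # bucket size: DOS_CC_CIRCUIT_BURST_DEFAULT
    cc_defense_period: float = 3600.0  # seconds an address stays marked (assumed default)
    conn_max_concurrent: int = 100     # DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT


@dataclass
class ClientState:
    concurrent: int = 0
    tokens: float = 0.0
    last_refill: float = 0.0
    marked_until: float = 0.0


class DosTracker:
    """Per-address state keyed by client IP (one /32), as the real code keys by address."""

    def __init__(self, policy):
        self.policy = policy
        self.clients = {}
        self.marked = 0

    def _client(self, ip, now):
        if ip not in self.clients:
            self.clients[ip] = ClientState(tokens=float(self.policy.cc_burst),
                                           last_refill=now)
        return self.clients[ip]

    def new_connection(self, ip, now):
        """Connection defence: refuse any connection beyond the concurrent cap."""
        c = self._client(ip, now)
        if c.concurrent >= self.policy.conn_max_concurrent:
            return "close"
        c.concurrent += 1
        return "accept"

    def connection_closed(self, ip, now):
        c = self._client(ip, now)
        c.concurrent = max(0, c.concurrent - 1)

    def create_cell(self, ip, now):
        """Circuit-creation defence: token bucket, armed above min_connections."""
        c = self._client(ip, now)
        if now < c.marked_until:
            return "reject"                     # address is marked: refuse every CREATE
        if c.concurrent < self.policy.cc_min_connections:
            return "accept"                     # ordinary clients never reach the bucket
        c.tokens = min(float(self.policy.cc_burst),
                       c.tokens + (now - c.last_refill) * self.policy.cc_rate)
        c.last_refill = now
        if c.tokens >= 1.0:
            c.tokens -= 1.0
            return "accept"
        c.marked_until = now + self.policy.cc_defense_period   # bucket empty: mark it
        self.marked += 1
        return "reject"


def run(policy, events):
    """events: (time, kind, ip), kind in connect/disconnect/create. Returns counters."""
    tracker = DosTracker(policy)
    out = {"conn_accept": 0, "conn_close": 0, "circ_accept": 0, "circ_reject": 0}
    for t, kind, ip in events:
        if kind == "connect":
            out["conn_" + tracker.new_connection(ip, t)] += 1
        elif kind == "disconnect":
            tracker.connection_closed(ip, t)
        else:
            out["circ_" + tracker.create_cell(ip, t)] += 1
    out["marked"] = tracker.marked
    return out


def burst_client(ip="198.51.100.7", conns=5, creates=60, seconds=1.0):
    """Constructed workload: `conns` connections at t=0, then `creates` CREATEs spread over `seconds`."""
    events = [(0.0, "connect", ip) for _ in range(conns)]
    events += [(i * seconds / creates, "create", ip) for i in range(creates)]
    return events


if __name__ == "__main__":
    for burst in (90, 50, 20, 10):
        print("burst", burst, run(DosPolicy(cc_burst=burst), burst_client()))
    print("2 conns, burst 10:", run(DosPolicy(cc_burst=10), burst_client(conns=2)))
    print("cap 50, 60 conns:", run(DosPolicy(conn_max_concurrent=50),
                                    burst_client(conns=60, creates=0)))
```

Note that a client below the minimum-connection threshold is never rate-limited regardless of burst, so the burst value only bites clients that also hold several connections; the firewall limits in the thread act on a different layer (TCP connects per source, before tor sees a cell) and are not modelled here.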