"Rafo (r4fo.com) via tor-relays" tor-relays@lists.torproject.org wrote:
> More specifically, I'm running a middle relay on Debian 12
>
> ---- On Tue, 09 Jul 2024 13:46:51 +0200 lists@for-privacy.net <lists@for-privacy.net> wrote ----
>
> On Monday, 8 July 2024 19:34:51 CEST Rafo (r4fo.com) via tor-relays wrote:
> > But this week I've received 2 DDoS alerts from my provider (Netcup), both
> > are ~3 gigabits. They seem to be coming from other Tor relays.
> > I'm running an Invidious like instance on my server (which uses around 600
> > megabits) but I have a 2.5 gigabit port. So I configured my Tor relay to
> > use 300-400 megabits.
> > I'm not sure where that 3 gigabit of data comes from.
> > I have lowered my advertised bandwidth to 100 megabits, would that be
> > enough to prevent these kinds of issues?
> > Kind regards,
> > Rafo
>
> Reducing the advertised bandwidth does not help. ;-)
> In general, one tor instance will rarely reach 100 megabits.
>
> There is little you can do on the server against targeted DDoS. But you can
> stop IPs with a lot of connections to your tor daemon using dynamic exit
> policy[1] or dyn. IP/nftable rules[2].
>
> For targeted help, you should specify the type of relay you have and your OS.
>
> https://gitlab.torproject.org/tpo/community/support/-/issues/40093
> [1] https://github.com/artikel10/surgeprotector
> [2] https://forum.torproject.org/t/is-tor-network-resistant-to-tcp-syn-flood-dos-attacks-from-outside-of-tor/12690/4
>
> --
> Ciao Marco!
>
> Debian GNU/Linux
>
> It's free software and it gives you freedom!
> _______________________________________________
> tor-relays mailing list
> tor-relays@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Depending upon the features of the packet filter(s) available to you on your operating system, there may be one or more options that can help defend your relay. For example, all of the main FOSS *BSD systems today have some version of the pf packet filter subsystem available as well as others. One option available in pf for TCP is synproxy. This excerpt from the pf.conf(5) man page in FreeBSD tells how it works.
-----------------------------------------------------------------------
   SYN PROXY
     By default, pf(4) passes packets that are part of a tcp(4) handshake
     between the endpoints.  The synproxy state option can be used to cause
     pf(4) itself to complete the handshake with the active endpoint, perform
     a handshake with the passive endpoint, and then forward packets between
     the endpoints.

     No packets are sent to the passive endpoint before the active endpoint
     has completed the handshake, hence so-called SYN floods with spoofed
     source addresses will not reach the passive endpoint, as the sender
     can't complete the handshake.

     The proxy is transparent to both endpoints, they each see a single
     connection from/to the other endpoint.  pf(4) chooses random initial
     sequence numbers for both handshakes.  Once the handshakes are
     completed, the sequence number modulators (see previous section) are
     used to translate further packets of the connection.  synproxy state
     includes modulate state.

     Rules with synproxy will not work if pf(4) operates on a bridge(4).

     Example:

           pass in proto tcp from any to any port www synproxy state
-----------------------------------------------------------------------
My understanding is that LINUX systems do not have pf, but rather have a less flexible filter called iptables. Whether iptables or any other packet filter that may be available on LINUX systems has synproxy or a similar feature I do not know, but I'm posting this to make novice *BSD users who run tor relays aware of it. IMHO, synproxy or its equivalents in other filters (if they exist) should always be applied to filter rules for at least the ports that tor listens on and are exposed to the outside world (e.g., ORPort and DirPort). Of course, although synproxy helps defend a tor relay (or a web server or database or whatever), it doesn't stop what arrives at your ISP from outside.
                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:   bennett at sdf.org   *xor*   bennett at freeshell.org  *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
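As an added example (not from Scott's message, Marco's message or the FreeBSD man page), a pf.conf fragment that applies synproxy state to a relay's ORPort and DirPort and, picking up Marco's point about blocking IPs with many connections, caps connections per source address with pf's own state options. The interface name, port numbers and limits are assumptions that have to be adjusted for the relay in question.

```pf
# Added example pf.conf fragment, not from the thread. Interface, ports
# and limits are assumptions; take the ports from your torrc.
ext_if  = "em0"          # assumed external interface
orport  = "9001"         # assumed ORPort
dirport = "9030"         # assumed DirPort

# Source addresses that trip the per-source limits below are collected
# here and dropped early. "persist" keeps the table when no rule refers to it.
table <tor_abusers> persist
block in quick on $ext_if from <tor_abusers>

# synproxy state: pf completes the TCP handshake itself, so spoofed-source
# SYN floods never reach the tor daemon (see the man page excerpt above).
# max-src-conn      caps completed connections per source IP
# max-src-conn-rate caps new connections per source IP per interval (60 in 10 s)
# overload ... flush moves an offending source into the table and drops
#                   the states it already holds
# A relay normally keeps one connection per peer relay, but a guard relay
# also sees many clients behind one NAT, so keep the limits generous.
pass in on $ext_if proto tcp from any to ($ext_if) \
    port { $orport, $dirport } synproxy state \
    (max-src-conn 200, max-src-conn-rate 60/10, overload <tor_abusers> flush)
```

Entries in the table never expire on their own; a periodic `pfctl -t tor_abusers -T expire 86400` ages them out, and `pfctl -t tor_abusers -T show` lists what has been caught so the limits can be tuned before they bite legitimate peers.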