On Wednesday, 31 January 2018, at 17:32:15 EET, Roger Dingledine wrote:
On Wed, Jan 31, 2018 at 05:21:38PM +0200, zless wrote:
I was inspecting my node and just saw that it has a very high number of connections.
It jumped from the normal 6000-7000 to more than 17000 simultaneous connections.
Looking at the connections with `ss` I see some hosts with over 1000 connections while the majority is usually below 10.
In the future, you should avoid including IP addresses like this. Some of these are normal Tor users who probably don't like having their addresses listed. After all, the goal of your relay is to provide privacy, right?
Sorry about that. I somehow thought that those are only relays like myself and these are public already.
Even so, on closer inspection they seem to fall more on the "bots" side. Most of the IPs in my list are servers from Leaseweb and Hetzner.
Is it normal for a single host to produce so many connections?
How do you people handle such situations?
It is not normal. I recommend either trying out the new mitigation feature in git master, or waiting until it gets into a release:
https://lists.torproject.org/pipermail/tor-relays/2018-January/014357.html
https://lists.torproject.org/pipermail/tor-relays/2018-January/014175.html
https://lists.torproject.org/pipermail/tor-relays/2017-December/014002.html
Thanks for the links, they are quite informative.
However I'm still interested in how to block this kind of abuse outside of tor itself. I'm looking to implement some iptables limiting and I'm wondering how the limits should be so that I don't deny normal tor traffic.
Would a 10 connections per IP limit be OK? Should it be higher than that?
Thanks for any ideas.
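
An added example, not part of the original message and not Tor's own code: a Python script that tallies established connections per peer from `ss -Htn` output and reports how many peers and connections a candidate per-IP cap would affect, so a limit such as the 10 asked about can be checked against the relay's own traffic before any iptables rule is written. The sample lines are constructed from documentation address ranges, the function names are this example's own, and it assumes the cap refuses every connection above the limit from one address.

```python
import ipaddress
import sys
from collections import Counter

# Constructed sample in the shape of `ss -Htn` output (documentation addresses only).
SAMPLE = """\
ESTAB 0 0 192.0.2.10:9001 203.0.113.5:40112
ESTAB 0 0 192.0.2.10:9001 203.0.113.5:40113
ESTAB 0 0 192.0.2.10:9001 203.0.113.5:40114
ESTAB 0 0 [::ffff:192.0.2.10]:9001 [::ffff:203.0.113.5]:40115
ESTAB 0 0 192.0.2.10:9001 198.51.100.20:51000
ESTAB 0 0 [2001:db8::10]:9001 [2001:db8::1]:33000
ESTAB 0 0 [2001:db8::10]:9001 [2001:db8::1]:33001
"""

def peer_ip(endpoint):
    """Return the address part of an ss endpoint (1.2.3.4:443 or [v6]:443)."""
    host = endpoint.rpartition(":")[0].split("%")[0].strip("[]")
    ip = ipaddress.ip_address(host)  # raises ValueError on headers and junk
    # Fold IPv4-mapped IPv6 into plain IPv4 so one host is counted once.
    return str(getattr(ip, "ipv4_mapped", None) or ip)

def connections_per_peer(ss_output):
    """Count connections per peer address in `ss -tn` style text."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # `ss state established` drops the State column, shifting the peer left.
        idx = 3 if fields[0].isdigit() else 4
        try:
            counts[peer_ip(fields[idx])] += 1
        except (IndexError, ValueError):
            continue  # header line or malformed row
    return counts

def impact_of_limit(counts, limit):
    """Summarise what a per-IP cap of `limit` connections would affect."""
    over = {ip: n for ip, n in counts.items() if n > limit}
    return {"peers": len(counts), "connections": sum(counts.values()),
            "peers_over": sorted(over, key=over.get, reverse=True),
            "connections_refused": sum(n - limit for n in over.values())}

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    counts = connections_per_peer(text)
    for limit in (2, 10, 50):  # candidate caps to compare
        r = impact_of_limit(counts, limit)
        # Print totals only, so no peer addresses leave the relay.
        print(f"limit {limit}: {len(r['peers_over'])}/{r['peers']} peers over, "
              f"{r['connections_refused']}/{r['connections']} connections refused")
```

Piping live `ss -Htn` output into the script gives the same summary for the relay's current connections; only counts are printed, in line with the advice above about not publishing peer addresses.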