Gordon Morehouse:
Gordon Morehouse:
I'm still waiting for another "storm" to test the 60 sec findtime / 90 sec bantime guesses that I made (and just pushed to my repo, BTW). Every time my relay crashes due to a storm, it takes me that much longer to get Stable back, and the storms are almost nonexistent until you have the Stable flag in my observation.
Another circuit-creation storm (detectable as SYN flood on ORPort) happened last night soon after reattaining my Stable flag (argh!!!) and the following limits on SYNs to the ORPort were not enough to save Tor from the oom-killer:
- Absolute limit avg 4 SYN per second with burst of 10 to ORPort, with an iptables REJECT (as opposed to DROP) for hosts that send SYNs when this limit has been reached.
- 90-second iptables DROP ban for hosts which exceed the above (and are thus logged) in any 60-second period.
I should have said "exceed the above 5 times" here.
Sigh. More trial and error and another (figurative) century before I get my Stable flag back.
I'm going to try dropping the total SYN limit to 3/sec burst 8, extend the watch time from 60 to 75 seconds, and decrease the max # of exceeds from 5 to 4 and see how that does.
This is fairly Pi-specific.
Best,
-Gordon M.
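
The two sets of limits discussed in the message above, modelled as an added example that is not part of the original message or the author's repository. It assumes the global SYN limit behaves as a token bucket, that a host is banned on its Nth logged over-limit SYN inside the watch window, and that the ban stays at 90 seconds in the second setting; the traffic is constructed.

```python
from collections import defaultdict, deque

def simulate(syns, rate, burst, findtime, maxretry, bantime):
    """Replay time-sorted (t_seconds, src_ip) SYNs against the ORPort limits.

    rate/burst: global token bucket (assumed model of the iptables limit).
    findtime/maxretry/bantime: per-host watch window, exceed count, ban length.
    """
    tokens, last = float(burst), 0.0
    hits = defaultdict(deque)   # src -> times of its logged over-limit SYNs
    banned_until = {}           # src -> time at which its DROP ban expires
    stats = {"accepted": 0, "rejected": 0, "dropped": 0, "bans": []}
    for t, src in syns:
        if banned_until.get(src, 0.0) > t:
            stats["dropped"] += 1        # banned host: DROP before the limiter
            continue
        tokens = min(burst, tokens + (t - last) * rate)   # refill the bucket
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            stats["accepted"] += 1       # SYN reaches Tor
            continue
        stats["rejected"] += 1           # over the limit: REJECT and log
        window = hits[src]
        window.append(t)
        while window and window[0] <= t - findtime:
            window.popleft()             # forget exceeds older than findtime
        if len(window) >= maxretry:
            banned_until[src] = t + bantime
            stats["bans"].append((t, src))
            window.clear()
    return stats

def constructed_storm(src="198.51.100.7", per_sec=8, seconds=30):
    """Constructed sample: one host sending per_sec SYNs per second."""
    return [(i / per_sec, src) for i in range(per_sec * seconds)]

if __name__ == "__main__":
    storm = constructed_storm()
    # Limits that were in place when the relay was killed.
    print("4/s burst 10, 5 in 60 s:", simulate(storm, 4, 10, 60, 5, 90))
    # Limits proposed for the next attempt (bantime unchanged: assumption).
    print("3/s burst 8, 4 in 75 s:", simulate(storm, 3, 8, 75, 4, 90))
```

The `accepted` count is the number of SYNs that still reach Tor before the ban lands, which is the figure that matters for memory pressure on a small board.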