-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
David Serrano: [snip]
On 2013-10-20 09:42:01 (-0700), Gordon Morehouse wrote:
First, during a SYN flood type overload, some peers which have *existing* circuits built through the relay and are sending SYNs as normal traffic, will stochastically get "caught" in the filter and banned for a short time. If these hosts already have circuits open through the relay which is overloaded, I would prefer to preserve those circuits rather than break them. My defensive strategy versus overload here is to throttle new circuit creation requests, *not* to break existing circuits.
So here's the $64,000 question:
If a tor relay has a circuit built through a peer, and the peer starts dropping 100% of packets, how long will it take before the relay with the circuit "gives up" on the circuit and tears it down? I want to set my temp ban time *below* this timeout. Thus, unlucky peers that were caught in the filter and have circuits already built through the relay will experience a brief performance degradation, but they won't lose their active circuits through the overloaded relay, and in the meantime hopefully the overload condition is becoming resolved.
I can think of two approaches to your problem:
I've implemented these and I'd really love for anyone who's great at iptables to sanity-check my rules[1] because I am an iptables relative noob.
I'm also quite happy to report that my Raspberry Pi node weathered a pretty intense SYN flood (20-30 SYNs per sec; I'm going to post a log deconstruction of the event with graphs if possible) with the old rules. It didn't weather it *well*: specifically, fail2ban got bogged down and stopped working after a while, chewing up half the available CPU cycles, but the node survived without crashing.
There are stories on the Pivotal project tracker[2] for The Cipollini Project[3] regarding these problems - I luckily happened to catch the SYN flood ("circuit creation storm") event just as it really got started and was able to observe it in real time.
1. http://v.gd/1TV9mz (link to file on github)
2. https://www.pivotaltracker.com/s/projects/917796
3. https://github.com/gordon-morehouse/cipollini
Best,
-Gordon M.
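A kernel-side version of the throttle discussed in this thread, added here as an illustration and not the rules linked at [1] or anything from the Cipollini project. It uses the iptables "recent" match instead of fail2ban, so no userspace log parsing is needed, and it only ever looks at NEW connection attempts: an established TCP connection (and the circuits it carries) from a source that is being rate-limited is accepted before the throttle chain is reached. The ORPort, the ban window, the hit count and the circuit timeout bound are assumed defaults, not values from the thread.

```shell
#!/bin/sh
# Added example (not the rules from the author's repository): throttle new
# TCP connections to a Tor ORPort with the iptables "recent" match while
# leaving established connections alone. ORPORT, BAN_SECONDS, HITCOUNT and
# CIRCUIT_TIMEOUT are assumed defaults to tune per relay.

ORPORT="${ORPORT:-9001}"                 # assumed ORPort
BAN_SECONDS="${BAN_SECONDS:-10}"         # window in which HITCOUNT new SYNs trigger a drop
HITCOUNT="${HITCOUNT:-10}"               # xt_recent caps this at ip_pkt_list_tot (default 20)
CIRCUIT_TIMEOUT="${CIRCUIT_TIMEOUT:-60}" # assumed: the timeout the ban must stay under

# The thread's question in one check: the ban window must be strictly
# shorter than the timeout after which the other side gives up.
check_ban_window() {
    [ "$1" -lt "$2" ]
}

# Print the rule set. Order matters:
#  1. packets of already-established connections are accepted first, so a
#     source that is being rate-limited keeps its existing TCP connections
#     (and therefore the circuits carried on them) at the TCP level;
#  2. only NEW connection attempts to the ORPort enter TOR_SYN;
#  3. --rcheck runs before --set, so dropped SYNs do not refresh the entry
#     and the drop lasts at most BAN_SECONDS after the last accepted SYN.
emit_rules() {
    port="$1"; ban="$2"; hits="$3"
    cat <<EOF
iptables -N TOR_SYN 2>/dev/null || iptables -F TOR_SYN
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j TOR_SYN
iptables -A TOR_SYN -m recent --name torsyn --rcheck --seconds $ban --hitcount $hits -j DROP
iptables -A TOR_SYN -m recent --name torsyn --set -j ACCEPT
EOF
}

# Cheap self-check: exactly one rule in the generated set drops traffic.
count_drop_rules() {
    emit_rules "$1" "$2" "$3" | grep -c -- '-j DROP'
}

if check_ban_window "$BAN_SECONDS" "$CIRCUIT_TIMEOUT"; then
    emit_rules "$ORPORT" "$BAN_SECONDS" "$HITCOUNT"   # pipe into "sudo sh" to apply
else
    echo "BAN_SECONDS=$BAN_SECONDS must be below CIRCUIT_TIMEOUT=$CIRCUIT_TIMEOUT" >&2
    exit 1
fi
```

Run the script to print the rules and pipe them into `sudo sh` to apply them. Two caveats when tuning: `--rcheck` was chosen over `--update` on purpose, because `--update` refreshes the entry on every matching SYN and a source that keeps retrying (a legitimate peer as much as a flooder) would stay banned indefinitely, which defeats the goal of keeping the ban below the circuit timeout; and `--hitcount` cannot exceed the xt_recent `ip_pkt_list_tot` module parameter (20 unless you raise it at module load), so a higher allowance needs that parameter changed or the `hashlimit` match instead.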