Then these must be targeted attacks, as I have never encountered something like this during 10 years of relay operation under different providers and aliases.
Sorry, but the Tor logs that I am seeing suggest that most DoS gets mitigated.
As far as I know, the concurrent connection (not circuit!) DoS defense is relatively new, so give the developers some time.
Also, any default IPTables rule-set should automatically either reject or just drop connections above a certain threshold.
All the best, George
On Friday, August 9th, 2024 at 8:59 PM, boldsuck lists@for-privacy.net wrote:
On Mittwoch, 7. August 2024 14:30:27 CEST George Hartley via tor-relays wrote:
This is already impossible, as both circuit and concurrent connection DoS both gets detected and the IP in question flagged and blacklisted.
No. DoS has been a topic of conversation at nearly all relay meetings for over 2 years. Enkidu and Toralf have developed Tor-ddos IPtables rules for the community. Article10 specifically for Tor exits and trinity has developed the patch.
https://gitlab.torproject.org/tpo/core/tor/-/issues/40676 Roger, Mike, Nick and Perry certainly wouldn't have let Trinity develop the feature if the current DoS mitigations in Tor had helped.
Please see the manual on this:
https://2019.www.torproject.org/docs/tor-manual.html.en#DoSCircuitCreationEn abled
This is a client to relay detection only. "auto" means use the consensus parameter. (Default: auto) It is defined in the consensus: https://consensus-health.torproject.org/#consensusparams
Example: 500K connections from IP 1.2.3.4
These are numbers from reality and not fantasy. AFAIK, Article10 and relayon already had 1,000,000 connections per IP!
-- ╰_╯ Ciao Marco!
Debian GNU/Linux
It's free software and it gives you freedom!_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays