Hi friends,
I made some smaller tweaks over the last few hours which should especially help relays on nearly OOM or thrashing situations (making use of Zswap + MGLRU if available).
The rules themselves are just the same, so no changes there.
Merry christmas, Frank
------- Original Message ------- On Sunday, December 4th, 2022 at 11:25 PM, Frank Steinborn steinex@nognu.de wrote:
Hi,
I want to show you my anti DDoS solution for my relays (aswell ;-). It works without ipset, but with a mix of the recent and hashlimit iptables modules.
What is does:
- If one IP address tries to make 7 SYN connection attempts per second, they are locked out for 300 seconds. If they try another connection in that timeframe, the timer is reset and they are locked out for another 300 seconds.
- Threre are no more SYNs allowed if 4 connections are already in use to the ORPort.
It works very well for me. Other solutons are far more aggressive but I feel my solution works perfectly against the attacks, even if they are not that aggresive.
On top of that, I feel its more easy to implement into ones existing firewall solution.
You can find the repo here: https://github.com/steinex/tor-ddos
Feel free to give it a shot and feedback would be much appreciated!
Greetings, steinex
On 2022-12-25 00:27, Frank Steinborn via tor-relays wrote:
Hi friends,
I made some smaller tweaks over the last few hours which should especially help relays on nearly OOM or thrashing situations (making use of Zswap + MGLRU if available).
The rules themselves are just the same, so no changes there.
I had an exit relay which was constantly DDoSed. Instance CPU usage was 40%.
Had the IP change (for another reason tho) and it didn't go away, the DDoS targeted that particular fingerprint. That server had two relays, one fortunately unaffected.
I ended up just changing the fingerprint for the affected one. Now I have to wait for the ramp-up phase, yay!
Merry christmas, Frank
Best,
Neel
------- Original Message ------- On Sunday, December 4th, 2022 at 11:25 PM, Frank Steinborn steinex@nognu.de wrote:
Hi,
I want to show you my anti DDoS solution for my relays (aswell ;-). It works without ipset, but with a mix of the recent and hashlimit iptables modules.
What is does:
- If one IP address tries to make 7 SYN connection attempts per
second, they are locked out for 300 seconds. If they try another connection in that timeframe, the timer is reset and they are locked out for another 300 seconds.
- Threre are no more SYNs allowed if 4 connections are already in use
to the ORPort.
It works very well for me. Other solutons are far more aggressive but I feel my solution works perfectly against the attacks, even if they are not that aggresive.
On top of that, I feel its more easy to implement into ones existing firewall solution.
You can find the repo here: https://github.com/steinex/tor-ddos
Feel free to give it a shot and feedback would be much appreciated!
Greetings, steinex
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Neel Chauhan:
On 2022-12-25 00:27, Frank Steinborn via tor-relays wrote:
Hi friends,
I made some smaller tweaks over the last few hours which should especially help relays on nearly OOM or thrashing situations (making use of Zswap + MGLRU if available).
The rules themselves are just the same, so no changes there.
I had an exit relay which was constantly DDoSed. Instance CPU usage was 40%.
Had the IP change (for another reason tho) and it didn't go away, the DDoS targeted that particular fingerprint. That server had two relays, one fortunately unaffected.
I ended up just changing the fingerprint for the affected one. Now I have to wait for the ramp-up phase, yay!
Interesting. What was the old fingerprint? Did the affected and unaffected relays were guards and/or exists?
Georg
Merry christmas, Frank
Best,
Neel
------- Original Message ------- On Sunday, December 4th, 2022 at 11:25 PM, Frank Steinborn steinex@nognu.de wrote:
Hi,
I want to show you my anti DDoS solution for my relays (aswell ;-). It works without ipset, but with a mix of the recent and hashlimit iptables modules.
What is does:
- If one IP address tries to make 7 SYN connection attempts per
second, they are locked out for 300 seconds. If they try another connection in that timeframe, the timer is reset and they are locked out for another 300 seconds.
- Threre are no more SYNs allowed if 4 connections are already in use
to the ORPort.
It works very well for me. Other solutons are far more aggressive but I feel my solution works perfectly against the attacks, even if they are not that aggresive.
On top of that, I feel its more easy to implement into ones existing firewall solution.
You can find the repo here: https://github.com/steinex/tor-ddos
Feel free to give it a shot and feedback would be much appreciated!
Greetings, steinex
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
tor-relays@lists.torproject.org
-
Frank Steinborn -
Georg Koppen -
Neel Chauhan