New subject: Short heads up

25 Dec 2022

      Hi friends,
I made some smaller tweaks over the last few hours which should especially help relays on nearly OOM or thrashing situations (making use of Zswap + MGLRU if available).
The rules themselves are just the same, so no changes there.
Merry christmas,
Frank
------- Original Message -------
On Sunday, December 4th, 2022 at 11:25 PM, Frank Steinborn steinex@nognu.de wrote:
...
Hi,
I want to show you my anti DDoS solution for my relays (aswell ;-). It works without ipset, but with a mix of the recent and hashlimit iptables modules.
What is does:

If one IP address tries to make 7 SYN connection attempts per second, they are locked out for 300 seconds. If they try another connection in that timeframe, the timer is reset and they are locked out for another 300 seconds.
Threre are no more SYNs allowed if 4 connections are already in use to the ORPort.

It works very well for me. Other solutons are far more aggressive but I feel my solution works perfectly against the attacks, even if they are not that aggresive.
On top of that, I feel its more easy to implement into ones existing firewall solution.
You can find the repo here: https://github.com/steinex/tor-ddos
Feel free to give it a shot and feedback would be much appreciated!
Greetings,
steinex

Short heads up (was: Re: Another attempt against Tor DDoS)