Hi Andres,
Not at all. That's how I'm running my own relays. Just run the **combined.sh** on each individual VM and you'll be fine.
As for the ORPort, yes, I agree. There are ways to read the torrc file and set the ORPort automatically. I will incorporate that into the scripts in future versions. My original intention was to put something simple together with minimum complexity that anyone with little or no expertise can understand and modify if necessary without breaking the code.
I've also set up a [Discussion Board](https://github.com/Enkidu-6/tor-ddos/discussions) for the repository on github in case you have any questions, suggestions or simply need further help.
On 12/1/2022 11:57 AM, Anders Trier Olesen wrote:
Hi Chris
We run all the 12 dotsrc relays on a single host with many IP addresses. Would we need to change anything?
Btw, you can make the scripts find the all the OR ports by running something like ‘ss -pl | grep tor’.
- Anders
tor. 1. dec. 2022 kl. 09.02 skrev Chris <tor@wcbsecurity.com mailto:tor@wcbsecurity.com>:
Background: A set of bash scripts used to apply iptables rules to fight the current DDoS attacks. They require no dependencies to install except iptable/nftables which all Linux flavors already have and require no particular expertise. The issue was discussed here: [issue 40093](https://gitlab.torproject.org/tpo/community/support/-/issues/40093) Change log: Some modifications due to a change in the nature of the attacks. - Re ordered rules for more efficiency and reducing the load - Removed the hashlimit rule as it puts more load on the system with not much overall benefit as the attackers have adapted to it and it reduces the size of the block list. - Reduce the number of allowed concurrent connections to 2 if you're not a relay. - Use of remove.sh cron script at regular intervals (optional) will give relays a chance to create up to 4 connections if they need to. ******- Created a new cron file **refresh-authorities.sh** to refresh your allow-list with the most up to date IP addresses for the authorities and snowflake. Should be run daily. - Removed an unnecessary line in the update files. - Modified Readme.MD file to reflect new changes. The new modifications have been tested for two weeks now and the systems are running smoothly with no ill effect. You can read more and download here: [Enkidu-6 tor-ddos on Github](https://github.com/Enkidu-6/tor-ddos) To avoid occasional NTor drops a minimum NumCPUs 16 in torrc is recommended. P.S. The NumCPUs option is unfortunately poorly documented. It really has nothing to do with the number of CPUs you have. It's about the number of worker threads Tor will create to deal with decryption of onionskins. So you can have two CPUs and still set NumCPUs to 16. _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org <mailto:tor-relays@lists.torproject.org> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Hi Chris
Not at all. That's how I'm running my own relays. Just run the **combined.sh** on each individual VM and you'll be fine.
We do not run VMs. We run 12 Tor instances on a single host, and use ORPort + OutboundBindAddress to separate them. I.e: root@tor-exit:/etc/tor/instances# grep 'OutboundBindAddress|ORPort' */torrc dotsrcExit1/torrc:ORPort 185.129.61.1:443 dotsrcExit1/torrc:ORPort [2001:67c:89c:702:1ce:1ce:babe:1]:443 dotsrcExit1/torrc:OutboundBindAddress 185.129.61.1 dotsrcExit1/torrc:OutboundBindAddress [2001:67c:89c:702:1ce:1ce:babe:1] dotsrcExit10/torrc:ORPort 185.129.61.10:443 dotsrcExit10/torrc:ORPort [2001:67c:89c:702:1ce:1ce:babe:10]:443 dotsrcExit10/torrc:OutboundBindAddress 185.129.61.10 dotsrcExit10/torrc:OutboundBindAddress [2001:67c:89c:702:1ce:1ce:babe:10] dotsrcExit2/torrc:ORPort 185.129.61.2:443 dotsrcExit2/torrc:ORPort [2001:67c:89c:702:1ce:1ce:babe:2]:443 dotsrcExit2/torrc:OutboundBindAddress 185.129.61.2 dotsrcExit2/torrc:OutboundBindAddress [2001:67c:89c:702:1ce:1ce:babe:2] dotsrcExit3/torrc:ORPort 185.129.61.3:443 dotsrcExit3/torrc:ORPort [2001:67c:89c:702:1ce:1ce:babe:3]:443 dotsrcExit3/torrc:OutboundBindAddress 185.129.61.3 dotsrcExit3/torrc:OutboundBindAddress [2001:67c:89c:702:1ce:1ce:babe:3] dotsrcExit4/torrc:ORPort 185.129.61.4:443 dotsrcExit4/torrc:ORPort [2001:67c:89c:702:1ce:1ce:babe:4]:443 dotsrcExit4/torrc:OutboundBindAddress 185.129.61.4 dotsrcExit4/torrc:OutboundBindAddress [2001:67c:89c:702:1ce:1ce:babe:4] dotsrcExit5/torrc:ORPort 185.129.61.5:443 dotsrcExit5/torrc:ORPort [2001:67c:89c:702:1ce:1ce:babe:5]:443 dotsrcExit5/torrc:OutboundBindAddress 185.129.61.5 dotsrcExit5/torrc:OutboundBindAddress [2001:67c:89c:702:1ce:1ce:babe:5] dotsrcExit6/torrc:ORPort 185.129.61.6:443 dotsrcExit6/torrc:ORPort [2001:67c:89c:702:1ce:1ce:babe:6]:443 dotsrcExit6/torrc:OutboundBindAddress 185.129.61.6 dotsrcExit6/torrc:OutboundBindAddress [2001:67c:89c:702:1ce:1ce:babe:6] dotsrcExit7/torrc:ORPort 185.129.61.7:443 dotsrcExit7/torrc:ORPort [2001:67c:89c:702:1ce:1ce:babe:7]:443 dotsrcExit7/torrc:OutboundBindAddress 185.129.61.7 dotsrcExit7/torrc:OutboundBindAddress [2001:67c:89c:702:1ce:1ce:babe:7] dotsrcExit8/torrc:ORPort 185.129.61.8:443 dotsrcExit8/torrc:ORPort [2001:67c:89c:702:1ce:1ce:babe:8]:443 dotsrcExit8/torrc:OutboundBindAddress 185.129.61.8 dotsrcExit8/torrc:OutboundBindAddress [2001:67c:89c:702:1ce:1ce:babe:8] dotsrcExit9/torrc:ORPort 185.129.61.9:443 dotsrcExit9/torrc:ORPort [2001:67c:89c:702:1ce:1ce:babe:9]:443 dotsrcExit9/torrc:OutboundBindAddress 185.129.61.9 dotsrcExit9/torrc:OutboundBindAddress [2001:67c:89c:702:1ce:1ce:babe:9] dotsrcRelay1/torrc:ORPort 130.225.244.90:443 dotsrcRelay1/torrc:ORPort [2001:878:346:1cf9:446a:c4eb:4548:7061]:443 dotsrcRelay1/torrc:OutboundBindAddress 130.225.244.90 dotsrcRelay1/torrc:OutboundBindAddress [2001:878:346:1cf9:446a:c4eb:4548:7061] dotsrcRelay2/torrc:ORPort 130.225.244.90:9001 dotsrcRelay2/torrc:ORPort [2001:878:346:1cf9:446a:c4eb:4548:7062]:9001 dotsrcRelay2/torrc:OutboundBindAddress 130.225.244.90 dotsrcRelay2/torrc:OutboundBindAddress [2001:878:346:1cf9:446a:c4eb:4548:7062]
root@tor-exit:~# ip -br a lo UNKNOWN 127.0.0.1/8 ::1/128 eth0@if11 UP 130.225.244.90/30 130.225.254.114/27 185.129.61.1/24 185.129.61.2/24 185.129.61.3/24 185.129.61.4/24 185.129.61.5/24 185.129.61.6/24 185.129.61.7/24 185.129.61.8/24 185.129.61.9/24 185.129.61.10/24 2001:67c:89c:702:1ce:1ce:babe:10/48 2001:67c:89c:702:1ce:1ce:babe:9/48 2001:67c:89c:702:1ce:1ce:babe:8/48 2001:67c:89c:702:1ce:1ce:babe:7/48 2001:67c:89c:702:1ce:1ce:babe:6/48 2001:67c:89c:702:1ce:1ce:babe:5/48 2001:67c:89c:702:1ce:1ce:babe:4/48 2001:67c:89c:702:1ce:1ce:babe:3/48 2001:67c:89c:702:1ce:1ce:babe:2/48 2001:67c:89c:702:1ce:1ce:babe:1/48 2001:878:346::114/48 2001:878:346:1cf9:446a:c4eb:4548:7062/48 2001:878:346:1cf9:446a:c4eb:4548:7061/48 fe80::216:3eff:fed5:6809/64
root@tor-exit:~# ss -s Total: 139982 TCP: 148318 (estab 128481, closed 8757, orphaned 527, timewait 8744)
Transport Total IP IPv6 RAW 1 0 1 UDP 247 193 54 TCP 139561 125849 13712 INET 139809 126042 13767 FRAG 0 0 0
It would be really nice if you could update the scripts to support this kind of setup! And maybe also consider using plain nftables instead of relying on the legacy iptables compatibility layer :)
Best regards Anders
On Thu, Dec 1, 2022 at 6:42 PM Chris tor@wcbsecurity.com wrote:
Hi Andres,
Not at all. That's how I'm running my own relays. Just run the **combined.sh** on each individual VM and you'll be fine.
As for the ORPort, yes, I agree. There are ways to read the torrc file and set the ORPort automatically. I will incorporate that into the scripts in future versions. My original intention was to put something simple together with minimum complexity that anyone with little or no expertise can understand and modify if necessary without breaking the code.
I've also set up a [Discussion Board](https://github.com/Enkidu-6/tor-ddos/discussions) for the repository on github in case you have any questions, suggestions or simply need further help.
On 12/1/2022 11:57 AM, Anders Trier Olesen wrote:
Hi Chris
We run all the 12 dotsrc relays on a single host with many IP addresses. Would we need to change anything?
Btw, you can make the scripts find the all the OR ports by running something like ‘ss -pl | grep tor’.
- Anders
tor. 1. dec. 2022 kl. 09.02 skrev Chris <tor@wcbsecurity.com mailto:tor@wcbsecurity.com>:
Background: A set of bash scripts used to apply iptables rules to fight the current DDoS attacks. They require no dependencies to install except iptable/nftables which all Linux flavors already have and require no particular expertise. The issue was discussed here: [issue 40093](https://gitlab.torproject.org/tpo/community/support/-/issues/40093)
Change log: Some modifications due to a change in the nature of the attacks. - Re ordered rules for more efficiency and reducing the load - Removed the hashlimit rule as it puts more load on the system with not much overall benefit as the attackers have adapted to it and it reduces the size of the block list. - Reduce the number of allowed concurrent connections to 2 if you're not a relay. - Use of remove.sh cron script at regular intervals (optional) will give relays a chance to create up to 4 connections if they need to. ******- Created a new cron file **refresh-authorities.sh** to refresh your allow-list with the most up to date IP addresses for the authorities and snowflake. Should be run daily. - Removed an unnecessary line in the update files. - Modified Readme.MD file to reflect new changes. The new modifications have been tested for two weeks now and the systems are running smoothly with no ill effect. You can read more and download here: [Enkidu-6 tor-ddos on Github](https://github.com/Enkidu-6/tor-ddos) To avoid occasional NTor drops a minimum NumCPUs 16 in torrc is recommended. P.S. The NumCPUs option is unfortunately poorly documented. It really has nothing to do with the number of CPUs you have. It's about the number of worker threads Tor will create to deal with decryption of onionskins. So you can have two CPUs and still set NumCPUs to 16. _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org <mailto:tor-relays@lists.torproject.org> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
I see.
I put together a script that will apply the rules to two addresses at a time. I suggest that you run it for two of your relays and see if it helps. If it does, all you have to do is change the IP Addresses and run the script again until all your addresses are covered. It won't conflict with the other rules.
And if it doesn't do what you're looking for, the script makes a back up of your existing iptables rules. All you have to do is restore it and everything goes back to how it was without having to reboot. You should save that backup somewhere else as the second time you run the script, the original back up will be overwritten.
you can get it here:
https://raw.githubusercontent.com/Enkidu-6/tor-ddos/dev/multiple/multi-addr....
Please note that this script won't work for the relay that has two ORPorts. For that, you need to run the following script:
https://github.com/Enkidu-6/tor-ddos/blob/dev/multiple/two-or.sh
Let me know how it goes if you decide to have a go at it.
Cheers.
On 12/3/2022 6:29 AM, Anders Trier Olesen wrote:
Hi Chris
Not at all. That's how I'm running my own relays. Just run the **combined.sh** on each individual VM and you'll be fine.
We do not run VMs. We run 12 Tor instances on a single host, and use ORPort + OutboundBindAddress to separate them. I.e: root@tor-exit:/etc/tor/instances# grep 'OutboundBindAddress|ORPort' */torrc dotsrcExit1/torrc:ORPort 185.129.61.1:443 http://185.129.61.1:443 dotsrcExit1/torrc:ORPort [2001:67c:89c:702:1ce:1ce:babe:1]:443 dotsrcExit1/torrc:OutboundBindAddress 185.129.61.1 dotsrcExit1/torrc:OutboundBindAddress [2001:67c:89c:702:1ce:1ce:babe:1] dotsrcExit10/torrc:ORPort 185.129.61.10:443 http://185.129.61.10:443 dotsrcExit10/torrc:ORPort [2001:67c:89c:702:1ce:1ce:babe:10]:443 dotsrcExit10/torrc:OutboundBindAddress 185.129.61.10 dotsrcExit10/torrc:OutboundBindAddress [2001:67c:89c:702:1ce:1ce:babe:10] dotsrcExit2/torrc:ORPort 185.129.61.2:443 http://185.129.61.2:443 dotsrcExit2/torrc:ORPort [2001:67c:89c:702:1ce:1ce:babe:2]:443 dotsrcExit2/torrc:OutboundBindAddress 185.129.61.2 dotsrcExit2/torrc:OutboundBindAddress [2001:67c:89c:702:1ce:1ce:babe:2] dotsrcExit3/torrc:ORPort 185.129.61.3:443 http://185.129.61.3:443 dotsrcExit3/torrc:ORPort [2001:67c:89c:702:1ce:1ce:babe:3]:443 dotsrcExit3/torrc:OutboundBindAddress 185.129.61.3 dotsrcExit3/torrc:OutboundBindAddress [2001:67c:89c:702:1ce:1ce:babe:3] dotsrcExit4/torrc:ORPort 185.129.61.4:443 http://185.129.61.4:443 dotsrcExit4/torrc:ORPort [2001:67c:89c:702:1ce:1ce:babe:4]:443 dotsrcExit4/torrc:OutboundBindAddress 185.129.61.4 dotsrcExit4/torrc:OutboundBindAddress [2001:67c:89c:702:1ce:1ce:babe:4] dotsrcExit5/torrc:ORPort 185.129.61.5:443 http://185.129.61.5:443 dotsrcExit5/torrc:ORPort [2001:67c:89c:702:1ce:1ce:babe:5]:443 dotsrcExit5/torrc:OutboundBindAddress 185.129.61.5 dotsrcExit5/torrc:OutboundBindAddress [2001:67c:89c:702:1ce:1ce:babe:5] dotsrcExit6/torrc:ORPort 185.129.61.6:443 http://185.129.61.6:443 dotsrcExit6/torrc:ORPort [2001:67c:89c:702:1ce:1ce:babe:6]:443 dotsrcExit6/torrc:OutboundBindAddress 185.129.61.6 dotsrcExit6/torrc:OutboundBindAddress [2001:67c:89c:702:1ce:1ce:babe:6] dotsrcExit7/torrc:ORPort 185.129.61.7:443 http://185.129.61.7:443 dotsrcExit7/torrc:ORPort [2001:67c:89c:702:1ce:1ce:babe:7]:443 dotsrcExit7/torrc:OutboundBindAddress 185.129.61.7 dotsrcExit7/torrc:OutboundBindAddress [2001:67c:89c:702:1ce:1ce:babe:7] dotsrcExit8/torrc:ORPort 185.129.61.8:443 http://185.129.61.8:443 dotsrcExit8/torrc:ORPort [2001:67c:89c:702:1ce:1ce:babe:8]:443 dotsrcExit8/torrc:OutboundBindAddress 185.129.61.8 dotsrcExit8/torrc:OutboundBindAddress [2001:67c:89c:702:1ce:1ce:babe:8] dotsrcExit9/torrc:ORPort 185.129.61.9:443 http://185.129.61.9:443 dotsrcExit9/torrc:ORPort [2001:67c:89c:702:1ce:1ce:babe:9]:443 dotsrcExit9/torrc:OutboundBindAddress 185.129.61.9 dotsrcExit9/torrc:OutboundBindAddress [2001:67c:89c:702:1ce:1ce:babe:9] dotsrcRelay1/torrc:ORPort 130.225.244.90:443 http://130.225.244.90:443 dotsrcRelay1/torrc:ORPort [2001:878:346:1cf9:446a:c4eb:4548:7061]:443 dotsrcRelay1/torrc:OutboundBindAddress 130.225.244.90 dotsrcRelay1/torrc:OutboundBindAddress [2001:878:346:1cf9:446a:c4eb:4548:7061] dotsrcRelay2/torrc:ORPort 130.225.244.90:9001 http://130.225.244.90:9001 dotsrcRelay2/torrc:ORPort [2001:878:346:1cf9:446a:c4eb:4548:7062]:9001 dotsrcRelay2/torrc:OutboundBindAddress 130.225.244.90 dotsrcRelay2/torrc:OutboundBindAddress [2001:878:346:1cf9:446a:c4eb:4548:7062]
root@tor-exit:~# ip -br a lo UNKNOWN 127.0.0.1/8 http://127.0.0.1/8 ::1/128 eth0@if11 UP 130.225.244.90/30 http://130.225.244.90/30 130.225.254.114/27 http://130.225.254.114/27 185.129.61.1/24 http://185.129.61.1/24 185.129.61.2/24 http://185.129.61.2/24 185.129.61.3/24 http://185.129.61.3/24 185.129.61.4/24 http://185.129.61.4/24 185.129.61.5/24 http://185.129.61.5/24 185.129.61.6/24 http://185.129.61.6/24 185.129.61.7/24 http://185.129.61.7/24 185.129.61.8/24 http://185.129.61.8/24 185.129.61.9/24 http://185.129.61.9/24 185.129.61.10/24 http://185.129.61.10/24 2001:67c:89c:702:1ce:1ce:babe:10/48 2001:67c:89c:702:1ce:1ce:babe:9/48 2001:67c:89c:702:1ce:1ce:babe:8/48 2001:67c:89c:702:1ce:1ce:babe:7/48 2001:67c:89c:702:1ce:1ce:babe:6/48 2001:67c:89c:702:1ce:1ce:babe:5/48 2001:67c:89c:702:1ce:1ce:babe:4/48 2001:67c:89c:702:1ce:1ce:babe:3/48 2001:67c:89c:702:1ce:1ce:babe:2/48 2001:67c:89c:702:1ce:1ce:babe:1/48 2001:878:346::114/48 2001:878:346:1cf9:446a:c4eb:4548:7062/48 2001:878:346:1cf9:446a:c4eb:4548:7061/48 fe80::216:3eff:fed5:6809/64
root@tor-exit:~# ss -s Total: 139982 TCP: 148318 (estab 128481, closed 8757, orphaned 527, timewait 8744)
Transport Total IP IPv6 RAW 1 0 1 UDP 247 193 54 TCP 139561 125849 13712 INET 139809 126042 13767 FRAG 0 0 0
It would be really nice if you could update the scripts to support this kind of setup! And maybe also consider using plain nftables instead of relying on the legacy iptables compatibility layer :)
Best regards Anders
On Thu, Dec 1, 2022 at 6:42 PM Chris <tor@wcbsecurity.com mailto:tor@wcbsecurity.com> wrote:
Hi Andres, Not at all. That's how I'm running my own relays. Just run the **combined.sh** on each individual VM and you'll be fine. As for the ORPort, yes, I agree. There are ways to read the torrc file and set the ORPort automatically. I will incorporate that into the scripts in future versions. My original intention was to put something simple together with minimum complexity that anyone with little or no expertise can understand and modify if necessary without breaking the code. I've also set up a [Discussion Board](https://github.com/Enkidu-6/tor-ddos/discussions) for the repository on github in case you have any questions, suggestions or simply need further help. On 12/1/2022 11:57 AM, Anders Trier Olesen wrote: > Hi Chris > > We run all the 12 dotsrc relays on a single host with many IP > addresses. Would we need to change anything? > > Btw, you can make the scripts find the all the OR ports by running > something like ‘ss -pl | grep tor’. > > - Anders > > tor. 1. dec. 2022 kl. 09.02 skrev Chris <tor@wcbsecurity.com <mailto:tor@wcbsecurity.com> > <mailto:tor@wcbsecurity.com <mailto:tor@wcbsecurity.com>>>: > > Background: > > A set of bash scripts used to apply iptables rules to fight the > current > DDoS attacks. They require no dependencies to install except > iptable/nftables which all Linux flavors already have and require no > particular expertise. The issue was discussed here: > > [issue > 40093](https://gitlab.torproject.org/tpo/community/support/-/issues/40093) > > Change log: > > Some modifications due to a change in the nature of the attacks. > > - Re ordered rules for more efficiency and reducing the load > - Removed the hashlimit rule as it puts more load on the system > with not > much overall benefit as the attackers have adapted to it and it > reduces > the size of the block list. > - Reduce the number of allowed concurrent connections to 2 if > you're not > a relay. > - Use of remove.sh cron script at regular intervals (optional) > will give > relays a chance to create up to 4 connections if they need to. > ******- Created a new cron file **refresh-authorities.sh** to refresh > your allow-list with the most up to date IP addresses for the > authorities and snowflake. Should be run daily. > - Removed an unnecessary line in the update files. > - Modified Readme.MD file to reflect new changes. > > The new modifications have been tested for two weeks now and the > systems > are running smoothly with no ill effect. > > You can read more and download here: > > [Enkidu-6 tor-ddos on Github](https://github.com/Enkidu-6/tor-ddos) > > To avoid occasional NTor drops a minimum NumCPUs 16 in torrc is > recommended. > > P.S. > The NumCPUs option is unfortunately poorly documented. It really has > nothing to do with the number of CPUs you have. It's about the > number of > worker threads Tor will create to deal with decryption of > onionskins. So > you can have two CPUs and still set NumCPUs to 16. > > > _______________________________________________ > tor-relays mailing list > tor-relays@lists.torproject.org <mailto:tor-relays@lists.torproject.org> > <mailto:tor-relays@lists.torproject.org <mailto:tor-relays@lists.torproject.org>> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays >
tor-relays@lists.torproject.org
-
Anders Trier Olesen -
Chris