Issue 40636 and others deal with DDoS / concurrent connections. Here're few numbers from my attempt [1] of the last days to block such ip addresses. The stats are from 2 relays running at the same ip.
Currently there're 700 ip addresses (15 IPv6) caught in the denylist. Those either opened >4 connections to the same orport and/or produced
12 new connection attemps within 5 minutes to the orport.
Those system do re-appear quickly if the denylist is flushed.
Within one hour over 500K packets, mainly TCP connection attempts, are dropped.
Furthermore the number of used sockets at the system is reduced from
35K to about 21K.
Nevertheless both relays spew the warnings "Your computer is too slow" and "General overload" from time to time. I do assume that this is a layer 7 problem and therefore can't be fixed at layer 3.
The filter is build up from iptables. Scripts for IPv4 and IPv6 can be found under [2] and [3] respectively.
[1] https://gitlab.torproject.org/tpo/core/tor/-/issues/40636#note_2821683 [2] https://github.com/toralf/torutils/blob/main/ipv4-rules.sh [3] https://github.com/toralf/torutils/blob/main/ipv6-rules.sh
-- Toralf
tor-relays@lists.torproject.org