blocking >1 connections per ip address onto Tor DirPort
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 I do have the following iptables rule here : # Tor # dirport=80 orport=443 $IPT -A INPUT -p tcp --destination-port $dirport --match conntrack --ctstate NEW --match connlimit --connlimit-above 1 --connlimit-mask 32 -j DROP $IPT -A INPUT -p tcp --destination-port $orport --match conntrack --ctstate NEW --match connlimit --connlimit-above 1 --connlimit-mask 32 -j DROP which seems to work fine. An $> ip6tables -nvL gives 14110 746K DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW #conn src/32 > 1 230K 14M DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW #conn src/32 > 1 after few days so I do just like to ask here if the rules above are fine or if I overllooked something ? - -- Toralf PGP C4EACDDE 0076E94E -----BEGIN PGP SIGNATURE----- iI0EAREIADUWIQQaN2+ZSp0CbxPiTc/E6s3eAHbpTgUCWZM4sxccdG9yYWxmLmZv ZXJzdGVyQGdteC5kZQAKCRDE6s3eAHbpTqnGAQCPr7gkpaxRD3spzKp49l53A2H0 YOzXrw8G8vR8BtHZPQD+NE4Zhf7Y0w0JtKqy6E5bSowikeSJsKSDur8zxO+kf8E= =UPak -----END PGP SIGNATURE-----
On Tue, Aug 15, 2017 at 2:08 PM, Toralf Förster <toralf.foerster@gmx.de> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
I do have the following iptables rule here :
# Tor # dirport=80 orport=443
$IPT -A INPUT -p tcp --destination-port $dirport --match conntrack --ctstate NEW --match connlimit --connlimit-above 1 --connlimit-mask 32 -j DROP $IPT -A INPUT -p tcp --destination-port $orport --match conntrack --ctstate NEW --match connlimit --connlimit-above 1 --connlimit-mask 32 -j DROP
which seems to work fine. An
$> ip6tables -nvL
gives
14110 746K DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW #conn src/32 > 1 230K 14M DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW #conn src/32 > 1
after few days so I do just like to ask here if the rules above are fine or if I overllooked something ?
- -- Toralf PGP C4EACDDE 0076E94E -----BEGIN PGP SIGNATURE-----
iI0EAREIADUWIQQaN2+ZSp0CbxPiTc/E6s3eAHbpTgUCWZM4sxccdG9yYWxmLmZv ZXJzdGVyQGdteC5kZQAKCRDE6s3eAHbpTqnGAQCPr7gkpaxRD3spzKp49l53A2H0 YOzXrw8G8vR8BtHZPQD+NE4Zhf7Y0w0JtKqy6E5bSowikeSJsKSDur8zxO+kf8E= =UPak -----END PGP SIGNATURE----- _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Hey I am just curious: why is it needed to block >1 connections per ip address onto Tor DirPort? -- Best regards, Boris Nagaev
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 08/15/2017 10:57 PM, Nagaev Boris wrote:
Hey
I am just curious: why is it needed to block >1 connections per ip address onto Tor DirPort?
Tor serves the "DirPortFrontPage /etc/tor/tor-exit-notice_DE.html" at that port and I'd like to avoid a slow responsive Tor due to a DDoS at that port. - -- Toralf PGP C4EACDDE 0076E94E -----BEGIN PGP SIGNATURE----- iI0EAREIADUWIQQaN2+ZSp0CbxPiTc/E6s3eAHbpTgUCWZNn7xccdG9yYWxmLmZv ZXJzdGVyQGdteC5kZQAKCRDE6s3eAHbpTgGuAQCGHFf0hjWZiMz4yWWgP/Xl/5bd /q0eCkWFwmxhb0ksFAD/cPZUw8DAOHGM1vdlhZqnWpqX/Rb8AgU14nVcb9p0Kb0= =xGHs -----END PGP SIGNATURE-----
@Toralf
Tor serves the "DirPortFrontPage /etc/tor/tor-exit-notice_DE.html" at that port and I'd like to avoid a slow responsive Tor due to a DDoS at that port.
Tor also provides the directory service on the same port (unless you have it disabled). How do you know limiting the connections doesn't impact the directory service?
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 08/15/2017 11:37 PM, tor wrote:
Tor also provides the directory service on the same port (unless you have it disabled). How do you know limiting the connections doesn't impact the directory service?
Does a particular Tor server/client will open more than 1 connection at a time from to the DirPort ? - -- Toralf PGP C4EACDDE 0076E94E -----BEGIN PGP SIGNATURE----- iI0EAREIADUWIQQaN2+ZSp0CbxPiTc/E6s3eAHbpTgUCWZNtHxccdG9yYWxmLmZv ZXJzdGVyQGdteC5kZQAKCRDE6s3eAHbpTg97AP9cdcrZPz+bhuqv38YXAXGBIdFZ SN7EBXIpSnRuP7j8kAD/bA5hd/Fm3ZFDkfwi+uNI8h1CN++lbGhcBChtFgu+Drk= =BPpX -----END PGP SIGNATURE-----
On Tue, Aug 15, 2017 at 11:52:31PM +0200, Toralf Förster wrote:
Does a particular Tor server/client will open more than 1 connection at a time from to the DirPort ?
I think we definitely want to support that in the protocol. I'm not sure whether it happens right now, but it might. But preventing it from happening is likely bad. Note that most clients use the ORPort for fetching directory stuff, and that's heading towards "all clients" as people upgrade and stop using weird configurations. So the DirPort is mainly used on authorities (by relays that fetch dir stuff or upload relay descriptors), and by auxiliary tools like stem and the various metrics project scripts. If you're worried about denial of service issues on the DirPort, maybe the simple answer is to turn off the DirPort? I think the only real impact might have something to do with whether old clients believe that you're a usable guard. --Roger
Just out of curiosity, do DoS attacks against dirports even happen? My server gets nailed by what my host thinks is a DOS every now and then but I'm yet to get details. Does anyone have a good idea on how I would be able to classify traffic as an attack rather than normal "shitloads of traffic" ? On Tue, Aug 15, 2017 at 5:22 PM, Roger Dingledine <arma@mit.edu> wrote:
On Tue, Aug 15, 2017 at 11:52:31PM +0200, Toralf Förster wrote:
Does a particular Tor server/client will open more than 1 connection at a time from to the DirPort ?
I think we definitely want to support that in the protocol.
I'm not sure whether it happens right now, but it might.
But preventing it from happening is likely bad.
Note that most clients use the ORPort for fetching directory stuff, and that's heading towards "all clients" as people upgrade and stop using weird configurations. So the DirPort is mainly used on authorities (by relays that fetch dir stuff or upload relay descriptors), and by auxiliary tools like stem and the various metrics project scripts.
If you're worried about denial of service issues on the DirPort, maybe the simple answer is to turn off the DirPort? I think the only real impact might have something to do with whether old clients believe that you're a usable guard.
--Roger
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
The “normal” classification of DDOS is more than 250000 packets/sec to your server/vps. You could check if it is a smurf attack or x-mas or whatever, but normally you will be null routed with 250k+ or the (hopefully) good anti DDOS hardware of the ISP will kick in. Markus “Cheery was aware that Commander Vimes didn't like the phrase 'The innocent have nothing to fear', believing the innocent had everything to fear, mostly from the guilty but in the longer term even more from those who say things like 'The innocent have nothing to fear'.” ― Terry Pratchett, Snuff
On 16. Aug 2017, at 01:16, eric gisse <jowr.pi@gmail.com> wrote:
Just out of curiosity, do DoS attacks against dirports even happen?
My server gets nailed by what my host thinks is a DOS every now and then but I'm yet to get details.
Does anyone have a good idea on how I would be able to classify traffic as an attack rather than normal "shitloads of traffic" ?
On Tue, Aug 15, 2017 at 5:22 PM, Roger Dingledine <arma@mit.edu> wrote:
On Tue, Aug 15, 2017 at 11:52:31PM +0200, Toralf Förster wrote:
Does a particular Tor server/client will open more than 1 connection at a time from to the DirPort ?
I think we definitely want to support that in the protocol.
I'm not sure whether it happens right now, but it might.
But preventing it from happening is likely bad.
Note that most clients use the ORPort for fetching directory stuff, and that's heading towards "all clients" as people upgrade and stop using weird configurations. So the DirPort is mainly used on authorities (by relays that fetch dir stuff or upload relay descriptors), and by auxiliary tools like stem and the various metrics project scripts.
If you're worried about denial of service issues on the DirPort, maybe the simple answer is to turn off the DirPort? I think the only real impact might have something to do with whether old clients believe that you're a usable guard.
--Roger
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 08/16/2017 12:22 AM, Roger Dingledine wrote:
On Tue, Aug 15, 2017 at 11:52:31PM +0200, Toralf Förster wrote:
Does a particular Tor server/client will open more than 1 connection at a time from to the DirPort ?
I think we definitely want to support that in the protocol.
I'm not sure whether it happens right now, but it might.
But preventing it from happening is likely bad.
Note that most clients use the ORPort for fetching directory stuff, and that's heading towards "all clients" as people upgrade and stop using weird configurations. So the DirPort is mainly used on authorities (by relays that fetch dir stuff or upload relay descriptors), and by auxiliary tools like stem and the various metrics project scripts.
If you're worried about denial of service issues on the DirPort, maybe the simple answer is to turn off the DirPort? I think the only real impact might have something to do with whether old clients believe that you're a usable guard.
understood - removed those iptables rules - -- Toralf PGP C4EACDDE 0076E94E -----BEGIN PGP SIGNATURE----- iI0EAREIADUWIQQaN2+ZSp0CbxPiTc/E6s3eAHbpTgUCWZR6CxccdG9yYWxmLmZv ZXJzdGVyQGdteC5kZQAKCRDE6s3eAHbpTgNjAP0QUqGlvZdmppzthH85VXkS43xO iQRyNlODzRe5Jf9TpgD+JX+/bCuuOH/qh+Jdd9GrDBJZ9uvjtQX3OKF9C+u9oKo= =9bQM -----END PGP SIGNATURE-----
On Tue, 15 Aug 2017 23:52:31 +0000, Toralf Förster wrote: ...
Does a particular Tor server/client will open more than 1 connection at a time from to the DirPort ?
Even if not per se, multiple (old) clients behind a common NAT may do so. Andreas -- "Totally trivial. Famous last words." From: Linus Torvalds <torvalds@*.org> Date: Fri, 22 Jan 2010 07:29:21 -0800
Note that most clients use the ORPort for fetching directory stuff, and that's heading towards "all clients" as people upgrade and stop using weird configurations.
If you're worried about denial of service issues on the DirPort, maybe the simple answer is to turn off the DirPort? I think the only real impact might have something to do with whether old clients believe that you're a usable guard.
What about fallback directory mirrors? Does fallback traffic go over the ORPort too? Is it safe to disable the DirPort on a fallback relay?
On 16 Aug 2017, at 14:22, tor <tor@anondroid.com> wrote:
Note that most clients use the ORPort for fetching directory stuff, and that's heading towards "all clients" as people upgrade and stop using weird configurations.
If you're worried about denial of service issues on the DirPort, maybe the simple answer is to turn off the DirPort? I think the only real impact might have something to do with whether old clients believe that you're a usable guard.
What about fallback directory mirrors? Does fallback traffic go over the ORPort too?
Bootstrapping clients always use the ORPort to talk to fallbacks. (Both features were introduced in 0.2.8.) Bootstrapping relays use the DirPort to talk to fallbacks.
Is it safe to disable the DirPort on a fallback relay?
If you disable the DirPort, the fallback will be excluded when we next rebuild the list. We are working on ORPort-only fallbacks, but it's low priority, because the existing system works. To make it work, we need to: #18856: teach stem to talk ORPort so we can check the fallback, and #19129: modify the fallback checking script to allow ORPort-only fallbacks T -- Tim Wilson-Brown (teor) teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org ------------------------------------------------------------------------
participants (8)
-
Andreas Krey -
eric gisse -
Nagaev Boris -
niftybunny -
Roger Dingledine -
teor -
tor -
Toralf Förster