[tor-relays] max TCP interruption before Tor circuit teardown?

David Serrano tor at dserrano5.es
Tue Oct 22 18:52:56 UTC 2013


First post to this mailing list. I joined the network 3 days ago with a Via
Nehemia system, 1 GHz, 256 Mb RAM, RelayBandwidthRate 500 KB.


On 2013-10-20 09:42:01 (-0700), Gordon Morehouse wrote:
> 
> First, during a SYN flood type overload, some peers which have
> *existing* circuits built through the relay and are sending SYNs as
> normal traffic, will stochastically get "caught" in the filter and
> banned for a short time.  If these hosts already have circuits open
> through the relay which is overloaded, I would prefer to preserve
> those circuits rather than break them.  My defensive strategy versus
> overload here is to throttle new circuit creation requests, *not* to
> break existing circuits.
> 
> So here's the $64,000 question:
> 
> If a tor relay has a circuit built through a peer, and the peer starts
> dropping 100% of packets, how long will it take before the relay with
> the circuit "gives up" on the circuit and tears it down?  I want to
> set my temp ban time *below* this timeout.  Thus, unlucky peers that
> were caught in the filter and have circuits already built through the
> relay will experience a brief performance degradation, but they
> won't lose their active circuits through the overloaded relay, and in
> the meantime hopefully the overload condition is becoming resolved.

I can think of two approaches to your problem:

- You can 'iptables -m state --state ESTABLISHED -j ACCEPT' early in your
ruleset, so all existing circuits will be allowed. I understand this is pretty
standard practice and I'm somewhat surprised that you're not already doing
it. Your SYN throttling would appear later in the ruleset. You could be
aggressive at this point since you know that you won't break any circuit.

- Besides this, you can 'iptables -p tcp --syn -j SYN_THROTTLE' and populate a
new SYN_THROTTLE chain with your desired rules to tell peers to calm down.
Only SYN packets will enter this chain, the established circuits won't match
this rule and will traverse the rest of the ruleset unaffected.

Since I run a new node and am discovering this new world, I'm somewhat concerned
that once I gain the Stable flag I'll be SYN flooded too, so I'll pay attention
to this too.


-- 
 David Serrano
 GnuPG id: 280A01F9
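The two-stage ruleset described above (accept ESTABLISHED traffic first, send only SYNs to a separate throttle chain) written out as an added example; this is not code from the thread or from the Tor project. It assumes an ORPort of 9001 (override with ORPORT), an iptables build with the hashlimit match, and per-source rate and burst values that are placeholders to tune. The script emits the rules as text so they can be reviewed before being applied as root; the ordering in the output is the security-relevant point, since a SYN rule placed before the ESTABLISHED rule would not break circuits either, but an aggressive DROP placed before it would.

```shell
#!/bin/sh
# Added example for the tor-relays thread; not the poster's or Tor's code.
# Assumptions: ORPort 9001, iptables with the hashlimit match available.
ORPORT="${ORPORT:-9001}"
SYN_RATE="${SYN_RATE:-30/second}"   # placeholder: new connections per source IP
SYN_BURST="${SYN_BURST:-60}"        # placeholder: burst allowed before throttling

# Emit the ruleset as iptables command lines. Rule 3 (ESTABLISHED accept)
# must come before rule 4 (SYN jump): packets belonging to already-built
# circuits never reach SYN_THROTTLE, so throttling cannot tear them down.
tor_syn_ruleset() {
    cat <<EOF
iptables -N SYN_THROTTLE 2>/dev/null || true
iptables -F SYN_THROTTLE
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport $ORPORT --syn -j SYN_THROTTLE
iptables -A SYN_THROTTLE -m hashlimit --hashlimit-name tor_syn --hashlimit-mode srcip --hashlimit-upto $SYN_RATE --hashlimit-burst $SYN_BURST -j ACCEPT
iptables -A SYN_THROTTLE -j DROP
EOF
}

# Sanity check used before applying: return 0 only if the ESTABLISHED accept
# precedes the SYN jump in the emitted ruleset, 1 otherwise.
tor_syn_ruleset_ordered() {
    rules=$(tor_syn_ruleset)
    est=$(printf '%s\n' "$rules" | grep -n 'ESTABLISHED' | cut -d: -f1)
    syn=$(printf '%s\n' "$rules" | grep -n -- '--syn' | cut -d: -f1)
    [ -n "$est" ] && [ -n "$syn" ] && [ "$est" -lt "$syn" ]
}

# Apply the rules (requires root). Not called automatically; run
#   . ./this_script.sh && tor_syn_apply
tor_syn_apply() {
    tor_syn_ruleset_ordered || { echo "refusing: ESTABLISHED rule not first" >&2; return 1; }
    tor_syn_ruleset | sh
}
```

Only SYN packets to the ORPort enter SYN_THROTTLE; hashlimit keyed on srcip lets each source open connections at SYN_RATE with a burst of SYN_BURST, and anything beyond that is dropped rather than rejected so the client simply retries later. Because the per-source counter only sees new connection attempts, a peer whose circuits are already built keeps using them unaffected, which is exactly the property the original question was after.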