[tor-relays] max TCP interruption before Tor circuit teardown?

Gordon Morehouse gordon at morehouse.me
Sun Oct 27 23:35:43 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

David Serrano:
> On 2013-10-27 15:00:10 (-0700), Gordon Morehouse wrote:
>> 
>> Here's my 'iptables -L' output, on pastebin because it's a mess
>> when formatted for email:  http://pastebin.com/f1VZNeTF
>> 
>> That's not a fresh boot, though, I did:
>> 
>> 'iptables -F' 'service fail2ban reload'
>> 
>> and then ran the iptables commands by hand, in order.
> 
> Things may potentially be different after a reboot, so I'd
> recommend rebooting now and see how the firewall ends up. Right now
> it seems that fail2ban would ban and break existing circuits. It
> all depends on what rules it inserts into its chain.

Here's the output of 'iptables -L' after a fresh boot:
http://pastebin.com/b0PUbJJX

And, after the boot, I've simulated an aggressive host from another
machine using hping, and here's the output of 'iptables -L' after
fail2ban banned the host (LAN IP partly redacted to settle my
paranoia): http://pastebin.com/1L62z23b

Incidentally, this experiment confirmed that once fail2ban has banned
a host, further packets are not logged such that fail2ban must parse
them, which was an open question and is now answered, and answered the
way I wanted.

> However, do you need fail2ban now that you are throttling SYNs
> without affecting circuits?

Uncertain.  I'd added it as an adjunct to the throttling, hoping a
temporary placement into the DROP chain would save cycles and memory
as REJECT ICMP packets would no longer be sent; in the only major Tor
SYN flood I've experienced since adding fail2ban to the mix (and
reducing the SYN limits from 4/sec burst 10 to 3/sec burst 6),
fail2ban eventually fell far enough behind in parsing logs of those
SYNs exceeding the limits that it could not catch up and stopped
banning hosts.  The node survived the flood for the first time without
crashing, but fail2ban was working for the first 20-30 min or so IIRC,
so that may have helped, or it may have just been the reduction in the
SYN throttle limits.

I have an open bug in the project tracker[1] regarding figuring out
what to do with fail2ban, and one of the options is to get rid of it,
but I don't know enough yet.

1. https://www.pivotaltracker.com/s/projects/917796

Thanks a ton for your help!

Best,
- -Gordon M.


-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJSbaNMAAoJED/jpRoe7/ujSngH/1B1u3C1PjQHa77/YtvRRUy9
ZmzGmbNmZFOwNIdFA/VRCBPsTmluN5FemVzjRVTpPBFhlVmBbc6V4pgvtdyWGVUg
Obs+za5ZZU1ccws+ZfG5pqvwB6UPpMY3mf38JwUuiUvQAVKNCLqvk9HulhCF9Ams
F/kexeotFYm6nFUq4CJ0nA6Z3O8KQhCFEHMY8Ercj92UgfeTMvP/GxTS9qoGt2c6
Fyy+4xYO1v8PHY6NhcU9bPOscngWLj3Wq6DsmNYqCOv5B5aYuM+ycVpqjYsRT5hr
gF6eFZvl37BnQvS2fnXhw7ppT5wUbzgF0O3LDuM5Bv5Rj8P/397oE6Mfuu5RMXo=
=IiEm
-----END PGP SIGNATURE-----
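Added example, not part of the message above and not the poster's actual rules or fail2ban's code: a small model of the pipeline the thread is discussing, so the interaction between a SYN rate limit, the kernel LOG target and a fail2ban-style jail can be run on constructed traffic. Assumptions: a single global token bucket standing in for "-m limit --limit 3/sec --limit-burst 6" (hashlimit would give one bucket per source); a rule order in which the jail's DROP chain is consulted before the limit/LOG rules, which is what makes banned hosts produce no further log lines, as the experiment above confirmed; jail parameters maxretry=5, findtime=60 s, bantime=600 s; and LOG lines constructed in the shape of the kernel's iptables LOG output. Source addresses, the log prefix and the traffic pattern are all made up for the example.

```python
"""Toy model of SYN throttle + LOG + fail2ban-style jail (constructed example).

Rule order modelled: (1) jail chain drops banned sources, (2) `-m limit` ACCEPTs
SYNs while tokens remain, (3) LOG, (4) DROP.  Because (1) precedes (3), a banned
source never produces another log line for the jail to parse."""
import re
from collections import defaultdict, deque

# Fields of a kernel iptables LOG line that the jail filter keys on.
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*PROTO=TCP .*DPT=(?P<dpt>\d+) .*\bSYN\b")


def format_log_line(src, dport):
    """Constructed LOG line in the shape the kernel emits for `-j LOG` (assumed prefix)."""
    return (f"kernel: SYNFLOOD IN=eth0 OUT= SRC={src} DST=198.51.100.7 LEN=60 "
            f"TTL=64 PROTO=TCP SPT=40000 DPT={dport} WINDOW=65535 RES=0x00 SYN URGP=0")


class SynLimiter:
    """Token bucket approximating iptables `-m limit`: refills at `rate` tokens/sec
    up to `burst`; a SYN passes only if a whole token is available.
    Assumption: one global bucket (hashlimit would keep one per source)."""

    def __init__(self, rate=3.0, burst=6):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Jail:
    """fail2ban-style jail: maxretry matching lines within findtime seconds
    bans the source for bantime seconds (parameters are assumed values)."""

    def __init__(self, maxretry=5, findtime=60.0, bantime=600.0):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.hits = defaultdict(deque)   # src -> timestamps of matching log lines
        self.bans = {}                   # src -> time at which the ban lifts

    def is_banned(self, src, now):
        until = self.bans.get(src)
        if until is None:
            return False
        if now >= until:                 # bantime elapsed: lift the ban
            del self.bans[src]
            return False
        return True

    def feed(self, now, line):
        """Parse one log line; return the source address if it just got banned."""
        m = LOG_RE.search(line)
        if not m:
            return None
        src = m.group("src")
        q = self.hits[src]
        q.append(now)
        while q and now - q[0] > self.findtime:   # forget hits older than findtime
            q.popleft()
        if len(q) >= self.maxretry:
            self.bans[src] = now + self.bantime
            q.clear()
            return src
        return None


def simulate(events, limiter=None, jail=None):
    """events: iterable of (time_s, src_ip, dport) SYN arrivals.
    Returns (per-source counters, emitted log lines, [(time, banned_src), ...])."""
    limiter = limiter or SynLimiter()
    jail = jail or Jail()
    stats = defaultdict(lambda: {"accepted": 0, "logged": 0, "dropped_banned": 0})
    log_lines, bans = [], []
    for t, src, dport in sorted(events):
        if jail.is_banned(src, t):               # rule 1: jail chain -> DROP, no LOG
            stats[src]["dropped_banned"] += 1
            continue
        if limiter.allow(t):                      # rule 2: -m limit ... -j ACCEPT
            stats[src]["accepted"] += 1
            continue
        line = format_log_line(src, dport)        # rule 3: -j LOG (rule 4: DROP)
        log_lines.append(line)
        stats[src]["logged"] += 1
        banned = jail.feed(t, line)
        if banned is not None:
            bans.append((t, banned))
    return dict(stats), log_lines, bans


if __name__ == "__main__":
    # Constructed traffic: 30 SYNs in 0.3 s from one source, three well-spaced
    # SYNs from another, and one retry from the first source after bantime.
    syns = [(i / 100, "10.0.0.99", 9001) for i in range(30)]
    syns += [(0.5, "192.0.2.10", 9001), (5.0, "192.0.2.10", 9001), (10.0, "192.0.2.10", 9001)]
    syns += [(700.0, "10.0.0.99", 9001)]
    stats, lines, bans = simulate(syns)
    for src, counters in stats.items():
        print(src, counters)
    print("bans:", bans, "log lines written:", len(lines))
```

With the constructed traffic, the burst source gets six SYNs through the bucket, five excess SYNs logged (enough for the jail), and the remaining nineteen dropped silently by the ban; the well-spaced source is never throttled, and the burst source is accepted again once bantime has passed. Reversing rules 1 and 3 in the model (checking the jail after LOG) is the configuration David Serrano warned about in the thread: the ban would still bite, but every dropped SYN would keep producing a log line for fail2ban to parse.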

