[tor-relays] max TCP interruption before Tor circuit teardown?
David Serrano
tor at dserrano5.es
Tue Oct 29 14:01:40 UTC 2013
On 2013-10-27 16:35:43 (-0700), Gordon Morehouse wrote:
>
> And, after the boot, I've simulated an aggressive host from another
> machine using hping, and here's the output of 'iptables -L' after
> fail2ban banned the host (LAN IP partly redacted to settle my
> paranoia): http://pastebin.com/1L62z23b
That resulting ruleset will break circuits. Packets from flooding hosts won't
have a chance to reach the '--state ESTABLISHED' rule since they are dropped
before that, from within the fail2ban-tor-syn-flood chain.
> > However, do you need fail2ban now that you are throttling SYNs
> > without affecting circuits?
>
> Uncertain. I'd added it as an adjunct to the throttling, hoping a
> temporary placement into the DROP chain would save cycles and memory
> as REJECT ICMP packets would no longer be sent
But you can drop packets in the SYN_THROTTLE chain instead of rejecting them,
without fail2ban. Or you can accept them until a threshold is reached, then
log/reject them up to a second threshold, then silently drop them.
--
David Serrano
GnuPG id: 280A01F9
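An added example, not part of the thread and not David Serrano's or the Tor project's own rules, of the tiered approach sketched above: accept SYNs per source up to a first threshold, log and reject them up to a second, then silently drop, with the ESTABLISHED/RELATED accept placed ahead of the throttle jump so packets belonging to circuits that are already up never enter the throttle chain (the ordering problem the fail2ban ruleset had). The ORPort (9001), the two rate thresholds, the chain names and the availability of the hashlimit, conntrack and limit modules are assumptions. The script only prints the iptables commands unless run with "apply"; the check function verifies the ordering that matters for circuits.

```shell
#!/bin/sh
# Tiered SYN throttling for a Tor ORPort (example, not from the thread).
# Assumed: ORPort 9001, the thresholds below, chain names SYN_THROTTLE and
# SYN_LOG_REJECT not already existing, Linux iptables with hashlimit/conntrack.
set -eu

ORPORT="${ORPORT:-9001}"        # assumed ORPort; override via environment
IPT="${IPT:-iptables}"          # iptables binary used when applying

# Per-source thresholds (assumed values; tune for the relay's real load).
ACCEPT_RATE="5/second";  ACCEPT_BURST=20   # tier 1: accept
REJECT_RATE="20/second"; REJECT_BURST=40   # tier 2: log + reject (excess over tier 1)
# Tier 3: anything beyond tier 2 is dropped without a reply.

# Print the rules, one iptables invocation per line, in install order.
# The ESTABLISHED,RELATED accept is inserted at position 1 of INPUT, before
# the jump to SYN_THROTTLE, so established circuit traffic is never throttled
# or dropped no matter how a source is currently rated.
syn_throttle_rules() {
    cat <<EOF
$IPT -N SYN_THROTTLE
$IPT -N SYN_LOG_REJECT
$IPT -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport $ORPORT --syn -m conntrack --ctstate NEW -j SYN_THROTTLE
$IPT -A SYN_THROTTLE -m hashlimit --hashlimit-name tor_syn_ok --hashlimit-mode srcip --hashlimit-upto $ACCEPT_RATE --hashlimit-burst $ACCEPT_BURST -j ACCEPT
$IPT -A SYN_THROTTLE -m hashlimit --hashlimit-name tor_syn_warn --hashlimit-mode srcip --hashlimit-upto $REJECT_RATE --hashlimit-burst $REJECT_BURST -j SYN_LOG_REJECT
$IPT -A SYN_THROTTLE -j DROP
$IPT -A SYN_LOG_REJECT -m limit --limit 10/minute --limit-burst 5 -j LOG --log-prefix "tor-syn-throttle: " --log-level 4
$IPT -A SYN_LOG_REJECT -p tcp -j REJECT --reject-with tcp-reset
EOF
}

# Sanity check on the generated ruleset: the ESTABLISHED accept must come
# before the throttle jump, and SYN_THROTTLE must end in a silent DROP.
# Returns 0 when both hold, 1 otherwise.
check_rule_order() {
    rules=$(syn_throttle_rules)
    est=$(printf '%s\n' "$rules" | grep -n -- '--ctstate ESTABLISHED' | head -1 | cut -d: -f1)
    jmp=$(printf '%s\n' "$rules" | grep -n -- '-j SYN_THROTTLE' | head -1 | cut -d: -f1)
    last=$(printf '%s\n' "$rules" | grep -- '-A SYN_THROTTLE ' | tail -1)
    [ -n "$est" ] && [ -n "$jmp" ] && [ "$est" -lt "$jmp" ] || return 1
    case "$last" in *"-j DROP") return 0 ;; *) return 1 ;; esac
}

case "${1:-print}" in
    apply) check_rule_order && syn_throttle_rules | sh -e ;;  # needs CAP_NET_ADMIN
    *)     syn_throttle_rules ;;                               # dry run: print only
esac
```

Each hashlimit rule only sees the packets the rule above it let through, so the second counter measures the excess over the first threshold rather than the total. The LOG rule is additionally limited with -m limit so a flood cannot turn into a log flood, and the REJECT carries -p tcp because --reject-with tcp-reset is only valid for TCP.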