[tor-relays] blocking >1 connections per ip address onto Tor DirPort
Felix
zwiebel at quantentunnel.de
Thu Aug 17 09:42:05 UTC 2017
Hi everybody
>>> Will a particular Tor server/client open more than 1
>>> connection at a time to the DirPort?
>> If you're worried about denial of service issues on the DirPort,
>> maybe the simple answer is to turn off the DirPort? I think the
>> only real impact might have something to do with whether old
>> clients believe that you're a usable guard.
> understood - removed those iptables rules
Good discussion. My experience is that protecting the DirPort makes
sense to avoid DDoS attempts.
During my Debian times this rule worked fine for me:
# -m limit is a single token bucket for the whole rule, shared by all
# sources; packets over the limit do not match and fall through to the
# rules that follow, so those decide what happens to the excess
/sbin/iptables -A INPUT -p tcp -d $IPEXT --dport 80 \
    -m limit --limit 5/s --limit-burst 50 -j ACCEPT
On FreeBSD I go with something like:
# the overload table must be declared before a rule references it;
# a host in <blockDIR> no longer matches this pass rule and is left
# to the default block policy
table <blockDIR> persist
pass in on $IFEXT inet proto tcp from !<blockDIR> to $IPEXT port 80 \
    flags S/SA keep state (max 150, max-src-states 50, max-src-conn 50, \
    max-src-conn-rate 20/10, overload <blockDIR>)
# release the blockDIR entries after some hours (entries older than
# 7200 seconds are dropped; run from an hourly cron job)
pfctl -t blockDIR -T expire 7200
--
Cheers, Felix
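[Added example, not part of Felix's post and not code from iptables, pf or Tor: a simplified model of the two rate limits quoted above, run over a constructed connection trace. The point it makes is the one the thread subject asks about: the iptables "-m limit" match is a single token bucket per rule shared by every source address, so a flooder drains it for well-behaved clients too, while pf's "max-src-conn-rate N/S, overload <table>" is tracked per source address, so only the offender lands in the table. The addresses, timings and the window-based approximation of pf's per-source counter are assumptions made for the illustration; the model ignores the concurrent-state limits (max, max-src-states, max-src-conn).]

```python
# Added example (not Felix's rules, not kernel code): model of iptables '-m limit'
# versus pf 'max-src-conn-rate ... overload <table>' on a constructed trace.
from collections import defaultdict, deque


class IptablesLimit:
    """Token bucket for '-m limit --limit RATE/s --limit-burst BURST'.
    One bucket for the rule, shared by all sources. Integer milli-tokens
    keep the simulation exact."""

    def __init__(self, rate_per_s, burst):
        self.refill_per_ms = rate_per_s          # milli-tokens gained per millisecond
        self.cap = burst * 1000
        self.tokens = self.cap                   # bucket starts full
        self.last_ms = 0

    def allow(self, now_ms):
        elapsed = now_ms - self.last_ms
        self.tokens = min(self.cap, self.tokens + elapsed * self.refill_per_ms)
        self.last_ms = now_ms
        if self.tokens >= 1000:                  # one whole token per matched packet
            self.tokens -= 1000
            return True
        return False                             # no token: rule does not match at all


class PfSrcConnRate:
    """'max-src-conn-rate N/S, overload <table>' plus a periodic
    'pfctl -t table -T expire EXPIRE_S'. Per-source window of new connections
    (assumption: a sliding window stands in for the kernel's interval counter).
    A source exceeding N new connections in S seconds goes into the table, the
    triggering connection is refused, and so is every later one until the entry
    is older than EXPIRE_S and the cron job has expired it."""

    def __init__(self, n, seconds, expire_s):
        self.n = n
        self.window_ms = seconds * 1000
        self.expire_ms = expire_s * 1000
        self.recent = defaultdict(deque)         # src -> timestamps of recent connections
        self.table = {}                          # overload table: src -> ms when added

    def allow(self, src, now_ms):
        added = self.table.get(src)
        if added is not None:
            if now_ms - added < self.expire_ms:
                return False                     # in <blockDIR>: 'from !<blockDIR>' no longer matches
            del self.table[src]                  # 'pfctl -T expire' released the entry
        window = self.recent[src]
        window.append(now_ms)
        while window and now_ms - window[0] > self.window_ms:
            window.popleft()
        if len(window) > self.n:
            self.table[src] = now_ms
            window.clear()
            return False
        return True


BENIGN, FLOODER = "10.0.0.5", "192.0.2.7"      # constructed addresses


def build_trace():
    """Constructed trace: one client fetching every 2 s for a minute, and one
    host opening 25 connections/s for 10 s starting at t=10 s."""
    events = [(500 + 2000 * k, BENIGN) for k in range(30)]
    events += [(10000 + 40 * i, FLOODER) for i in range(250)]
    return sorted(events)


def run(policy_allow, trace):
    """Return {src: connections accepted} for a policy callable (src, ms) -> bool."""
    accepted = defaultdict(int)
    for ms, src in trace:
        if policy_allow(src, ms):
            accepted[src] += 1
    return dict(accepted)


def compare():
    """Run both policies over the same trace with the values from the post."""
    trace = build_trace()
    bucket = IptablesLimit(rate_per_s=5, burst=50)
    pf = PfSrcConnRate(n=20, seconds=10, expire_s=7200)
    return {
        "iptables": run(lambda src, ms: bucket.allow(ms), trace),
        "pf": run(pf.allow, trace),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, "accepted:", result)
```

With the numbers from the post, the shared bucket drops four of the benign client's fetches during the flood while still admitting close to a hundred of the flooder's connections; the per-source rule admits every benign fetch and cuts the flooder off after its 21st connection in ten seconds. Neither line of the ruleset blocks a source at more than one connection; that is what hashlimit on the iptables side or max-src-conn on the pf side would be for.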