[tor-relays] DoS attacks on multiple relays

Valter Jansons valter.jansons at gmail.com
Tue Dec 5 12:00:06 UTC 2017


A little relay node of a consensus around 220 checking in here. I am seeing
pretty much the same as others are reporting - 11 on 188.214.30.0/24 and 10
on 217.12.223.0/24.
The AS is called THC Projects SRL. They seem to provide VPS hosting among
other things and ipinfo.io/AS51177 <https://ipinfo.io/AS51177#domains>
reports that they host a lot of domains over there as well.
Not sure how seriously one should take this, but it's interesting for sure
regardless.

-- 4096R/A83CE748 Valters Jansons

On Tue, Dec 5, 2017 at 1:50 PM x9p <tor at x9p.org> wrote:

>
> my second and third positions are similar:
>
>       9 217.12.223.0/24 (family and contact info set)
>       8 178.16.208.0/24 (family and contact info set, too)
>
>
> > Interesting to see. I have similar stats. 10 connections from
> > 188.214.30.0/24, second up 8 connections from 178.16.208.0/24. Thanks!
> >
> > On Tue, Dec 5, 2017 at 4:27 PM, x9p <tor at x9p.org> wrote:
> >
> >>
> >> first measure on a good day how many connections per /24 your exit/relay
> >> has, excluding those with just 1, 2 or 3 connections:
> >>
> >> # netstat -tupan | grep ESTABLISHED | grep /tor | awk '{print $5}' | awk -F: '{print $1}' | awk -F. '{print $1"."$2"."$3}' | sort | uniq -c | sort | egrep -v '      1 |      2 |      3 '
> >>
> >> with this information in hand, double the max of it (mine was 10
> >> connections from 188.214.30.0/24):
> >>
> >>      10 188.214.30
> >>
> >> iptables -A INPUT -i eth0 -p tcp -m connlimit --connlimit-above 20 --connlimit-mask 24 -j REJECT --reject-with tcp-reset
> >>
> >> cheers.
> >>
> >> x9p
> >>
> >> >> connlimit per /24. it does more good than evil.
> >> >
> >> > Any guidance on the specifics? Like how many concurrent connections to
> >> > allow per /24? Not sure what's expected from legitimate user traffic
> >> > through the relay... don't want to make things worse.
> >> > _______________________________________________
> >> > tor-relays mailing list
> >> > tor-relays at lists.torproject.org
> >> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
> >> >
> >>
> >>
> >
> >
> >
> > --
> > Regardless, I hope you're well and happy -
> > Aneesh
> >
>
>
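
Added example, not part of the original thread: the per-/24 baseline count and the "double the maximum" connlimit value described in the quoted messages, run over constructed netstat-style lines. The function names, the sample addresses (documentation ranges) and the match on a `/tor` process column are assumptions of this example.

```shell
#!/bin/sh
# Added example: per-/24 baseline and connlimit threshold from netstat-style input.

# Constructed sample in `netstat -tupan` column order (documentation IP ranges).
sample_netstat() {
    for i in 1 2 3 4 5 6 7 8 9 10; do
        echo "tcp 0 0 10.0.0.5:9001 192.0.2.$i:$((40000 + i)) ESTABLISHED 1234/tor"
    done
    for i in 1 2 3 4 5; do
        echo "tcp 0 0 10.0.0.5:9001 198.51.100.$i:$((41000 + i)) ESTABLISHED 1234/tor"
    done
    cat <<'EOF'
tcp 0 0 10.0.0.5:9001 203.0.113.7:42001 ESTABLISHED 1234/tor
tcp 0 0 10.0.0.5:9001 203.0.113.8:42002 TIME_WAIT -
tcp 0 0 10.0.0.5:22 203.0.113.9:42003 ESTABLISHED 987/sshd
tcp6 0 0 2001:db8::5:9001 2001:db8::9:42004 ESTABLISHED 1234/tor
EOF
}

# Print "count prefix/24" for ESTABLISHED tor connections read from stdin,
# keeping only prefixes with more than $1 connections (default 3).
per_24_counts() {
    awk -v min="${1:-3}" '
        $6 == "ESTABLISHED" && $7 ~ /\/tor$/ {
            split($5, hp, ":")                  # foreign address is ip:port
            if (split(hp[1], o, /\./) == 4)     # IPv4 only, as in the thread
                n[o[1] "." o[2] "." o[3] ".0/24"]++
        }
        END { for (p in n) if (n[p] > min) print n[p], p }' | sort -rn
}

# Double the connection count of the busiest /24 seen on stdin.
suggest_connlimit() {
    per_24_counts 0 | awk 'NR == 1 { print $1 * 2 }'
}

sample_netstat | per_24_counts 3
limit=$(sample_netstat | suggest_connlimit)
# Print the rule for review instead of applying it; the flags are those quoted in the thread.
printf 'iptables -A INPUT -i eth0 -p tcp -m connlimit --connlimit-above %s --connlimit-mask 24 -j REJECT --reject-with tcp-reset\n' "$limit"
```

On a live relay, feed `netstat -tupan` output into `per_24_counts` in place of `sample_netstat`, and take the baseline on a normal day as the thread advises.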