[tor-relays] DoS attacks on multiple relays

Torix torix at protonmail.com
Tue Dec 5 16:06:51 UTC 2017


Me, too: 4 on 178.16.208.0/24 and 10 on 217.12.223.0/24

> -------- Original Message --------
> Subject: Re: [tor-relays] DoS attacks on multiple relays
> Local Time: December 5, 2017 7:00 AM
> UTC Time: December 5, 2017 12:00 PM
> From: valter.jansons at gmail.com
> To: tor-relays at lists.torproject.org
>
> A little relay node of a consensus around 220 checking in here. I am seeing pretty much the same as others are reporting - 11 on 188.214.30.0/24 and 10 on 217.12.223.0/24.
> The AS is called THC Projects SRL. They seem to provide VPS hosting among other things and [ipinfo.io/AS51177](https://ipinfo.io/AS51177#domains) reports that they host a lot of domains over there as well.
> Not sure how seriously one should take this, but it's interesting for sure regardless.
>
> -- 4096R/A83CE748 Valters Jansons
>
> On Tue, Dec 5, 2017 at 1:50 PM x9p <tor at x9p.org> wrote:
>
>> my second and third positions are similar:
>>
>>       9 217.12.223.0/24 (family and contact info set)
>>       8 178.16.208.0/24 (family and contact info set, too)
>>
>>> Interesting to see. I have similar stats. 10 connections from
>>> 188.214.30.0/24, second up 8 connections from 178.16.208.0/24. Thanks!
>>>
>>> On Tue, Dec 5, 2017 at 4:27 PM, x9p <tor at x9p.org> wrote:
>>>
>>>>
>>>> first measure on a good day how many connections per /24 your exit/relay
>>>> has, excluding those with 1, 2 or just 3 connections:
>>>>
>>>> # netstat -tupan | grep ESTABLISHED | grep /tor | awk '{print $5}' |
>>>>   awk -F: '{print $1}' | awk -F. '{print $1"."$2"."$3}' | sort | uniq -c |
>>>>   sort | egrep -v '      1 |      2 |      3 '
>>>>
>>>> with this information in hand, double the max of it (mine was 10
>>>> connections from 188.214.30.0/24):
>>>>
>>>>      10 188.214.30
>>>>
>>>> iptables -A INPUT -i eth0 -p tcp -m connlimit --connlimit-above 20 \
>>>>   --connlimit-mask 24 -j REJECT --reject-with tcp-reset
>>>>
>>>> cheers.
>>>>
>>>> x9p
>>>>
>>>> >> connlimit per /24. it does more good than evil.
>>>> >
>>>> > Any guidance on the specifics? Like how many concurrent connections to
>>>> > allow per /24? Not sure what's expected from legitimate user traffic
>>>> > through the relay... don't want to make things worse.
>>>> > _______________________________________________
>>>> > tor-relays mailing list
>>>> > tor-relays at lists.torproject.org
>>>> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>>>> >
>>>
>>>
>>>
>>> --
>>> Regardless, I hope you're well and happy -
>>> Aneesh
>>
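The measure-then-double procedure quoted above, as an added example that is not part of any poster's message: it counts established tor connections per IPv4 /24 from `netstat -tupan` text, doubles the largest count, and prints (does not apply) the matching connlimit rule. It goes slightly beyond the thread's pipeline by unwrapping IPv4-mapped peers (`::ffff:a.b.c.d`) and skipping native IPv6 peers, which the `awk -F:` step does not parse. The function names are hypothetical and the sample input is constructed from documentation address ranges.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Constructed `netstat -tupan` sample; addresses are documentation ranges.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:9001            0.0.0.0:*               LISTEN      812/tor
tcp        0      0 192.0.2.10:9001         198.51.100.7:41022      ESTABLISHED 812/tor
tcp        0      0 192.0.2.10:9001         198.51.100.8:41023      ESTABLISHED 812/tor
tcp        0      0 192.0.2.10:9001         198.51.100.9:55310      ESTABLISHED 812/tor
tcp        0      0 192.0.2.10:9001         203.0.113.5:40100       ESTABLISHED 812/tor
tcp6       0      0 ::ffff:192.0.2.10:9001  ::ffff:203.0.113.6:50000 ESTABLISHED 812/tor
tcp6       0      0 2001:db8::10:9001       2001:db8::1:443         ESTABLISHED 812/tor
tcp        0      0 192.0.2.10:22           198.51.100.50:60000     ESTABLISHED 640/sshd
tcp        0      0 192.0.2.10:9001         198.51.100.99:5555      TIME_WAIT   -
EOF
}

# stdin: netstat text. stdout: "<count> <a.b.c>.0/24", highest count first.
per_slash24() {
    awk '
        $6 == "ESTABLISHED" && $7 ~ /\/tor$/ {
            addr = $5
            sub(/:[0-9]+$/, "", addr)           # strip the remote port
            sub(/^::ffff:/, "", addr)           # unwrap IPv4-mapped peers
            if (split(addr, o, ".") != 4) next  # native IPv6: a /24 mask does not apply
            n[o[1] "." o[2] "." o[3] ".0/24"]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2,2
}

# stdin: per_slash24 output. stdout: twice the largest count ("double the max").
suggest_limit() {
    awk '$1 + 0 > max { max = $1 + 0 } END { if (!max) exit 1; print max * 2 }'
}

# $1 = limit, $2 = interface. Prints the rule from the thread with that limit.
connlimit_rule() {
    printf 'iptables -A INPUT -i %s -p tcp -m connlimit --connlimit-above %s ' "$2" "$1"
    printf '%s\n' '--connlimit-mask 24 -j REJECT --reject-with tcp-reset'
}

sample_netstat | per_slash24
limit=$(sample_netstat | per_slash24 | suggest_limit) && connlimit_rule "$limit" eth0
```

On a live relay, replace `sample_netstat` with `netstat -tupan` run as root, and take the baseline on a day without the anomaly, as the thread advises.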