[tor-relays] DoS attacks on multiple relays

x9p tor at x9p.org
Wed Dec 6 02:24:26 UTC 2017


> @ x9p:
>
>> # netstat -tupan | grep ESTABLISHED | grep /tor | awk '{print $5}' \
>>     | awk -F: '{print $1}' | awk -F. '{print $1"."$2"."$3}' \
>>     | sort | uniq -c | sort | egrep -v '      1 |      2 |      3 '
>>
>> with this information in hand, double the max of it (mine was 10
>> connections from 188.214.30.0/24):
>>
>>      10 188.214.30
>>
>> iptables -A INPUT -i eth0 -p tcp -m connlimit --connlimit-above 20 \
>>     --connlimit-mask 24 -j REJECT --reject-with tcp-reset
>
> Thank you! This was extremely helpful.
>
> In our case we found a handful of IPs that had *thousands* of
> concurrent connections on several of our relays. The offending IPs
> were not in the consensus. After restarting the Tor service, these
> suspect connections come back rapidly, again across several of our
> relays. Since our relays are all in the same declared family, it is
> very difficult to see how this traffic is legitimate. If it's valid
> Tor clients, they are behaving very strangely, and in either case we
> need to limit their impact. As such we've implemented connlimits by
> /24 as suggested (with a much higher limit to err on the side of not
> rejecting valid traffic). We can already see that this has improved
> our situation.

nice to hear :)

cheers.

x9p
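Added example (not from the thread or from x9p): the same per-/24 tally as POSIX shell functions that read `netstat -tupan` output from stdin, run here on a constructed sample, plus the "double the observed maximum" connlimit value the thread suggests. The sample addresses are documentation ranges, and the resulting limit is only a starting point; the second reply raised it well above that to avoid rejecting legitimate clients.

```shell
#!/bin/sh
# Tally ESTABLISHED connections to the tor process by source /24, the way the
# pipeline in the thread does, and derive a starting --connlimit-above value.
# All functions read netstat -tupan style lines from stdin so they can be run
# against a saved capture or the constructed sample below.

# Constructed sample of `netstat -tupan` output (not a real capture).
SAMPLE_NETSTAT='tcp 0 0 203.0.113.10:9001 198.51.100.7:51234 ESTABLISHED 1234/tor
tcp 0 0 203.0.113.10:9001 198.51.100.9:40001 ESTABLISHED 1234/tor
tcp 0 0 203.0.113.10:9001 198.51.100.20:40002 ESTABLISHED 1234/tor
tcp 0 0 203.0.113.10:9001 192.0.2.44:33000 ESTABLISHED 1234/tor
tcp 0 0 203.0.113.10:9001 192.0.2.45:33001 TIME_WAIT -
tcp 0 0 203.0.113.10:22 192.0.2.99:55555 ESTABLISHED 777/sshd
tcp 0 0 203.0.113.10:9001 198.51.100.8:40003 ESTABLISHED 1234/tor'

# Print "<count> <a.b.c>" for each /24 with ESTABLISHED connections to tor,
# highest count first. One awk pass replaces the grep/awk/sort/uniq chain.
count_by_24() {
    awk '$6 == "ESTABLISHED" && $7 ~ /\/tor$/ {
            split($5, ip, ":")            # drop the foreign port
            n = split(ip[1], o, ".")      # dotted quad -> octets
            if (n == 4) counts[o[1] "." o[2] "." o[3]]++
         }
         END { for (k in counts) print counts[k], k }' | sort -rn
}

# Only the /24s above a threshold (default 3, matching the egrep -v filter
# in the thread that hides counts of 1, 2 and 3).
above_threshold() {
    t="${1:-3}"
    count_by_24 | awk -v t="$t" '$1 > t'
}

# Largest per-/24 count seen in the input.
max_count() {
    count_by_24 | head -n 1 | awk '{print $1}'
}

# Starting point for --connlimit-above: twice the observed maximum.
suggested_connlimit() {
    m=$(max_count)
    echo $((m * 2))
}

# The connlimit rule from the thread with the derived value filled in
# (printed, not applied).
connlimit_rule() {
    echo "iptables -A INPUT -i eth0 -p tcp -m connlimit --connlimit-above $(suggested_connlimit) --connlimit-mask 24 -j REJECT --reject-with tcp-reset"
}

printf '%s\n' "$SAMPLE_NETSTAT" | above_threshold 3
```

On a live relay, replace the sample with `netstat -tupan | above_threshold 3` and review the listed networks against the consensus before deciding on a limit.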