[tor-relays] DoS attacks are real (probably)

Scott Bennett bennett at sdf.org
Tue Dec 12 05:38:31 UTC 2017


Alex Xu <alex_y_xu at yahoo.ca> wrote:

> Quoting Felix (2017-12-11 17:07:30), as excerpted
> > Hi Alex
> > 
> > Great points.
> > 
> > >     conntrack -L -p tcp --dport 9001 | awk '{print $5}' | sort | uniq -c | sort -n
> > 
> > On FreeBSD one can do:
> > 
>
> yeah, the optimal rule would ban "bad IPs" after some threshold of
> connections, like "if one IP makes >1 conn/sec for at least 1 minute ban
> for 1 hour" or something. I'm hoping to fix the underlying issue in Tor
> so that low-bandwidth attacks like these are less effective.

     FWIW, the method that Felix posted should also work in DragonflyBSD
and NetBSD.  It may also work in OpenBSD, but the caveat is that the OpenBSD
project has continued to develop its implementation of pf, so I don't know
whether Felix's solution still works in OpenBSD.  The other three BSDs' pf
support has not been synchronized with that of the originating project
(OpenBSD) for many years.  Perhaps an OpenBSD tor relay operator can comment
here on this matter.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:   bennett at sdf.org   *xor*   bennett at freeshell.org  *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
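An added example, not code from anyone in this thread: it models the rule Alex sketches in the quoted reply ("if one IP makes >1 conn/sec for at least 1 minute, ban for 1 hour") as a sliding-window limiter over constructed connection events, so an operator can sanity-check the thresholds before encoding them in pf or conntrack rules. Class and parameter names, and the sample addresses, are this example's own assumptions.

```python
from collections import defaultdict, deque

class ConnRateLimiter:
    """Ban an IP that sustains > `rate` new connections/s over a sliding
    `window` (default: >1/s for 60 s) for `ban_seconds`.  Names are ours."""

    def __init__(self, rate=1.0, window=60.0, ban_seconds=3600.0):
        self.window = window
        self.ban_seconds = ban_seconds
        self.threshold = rate * window      # max connections per window
        self.events = defaultdict(deque)    # ip -> timestamps in window
        self.banned_until = {}              # ip -> time the ban expires

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:                    # ban expired: forget it
            del self.banned_until[ip]
            return False
        return True

    def connection(self, ip, now):
        """Record a new connection at `now` (s); True = allow, False = drop."""
        if self.is_banned(ip, now):
            return False
        q = self.events[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # expire old timestamps
            q.popleft()
        if len(q) > self.threshold:             # rate sustained too long
            self.banned_until[ip] = now + self.ban_seconds
            q.clear()
            return False
        return True

def simulate(events, limiter=None):
    """Replay (time, ip) pairs; return {ip: (allowed, dropped)}."""
    limiter = limiter or ConnRateLimiter()
    stats = defaultdict(lambda: [0, 0])
    for t, ip in sorted(events):
        stats[ip][0 if limiter.connection(ip, t) else 1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}

# Constructed sample: one source opening 2 conn/s for 90 s, one client
# connecting every 10 s (RFC 5737 documentation addresses).
SAMPLE_EVENTS = ([(i * 0.5, "203.0.113.7") for i in range(180)]
                 + [(i * 10.0, "198.51.100.4") for i in range(9)])
```

With the defaults, the fast source is banned the moment its 61st connection lands inside a 60-second window (30 s in), while the slow client is never touched.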