[tor-relays] Detecting Network Attack [re: exit synflooded]

grarpamp grarpamp at gmail.com
Sun Nov 26 08:14:52 UTC 2017


> kernel: nf_conntrack: table full, dropping packet

If rules are dropping exit traffic based on other than
traffic content, it's very hard to say other users are
not adversely affected with the same, likely quite
unsophisticated, hammer.
And doing it based on content usually comes with
major legal hurdles, besides being arbitrary.
And both ways can get you dropped with badexit flag.
Further, kernel dropping of packets is not signaled back
into tor daemons for exitpolicy management therein,
much less back to clients to avoid the censorship.
And dropped packets hurt performance.
Exitpolicy reject is the preferred method.
Don't like the exit traffic, don't advertise to clients
that you will carry it outbound in the first place.

Please move this talk about tor exit traffic to a new thread
or put it back to the first one where it came from.
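The post's point is that outbound filtering on an exit should be advertised as ExitPolicy reject lines rather than silently enforced by netfilter drops. As an added example (not from the post or from the Tor project), here is a small Python script that reads a constructed iptables-save fragment for the OUTPUT chain and emits the torrc lines that would advertise the same rejections to clients. It only understands -p, -d, --dport and --dports; anything else in a rule is ignored, and UDP rules are reported separately because a Tor exit only carries TCP, so there is nothing to advertise for them. The sample rules, the function names and the regex are assumptions for illustration.

```python
import re
import shlex

# Constructed sample of `iptables-save` OUTPUT rules on an exit relay
# (illustrative input, not taken from the post).
SAMPLE_RULES = """
-A OUTPUT -p tcp -m tcp --dport 25 -j DROP
-A OUTPUT -p tcp -m multiport --dports 6881:6889,6969 -j DROP
-A OUTPUT -d 10.0.0.0/8 -j DROP
-A OUTPUT -p udp -m udp --dport 53 -j DROP
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
"""

# Shape of a torrc ExitPolicy line: accept|reject ADDR[/MASK]:PORT[-PORT], with * wildcards.
POLICY_RE = re.compile(r"^ExitPolicy (accept|reject) (\*|\d+(?:\.\d+){3}(?:/\d+)?):(\*|\d+(?:-\d+)?)$")


def parse_rule(line):
    """Return (proto, dest, ports, target) for one OUTPUT rule, or None if not an OUTPUT rule."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A" or toks[1] != "OUTPUT":
        return None
    proto, dest, ports, target = None, "*", [], None
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "-p":
            proto = toks[i + 1]
            i += 2
        elif t == "-d":
            dest = toks[i + 1]
            i += 2
        elif t == "--dport":
            ports.append(toks[i + 1])
            i += 2
        elif t == "--dports":
            ports.extend(toks[i + 1].split(","))
            i += 2
        elif t == "-j":
            target = toks[i + 1]
            i += 2
        else:
            i += 1  # matches/flags we do not translate (-m, -o, ...)
    return proto, dest, ports, target


def to_exit_policy(rules_text):
    """Translate OUTPUT DROP rules into ExitPolicy reject lines.

    Returns (policy_lines, skipped_rules). Reject lines come first because
    tor evaluates ExitPolicy first-match; the trailing accept *:* is the
    catch-all that makes the relay an exit at all.
    """
    policy, skipped = [], []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line:
            continue
        parsed = parse_rule(line)
        if parsed is None:
            continue
        proto, dest, ports, target = parsed
        if target != "DROP":
            continue  # only drops need to be advertised as rejects
        if proto not in (None, "tcp"):
            skipped.append(line)  # Tor exits never carry UDP; no policy equivalent
            continue
        if not ports:
            policy.append(f"ExitPolicy reject {dest}:*")
        for p in ports:
            # iptables writes port ranges as a:b, torrc as a-b
            policy.append(f"ExitPolicy reject {dest}:{p.replace(':', '-')}")
    policy.append("ExitPolicy accept *:*")
    return policy, skipped


def is_valid_policy_line(line):
    """Cheap syntax check before the lines go into torrc."""
    return POLICY_RE.match(line) is not None


if __name__ == "__main__":
    lines, skipped = to_exit_policy(SAMPLE_RULES)
    print("\n".join(lines))
    for s in skipped:
        print(f"# no ExitPolicy equivalent (non-TCP): {s}")
```

After pasting the output into torrc, `tor --verify-config -f /etc/tor/torrc` will catch syntax the regex above does not. Note that private ranges such as 10.0.0.0/8 are already covered by ExitPolicyRejectPrivate, which is on by default, so that line is redundant rather than wrong; the point of the script is only that whatever the kernel would have dropped is now something clients can see in the descriptor and route around.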

