[tor-relays] Checking dos mitigation
Felix
zwiebel at quantentunnel.de
Tue Feb 13 20:27:11 UTC 2018
Hi everybody
I tried several setups for dos mitigation since the dos code is
available and came to the following results, where I think 5) is
promising and 2) or 3) are fine.
1) Drops off consensus for 1-2hours and returns w/o hsdir:
DOS_CC_CIRCUIT_BURST_DEFAULT 90
DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 100
FW: 20 connects per /32 ip, rate limited to 3 per sec.
2) Good (stable):
DOS_CC_CIRCUIT_BURST_DEFAULT 50
DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 50
FW: 20 connects per /32 ip, rate limited to 3 per sec.
3) Good (stable):
DOS_CC_CIRCUIT_BURST_DEFAULT 20
DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 20
FW: 20 connects per /32 ip, rate limited to 3 per sec.
4) Too conservative:
DOS_CC_CIRCUIT_BURST_DEFAULT 10
DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 10
FW: 20 connects per /32 ip, rate limited to 3 per sec.
5) Good (newly):
DOS_CC_CIRCUIT_BURST_DEFAULT 50
DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 50
FW: 100 connects per /32 ip, rate limited to 15 per sec.
Some hack to grab dos ips, their counts and defenses shows the well
known ones like a hand full new ones. But no surprises.
--
Cheers, Felix
More information about the tor-relays
mailing list