[tor-relays] Checking dos mitigation

teor teor2345 at gmail.com
Tue Feb 13 23:25:29 UTC 2018



> On 14 Feb 2018, at 07:27, Felix <zwiebel at quantentunnel.de> wrote:
> 
> Hi everybody
> 
> I tried several setups for DoS mitigation since the DoS code is
> available and came to the following results, where I think 5) is
> promising and 2) or 3) are fine.

You can adjust these options without recompiling using the
DoS* torrc options from the man page:
https://gitweb.torproject.org/tor.git/tree/doc/tor.1.txt#n2755

Otherwise, your relay will use the options from the consensus.
If there are no options set in the consensus, your relay will
use the defaults in the code. (We are updating the defaults in
the man page, see ticket #25236.)

> 1) Drops off consensus for 1-2 hours and returns w/o hsdir:
> DOS_CC_CIRCUIT_BURST_DEFAULT 90
> DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 100
> FW: 20 connects per /32 ip, rate limited to 3 per sec.

This happened to 1/6 of my guards too; we're trying to track down
the cause in #24902.

It seems to happen by chance; otherwise, the lower settings
would cause it too.

Your firewall may be responsible, my relay went back into the
consensus once I changed my firewall.

> 2) Good (stable):
> DOS_CC_CIRCUIT_BURST_DEFAULT 50
> DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 50
> FW: 20 connects per /32 ip, rate limited to 3 per sec.
> 
> 3) Good (stable):
> DOS_CC_CIRCUIT_BURST_DEFAULT 20
> DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 20
> FW: 20 connects per /32 ip, rate limited to 3 per sec.
> 
> 4) Too conservative:
> DOS_CC_CIRCUIT_BURST_DEFAULT 10
> DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 10
> FW: 20 connects per /32 ip, rate limited to 3 per sec.
> 
> 5) Good (newly):
> DOS_CC_CIRCUIT_BURST_DEFAULT 50
> DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 50
> FW: 100 connects per /32 ip, rate limited to 15 per sec.
> 
> Some hack to grab DoS IPs, their counts and defenses shows the
> well-known ones as well as a handful of new ones. But no surprises.

T

--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
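As an added illustration of the point above (this is not code from the thread, from Felix's relay, or from tor itself): Felix's setups edit the DOS_*_DEFAULT constants in tor's source and recompile, but the same limits can be expressed as DoS* torrc options, which override the consensus parameters, which in turn override the compiled-in defaults. The script below renders his setup 5 (circuit burst 50, 50 concurrent connections, 100 connects per /32 rate-limited to 15/sec) as a torrc fragment plus the matching iptables rules, and flags the one combination a practitioner should watch for: a firewall cap lower than tor's own per-address connection limit, which means the torrc value can never take effect. Assumptions: the DoS* option names as documented in the tor man page for 0.3.3 and later, ORPort 9001, and an iptables with the connlimit and hashlimit extensions; the rules are printed for review, not applied.

```shell
#!/bin/sh
# Added example (not from the thread or from tor): turn the compile-time
# DOS_*_DEFAULT values into torrc options and firewall rules.
# Assumed: tor >= 0.3.3 option names, ORPort 9001 (change ORPORT below),
# iptables with the connlimit and hashlimit match extensions.

ORPORT=9001

# torrc lines for tor's own DoS subsystem.
#   $1 -> DoSCircuitCreationBurst         (DOS_CC_CIRCUIT_BURST_DEFAULT in dos.c)
#   $2 -> DoSConnectionMaxConcurrentCount  (DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT)
# Anything set here wins over the consensus; anything left unset comes from
# the consensus, and only if the consensus is silent from the code defaults.
torrc_dos_fragment() {
  printf 'DoSCircuitCreationEnabled 1\n'
  printf 'DoSCircuitCreationBurst %d\n' "$1"
  printf 'DoSConnectionEnabled 1\n'
  printf 'DoSConnectionMaxConcurrentCount %d\n' "$2"
}

# iptables commands (printed, not executed) limiting inbound ORPort SYNs
# per source /32, in the style of Felix's "FW:" lines:
#   $1 -> max concurrent TCP connections per source address (connlimit)
#   $2 -> max new connections per second per source address (hashlimit)
fw_rules() {
  max_conns=$1
  rate=$2
  # A source already holding more than $max_conns connections gets no new ones.
  printf 'iptables -A INPUT -p tcp --dport %d --syn -m connlimit --connlimit-above %d --connlimit-mask 32 -j DROP\n' \
    "$ORPORT" "$max_conns"
  # Up to $rate new connections per second per source are accepted...
  printf 'iptables -A INPUT -p tcp --dport %d --syn -m hashlimit --hashlimit-name tor-orport --hashlimit-mode srcip --hashlimit-upto %d/sec -j ACCEPT\n' \
    "$ORPORT" "$rate"
  # ...and further SYNs to the ORPort are dropped.
  printf 'iptables -A INPUT -p tcp --dport %d --syn -j DROP\n' "$ORPORT"
}

# Consistency check between the two layers.
#   $1 -> DoSCircuitCreationBurst (unused by the check, kept for symmetry)
#   $2 -> DoSConnectionMaxConcurrentCount
#   $3 -> firewall connlimit per /32
# If the firewall caps a source below tor's limit, tor never sees enough
# connections from one address for DoSConnectionMaxConcurrentCount to fire,
# so the torrc setting is dead configuration (setup 1 above: 100 vs 20).
check_consistency() {
  [ "$3" -ge "$2" ] && return 0
  echo "warning: firewall connlimit $3 is below DoSConnectionMaxConcurrentCount $2; tor's limit can never trigger" >&2
  return 1
}

# Render setup 5 from the thread.
torrc_dos_fragment 50 50
fw_rules 100 15
check_consistency 50 50 100
```

Pipe the torrc lines into the relay's torrc and review the iptables commands before running them as root; hashlimit keeps per-source state and a small default burst, so a single client's first few SYNs are always accepted even at 3/sec.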