[tor-relays] DoS mitigation

Fabian A. Santiago fsantiago at garbage-juice.com
Fri Feb 16 16:56:09 UTC 2018


Hello,

I've been browsing the list archives looking for mentions of DoS mitigation. Last night my exit relay went offline, and when I logged into it, CPU was sitting at 100%; Atlas reported mine as down, and another service I have checking uptime did as well. So I rebooted my server and it was fine.

I found this thread:


1) Drops off consensus for 1-2hours and returns w/o hsdir:
DOS_CC_CIRCUIT_BURST_DEFAULT 90
DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 100
FW: 20 connects per /32 ip, rate limited to 3 per sec.

2) Good (stable):
DOS_CC_CIRCUIT_BURST_DEFAULT 50
DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 50
FW: 20 connects per /32 ip, rate limited to 3 per sec.

3) Good (stable):
DOS_CC_CIRCUIT_BURST_DEFAULT 20
DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 20
FW: 20 connects per /32 ip, rate limited to 3 per sec.

4) Too conservative:
DOS_CC_CIRCUIT_BURST_DEFAULT 10
DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 10
FW: 20 connects per /32 ip, rate limited to 3 per sec.

5) Good (newly):
DOS_CC_CIRCUIT_BURST_DEFAULT 50
DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 50
FW: 100 connects per /32 ip, rate limited to 15 per sec.

Are these good mitigations?

What else can or should be done? Is limiting memory use helpful? I'm running on Ubuntu 16.04 and am using ufw for my firewall currently. Are there any other suggestions given my platform?

Thanks for your help.

--

Thanks,

Fabian S.

OpenPGP: 3C3FA072ACCB7AC5DB0F723455502B0EEB9070FC
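The quoted settings describe the firewall half of each configuration only in words ("20 connects per /32 ip, rate limited to 3 per sec"). As an added example that is not part of this thread or of tor's own tooling, the script below renders that description into iptables connlimit/hashlimit rules for a relay's ORPort; the port (9001), the chain name and the burst value are assumptions. With ufw, the same rules belong in /etc/ufw/before.rules with the chain set to ufw-before-input.

```shell
#!/bin/sh
# Added example, not from the original post. Turns "N connects per /32 ip,
# rate limited to R per sec" into iptables rules for an ORPort.
# Assumptions: ORPort 9001, chain INPUT (use ufw-before-input under ufw),
# hashlimit burst equal to the rate. Needs the xt_connlimit and xt_hashlimit
# modules, which stock Ubuntu 16.04 kernels ship.
set -eu

# gen_rules CHAIN PORT MAXCONN RATE BURST -> prints one iptables rule per line
gen_rules() {
    chain="$1"; port="$2"; maxconn="$3"; rate="$4"; burst="$5"
    # 1) cap concurrent connections from any single source /32 ("20 connects per /32 ip")
    printf -- '-A %s -p tcp --dport %s --syn -m connlimit --connlimit-above %s --connlimit-mask 32 -j REJECT --reject-with tcp-reset\n' \
        "$chain" "$port" "$maxconn"
    # 2) accept new connections only up to RATE per second per source IP ("rate limited to 3 per sec")
    printf -- '-A %s -p tcp --dport %s --syn -m hashlimit --hashlimit-name tor_orport --hashlimit-mode srcip --hashlimit-upto %s/sec --hashlimit-burst %s -j ACCEPT\n' \
        "$chain" "$port" "$rate" "$burst"
    # 3) SYNs above that rate fall through rule 2 and are dropped here
    printf -- '-A %s -p tcp --dport %s --syn -j DROP\n' "$chain" "$port"
}

# count_rules CHAIN PORT MAXCONN RATE BURST -> number of rules generated
count_rules() { gen_rules "$@" | wc -l | tr -d ' '; }

# apply_rules: feed each generated rule to iptables (needs root)
apply_rules() {
    gen_rules "$@" | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word-splitting the rule is intended here
        iptables $rule
    done
}

main() {
    chain="${CHAIN:-INPUT}"
    port="${ORPORT:-9001}"
    # values from the thread's "Good (stable)" configurations: 20 per /32, 3 per sec
    if [ "${APPLY:-0}" = 1 ]; then
        apply_rules "$chain" "$port" 20 3 3
    else
        echo "# rules for ORPort $port on chain $chain (set APPLY=1 to install):"
        gen_rules "$chain" "$port" 20 3 3
    fi
}

main
```

Run it as is to review the rules; `ORPORT=443 CHAIN=ufw-before-input APPLY=1 ./orport-limits.sh` installs them, after which `iptables -L -v -n` shows the per-rule counters so you can see which limit is actually firing during an event.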


More information about the tor-relays mailing list