[tor-relays] connlimit: better to use "DROP" or "REJECT --reject-with tcp-reset"?

Zack Weinberg zackw at cmu.edu
Fri Jan 5 19:05:28 UTC 2018

On Fri, Jan 5, 2018 at 1:44 PM, tor <tor at anondroid.com> wrote:
> For relay operators using iptables connlimit to mitigate DoS attacks (or increased load from new clients), is it better for the Tor network to use "DROP" rules, or should we use something like "REJECT --reject-with tcp-reset"?

REJECT is friendlier to clients that are not misbehaving but happen to
be caught in the crossfire, and to the Internet as a whole.

I personally think DROP should only ever be used as a desperation
measure when the DoS load is so high that you can't even afford to
send RSTs.
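The two rule variants the thread compares, side by side, as an added example that is not from the thread or from either poster; the ORPort number, the per-source limit and the chain placement are assumed, constructed values:

```shell
#!/bin/sh
# Added example, not from the thread: connlimit rules for a Tor relay's
# ORPort that answer excess connections with a TCP RST (the option the
# reply recommends), with DROP kept only as the fallback it describes.
# Assumed, constructed values: ORPort 9001 and at most 8 concurrent
# connections per source address; tune both for your relay.
# DRY_RUN defaults to 1 so the script only prints commands; set DRY_RUN=0
# to apply them (needs root and iptables).
DRY_RUN="${DRY_RUN:-1}"

# Print the rule specification (the part after "iptables -A INPUT") for
# one ORPort. $1 = port, $2 = per-source limit, $3 = "reject" or "drop".
connlimit_rule() {
    port="$1"; limit="$2"; action="$3"
    case "$action" in
        reject) target="REJECT --reject-with tcp-reset" ;;
        drop)   target="DROP" ;;
        *) printf 'unknown action: %s\n' "$action" >&2; return 1 ;;
    esac
    # --syn: only new connection attempts are judged, so circuits already
    # established through the relay are never torn down by this rule.
    # --connlimit-mask 32: count per individual IPv4 address (for IPv6
    # use ip6tables with a /64 mask, since one host may hold many addresses).
    printf '%s\n' "-p tcp --syn --dport $port -m connlimit --connlimit-above $limit --connlimit-mask 32 -j $target"
}

# Apply the rule, or print the command when DRY_RUN=1.
apply_connlimit() {
    spec=$(connlimit_rule "$@") || return 1
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables -A INPUT %s\n' "$spec"
    else
        # $spec is deliberately unquoted: it must split into arguments.
        iptables -A INPUT $spec
    fi
}

# Normal operation: reset excess connections so well-behaved clients
# learn immediately that the attempt failed instead of waiting on a
# timeout.
apply_connlimit 9001 8 reject
# Desperation only: when the load is so high that sending RSTs is itself
# too expensive, swap in the silent variant.
apply_connlimit 9001 8 drop
```

Run it as-is to see both commands; only one of the two rules should actually be loaded at a time, since the first match wins.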


