[tor-relays] connlimit: better to use "DROP" or "REJECT --reject-with tcp-reset"?

teor teor2345 at gmail.com
Tue Jan 9 05:32:52 UTC 2018

> On 6 Jan 2018, at 06:05, Zack Weinberg <zackw at cmu.edu> wrote:
>> On Fri, Jan 5, 2018 at 1:44 PM, tor <tor at anondroid.com> wrote:
>> For relay operators using iptables connlimit to mitigate DoS attacks (or increased load from new clients), is it better for the Tor network to use "DROP" rules, or should we use something like "REJECT --reject-with tcp-reset"?
> REJECT is friendlier to clients that are not misbehaving but happen to
> be caught in the crossfire, and to the Internet as a whole.
> I personally think DROP should only ever be used as a desperation
> measure when the DoS load is so high that you can't even afford to
> send RSTs.

I've tried various ways of limiting Tor's RAM and CPU.
MaxAdvertisedBandwidth was effective, as was limiting Tor's file
descriptors and DisableOOSCheck 1. MaxMemInQueues had a minor impact.

So I decided to use a firewall to limit connections.

If I send RST, a Tor client will immediately try another guard.
If I DROP, the Tor client will timeout before trying another guard.

For misbehaving clients, I want to DROP.
For regular clients, I want to RST. (Or let them connect.)

So I want to set a high connection limit, and use DROP.

I see up to 700 connections per IP, and I see normal residential
IP addresses start at around 80. I don't think that clients with more
than 100 connections per IP will get much bandwidth anyway.

I used this command:

netstat -n | grep ESTABLISHED | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | head

All the connections over 100 were at Hetzner, OVH, and Leaseweb.
(This command gives /16s for IPv6, but these clients aren't
using IPv6.)

So I set up this firewall rule:

/sbin/iptables -A INPUT -p tcp --syn ! --dport 22 -m connlimit --connlimit-above 100 -j DROP

You should replace 22 with the list of ports you use for SSH and other
important connections, just in case.

And I installed iptables-persistent to save the rules.
(It might be Debian-specific).

After I set up the firewall, the connections slowly dropped from 700
down to around 100. It only affects new connections, so it might take
a while.


Tim / teor

PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
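The counting pipeline and the connlimit rule from the message above, reworked as an added shell example (this is not code from the original post or from the Tor project). It reads "netstat -n" style lines from a constructed sample embedded in the script, strips only the trailing port so IPv6 foreign addresses are kept whole (the post's "cut -d: -f1" keeps just the first hextet for IPv6), lists the sources above a chosen threshold, and prints, without applying, the rule the post uses. The function names, the threshold argument and the sample addresses (documentation ranges) are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post. All input below is constructed.

# Constructed sample in "netstat -n" format (Linux): header lines, then
# Proto Recv-Q Send-Q Local-Address Foreign-Address State.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:9001       198.51.100.7:41002      ESTABLISHED
tcp        0      0 203.0.113.10:9001       198.51.100.7:41003      ESTABLISHED
tcp        0      0 203.0.113.10:9001       198.51.100.7:41004      ESTABLISHED
tcp        0      0 203.0.113.10:9001       192.0.2.55:51000        ESTABLISHED
tcp        0      0 203.0.113.10:9001       192.0.2.55:51001        TIME_WAIT
tcp6       0      0 2001:db8::1:9001        2001:db8:1234::9:40000  ESTABLISHED
tcp6       0      0 2001:db8::1:9001        2001:db8:1234::9:40001  ESTABLISHED
tcp        0      0 203.0.113.10:9001       203.0.113.200:2222      ESTABLISHED'

# count_established: read netstat lines on stdin and print "count address",
# highest count first. Only the trailing ":port" is removed, so an IPv6
# foreign address such as 2001:db8:1234::9 survives intact.
count_established() {
    awk '$6 == "ESTABLISHED" { addr = $5; sub(/:[0-9]+$/, "", addr); n[addr]++ }
         END { for (a in n) print n[a], a }' | sort -rn
}

# above_threshold LIMIT: print addresses with more than LIMIT established
# connections (LIMIT is a hypothetical parameter chosen for this example).
above_threshold() {
    count_established | awk -v lim="$1" '$1 > lim { print $2 }'
}

# connlimit_rule LIMIT PORT: print, but do not apply, the rule from the post,
# parameterised on the per-address limit and the excluded management port.
# Review the printed line (and extend the port exclusion to every port you
# need for administration) before feeding it to the shell.
connlimit_rule() {
    printf '/sbin/iptables -A INPUT -p tcp --syn ! --dport %s -m connlimit --connlimit-above %s -j DROP\n' "$2" "$1"
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | count_established
echo "--- sources above 2 established connections:"
printf '%s\n' "$SAMPLE" | above_threshold 2
echo "--- rule that would be applied:"
connlimit_rule 100 22
```

On the sample this reports three connections from 198.51.100.7, two from 2001:db8:1234::9 and one each from the other two sources; the TIME_WAIT line is not counted. Note that connlimit, unless given --connlimit-mask, counts per single address (/32 for IPv4, /128 for IPv6), which matches the per-address counting done here.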
