[tor-relays] connlimit: better to use "DROP" or "REJECT --reject-with tcp-reset"?

teor teor2345 at gmail.com
Mon Jan 15 03:21:43 UTC 2018


> On 10 Jan 2018, at 16:39, teor <teor2345 at gmail.com> wrote:
> 
> Hi,
> 
> Still having load trouble on your relay?
> Try dropping rapid connection attempts.
> 
>> On 9 Jan 2018, at 16:32, teor <teor2345 at gmail.com> wrote:
>> 
>> I've tried various ways of limiting Tor's RAM and CPU.
>> MaxAdvertisedBandwidth was effective, as was limiting Tor's file
>> descriptors and DisableOOSCheck 1. MaxMemInQueues had a minor impact.
>> 
>> So I decided to use a firewall to limit connections.
>> 
>> ...
>> 
>> So I set up this firewall rule:
>> 
>> /sbin/iptables -A INPUT -p tcp --syn ! --dport 22 -m connlimit --connlimit-above 100 -j DROP
>> 
>> You should replace 22 with the list of ports you use for SSH and other
>> important connections, just in case.
>> 
>> ...
> 
> This worked well, but Tor was still using a lot of CPU with its OOS checks.
> And it was using 4GB of RAM, which is good, but not sustainable on my machine.
> 
> Today, I added these firewall rules to drop rapid connection attempts
> from the same IP address, even if there are under 100 connections:
> 
> iptables -I INPUT -p tcp --syn ! --dport 22 -m state --state NEW -m recent --set
> iptables -I INPUT -p tcp --syn ! --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 100 -j DROP
> 
> They drop connection attempts after there have been 100 attempts in a minute.
> So if there were 100 clients, that would be 1 connection per client per minute.
> 
> This reduced Tor's CPU usage and OOS warnings within a few minutes.
> I'm hoping RAM will go down over time.
> 
> I made the rules permanent using:
> 
> iptables-save > /etc/iptables/rules.v4
> 
> This might be Debian-specific.

I tried a few configs over the past week.

Now I have:
* MaxMemInQueues 2 GB
* 15000 file descriptors per tor instance
* DisableOOSCheck 0
* A limit of 20 established connections per IP
* A limit of 6 connection attempts per IP per minute

I left this over the weekend, and my relays are stable, and using:
* 3 GB - 6 GB RAM
* 5000 - 11000 file descriptors
* 50 - 120% CPU

They are also not logging too many OOS warnings or other warnings,
apart from the normal "assign to cpuworker failed" and "attempt to
establish rendezvous".

Thanks to everyone for your suggestions in this and other threads.

We are also working on a few different ways to limit the load in Tor.

T

--
Tim / teor

PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
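The two limits described in this message (a cap on established connections per source IP via connlimit, and a cap on new connection attempts per IP per minute via the recent match) as one parameterised script. This is an added example, not code from the thread; it assumes iptables with the multiport, connlimit, state and recent match extensions, and the rule name `tor-syn` and the variable names are its own.

```shell
#!/bin/sh
# Added example, not from the thread. Emits (or, with IPTABLES=/sbin/iptables,
# installs) the connection-count and connection-rate limits the author uses.
# IPTABLES defaults to "echo" so the rules are only printed.
IPTABLES="${IPTABLES:-echo}"

# $1 ports to exempt (comma-separated, e.g. SSH), $2 max established per IP,
# $3 max SYNs per IP per window, $4 window in seconds,
# $5 target: DROP (the author's choice) or "REJECT --reject-with tcp-reset"
tor_limit_rules() {
    exempt="$1"; conns="$2"; hits="$3"; secs="$4"; target="${5:-DROP}"

    # Cap on established connections per /32 source address, checked on SYN.
    $IPTABLES -A INPUT -p tcp --syn -m multiport ! --dports "$exempt" \
        -m connlimit --connlimit-above "$conns" --connlimit-mask 32 -j $target

    # Record every new SYN per source (--set), then act on sources that sent
    # $hits or more SYNs within $secs seconds (--update). With -A the --set
    # rule is evaluated first, so a SYN is counted before it is judged; the
    # author's pair of -I rules ends up in the reverse order, which works too.
    $IPTABLES -A INPUT -p tcp --syn -m multiport ! --dports "$exempt" \
        -m state --state NEW -m recent --name tor-syn --set
    $IPTABLES -A INPUT -p tcp --syn -m multiport ! --dports "$exempt" \
        -m state --state NEW -m recent --name tor-syn \
        --update --seconds "$secs" --hitcount "$hits" -j $target
}

# The settings the author reports as stable: port 22 exempt, 20 established
# connections per IP, 6 attempts per IP per minute. After applying for real,
# persist with: iptables-save > /etc/iptables/rules.v4
tor_limit_rules 22 20 6 60 DROP
```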