[tor-relays] Fwd: Re: Bridges under DDoS

Mon Nov 23 16:18:14 UTC 2020

Forwarding to mailing list since OP has replied to my e-mail address,
and not the list.

---------- Forwarded message ----------
From: William Kane <ttallink at googlemail.com>
Date: Mon, 23 Nov 2020 16:07:39 +0000
Subject: Re: Re: [tor-relays] Bridges under DDoS
To: BRBfGWMz <brbfgwmz at concealed.company>

Dear BRBfGWMz, you can use this script I made a while ago - please
read the entire message carefully or you risk locking yourself out of
the system.

Here you go:

#!/bin/bash

IPTABLES="/usr/sbin/iptables"

# Flush all old rules and tables.

$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X

# Establish default policies.

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

# Unconditionally allow local traffic.

$IPTABLES -A INPUT -i lo -j ACCEPT

# Allow already established connections.

$IPTABLES -A INPUT -i <NETWORK_INTERFACE> -m state --state ESTABLISHED -j ACCEPT

# Allow Tor ORPort traffic.

$IPTABLES -A INPUT -i <NETWORK_INTERFACE> -p tcp --dport <YOUR_ORPORT> -j ACCEPT

Note that this is for a normal Tor relay, not a bridge - for a bridge,
just opening the inbound obfs4proxy port is enough, though.

You will have to make adjustments, namely specifying the name of your
public network interface ("ip addr" or "ifconfig", either one will
work on modern distributions). Make sure to also open the port sshd,
your SSH daemon, bound to or you will be locked out from the system
after executing the script (!).

If you are on Arch Linux, you can save the script to
/etc/iptables/iptables.rules (execute the script and then run
"iptables-save > /etc/iptables/iptables.rules", after that the only
thing left to do is to enable the according systemd service unit to
automatically load the rules on boot ("systemctl enable iptables").

If on Debian, you can specify a script to run as soon as your public
network interface reaches the "up" state, directly in your network
configuration.

Note that this will just drop unknown incoming connections (ICMP
traffic as well, so you won't be able to ping your server anymore),
usually the best measure, you could also configure it to reject
unknown TCP packets but this will generate additional outbound traffic
(which is what an attacker might want).

Please also note that if you are running a IPv6 enabled relay, you
will have to use ip6tables instead of iptables - you will also have to
allow all incoming ICMPv6 traffic through ip6tables, with plain IPv4
you don't really need to allow ICMP packets, with IPv6, it's
absolutely required.

Hope I helped, never be afraid to ask questions, I am here to help.

2020-11-22 21:12 GMT, BRBfGWMz <brbfgwmz at concealed.company>:
> Are the locations for the relays that are set up during the process of
> setting
> up relays for a single machine truely random (or pseudorandom), or is there
> any dependence on the ip/location of my desktop?
>
> On Tue, Nov 17, 2020 at 08:48 AM, William Kane <ttallink at googlemail.com>
> wrote:
>
>> If your server is not responding, no harm done (likely already done if
>
>> you have iptables set up to drop unknown (established flag not set)
>
>> incoming traffic.).
>
>>
>
>> If it's somehow maxing out your connection speed, then time to talk to
>
>> your upstream provider / hosting company - very likely they already
>
>> have anti dos equipment on their network, and many would just re-route
>
>> a customer through it until the attack stops, but it might cost you
>
>> some money.
>
>>
>
>> 2020-11-13 17:03 GMT, Jonas <jonasdietrich at ctemplar.com>:
>
>> > According to packetflow traces, roughly 26,000 unique IPv4 from 85
>> countries
>
>> > executing a SYN flood attack on TCP/9001. None of my bridges have 9001
>> open
>
>> > nor respond to this port. The attacks continue to this day.
>
>> >
>
>> > Danke.
>
>> >
>
>> > Jonas
>
>> > _______________________________________________
>
>> > tor-relays mailing list
>
>> > tor-relays at lists.torproject.org
>
>> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
>> >
>
>> _______________________________________________
>
>> tor-relays mailing list
>
>> tor-relays at lists.torproject.org
>
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
>>
>
> \-- Sent using MsgSafe.io's Free Plan Private, encrypted, online
> communication
> For everyone. https://www.msgsafe.io
>
>
>