[tor-relays] Use OutboundBindAddress on multi-instance tor servers

nusenu nusenu-lists at riseup.net
Mon Feb 13 11:43:01 UTC 2023


Hi Anders,

> I'm considering not setting OutboundBindAddress on the dotsrc exit relays (
> https://metrics.torproject.org/rs.html#search/dotsrc). Wouldn't it be
> better if all outgoing connections came from the same IP (i.e do not set
> OutboundBindAddress), for the sake of making correlation analysis harder?
> Say you observe an exit connection to example.com:443. If all the dotsrc
> relays used 185.129.61.1 as src IP, you couldn't tell which of our relays
> made the connection.

There are two settings that can help you with achieving both goals at the same time:

* use the inbound IP for connections to other relays: OutboundBindAddressOR
* use a single source IP for connections exiting the network: OutboundBindAddressExit

There are other points to consider, though: if all users exit through the same IP,
will the web become less accessible for Tor users because one bad user ruined the
IP reputation for all users?


> On a related note, wrt ongoing ddos, here's something that might be useful
> to exit relay operators:
> What we observed, was tens of thousands open exit connections to a few IP

This is a known issue and there are issues on gitlab.tpo for it and 3rd party tools
for exit operators.

> One way to solve this, is to do some firewall foo, but I really don't like
> connection tracking (unnecessary CPU cycles). An alternative solution that
> works great for us, is to lower the net.ipv4.ip_local_port_range from the
> default of about 30.000 ports. E.g:
> # sysctl -w net.ipv4.ip_local_port_range="64000 65535"

I don't think that it is a good approach to set such a low hard limit for connections
to any single destination.


kind regards,
nusenu
-- 
https://nusenu.github.io
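To make the two-option suggestion above concrete, here is an added configuration example (not from the mail or from the tor project) for two exit instances on one host: each instance binds relay-to-relay traffic to its own inbound IP with OutboundBindAddressOR and all exit traffic to one shared IP with OutboundBindAddressExit. All IPs, nicknames and paths are constructed placeholders.

```text
# Added example, not from the original mail. Two exit instances on one host.
# IPs are constructed placeholders from the 203.0.113.0/24 documentation range:
# 203.0.113.10 (instance A), 203.0.113.11 (instance B), 203.0.113.1 (shared exit IP).

# --- /etc/tor/instances/a/torrc ---
Nickname                exitA
DataDirectory           /var/lib/tor-instances/a
Address                 203.0.113.10
ORPort                  203.0.113.10:9001
ExitRelay               1
# Relay-to-relay (OR) connections leave from this instance's own inbound IP,
# so other relays see a consistent address for this relay.
OutboundBindAddressOR   203.0.113.10
# Connections exiting the Tor network leave from the IP shared by all instances,
# so an observer at the destination cannot tell which instance made them.
OutboundBindAddressExit 203.0.113.1

# --- /etc/tor/instances/b/torrc ---
Nickname                exitB
DataDirectory           /var/lib/tor-instances/b
Address                 203.0.113.11
ORPort                  203.0.113.11:9001
ExitRelay               1
OutboundBindAddressOR   203.0.113.11
OutboundBindAddressExit 203.0.113.1
```

With this layout, abuse complaints and reputation blocks will be attributed to the shared exit IP only, which is the trade-off raised in the reply above.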

