[tor-relays] DDOS alerts from my provider

boldsuck lists at for-privacy.net
Tue Aug 20 13:15:32 UTC 2024


On Sunday, 14 July 2024 15:54:45 CEST Toralf Förster via tor-relays wrote:
> On 7/12/24 00:14, boldsuck wrote:
> > The idea is not bad. But can you simply discard every ≤ 50byte packet?
> 
> Probably not
> 
> > I drop fragments and uncommon TCP MSS values.
> > ip frag-off & 0x1fff != 0 counter drop
> 
> IIUC then using conntrack via iptables means that this filter cannot be
> implemented, right?

I have the above rule in 'chain ingress', and
later in 'chain prerouting' & 'chain input' I have ct rules. Bo and I
(https://gitlab.torproject.org/tpo/community/support/-/issues/40093)
used this nftables skeleton from the blog below for our rules.

> > tcp flags syn tcp option maxseg size 1-536 counter drop
> 
> Is 536 == 514 + 22 (Tor packet size + ip header) ? It is my
> understanding that Tor send out TCP/IP small packets beside the 514
> bytes sized.

So my nftables skeleton came from the discussion on this blog:
https://samuel.forestier.app/blog/security/nftables-hardening-rules-and-good-practices

Quote about MSS is there:
"According to https://en.wikipedia.org/wiki/Maximum_segment_size
the default TCP Maximum Segment Size is 536 octets (bytes)."

-- 
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!
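The layout Marco describes (stateless fragment and MSS checks in an ingress chain, conntrack-based rules later in prerouting and input) written out as one ruleset. This is an added example, not the poster's actual configuration and not the skeleton from the linked blog; the interface name eth0, the chain priorities and the ORPort 9001 are assumptions. The ingress hook runs before conntrack has seen the packet, which is why `ct` expressions cannot go there and why the two rule sets are split across tables the way the mail says.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset (not from the thread). Assumptions: interface eth0,
# ORPort 9001, chain priorities chosen here.
flush ruleset

table netdev filter {
    # The ingress hook sits before conntrack, so only stateless matches belong
    # here; anything needing 'ct state' must wait for prerouting/input.
    chain ingress {
        type filter hook ingress device "eth0" priority -500; policy accept;

        # IPv4 fragments: non-zero fragment offset. Tor carries only TCP,
        # so a relay has no legitimate use for fragmented traffic.
        ip frag-off & 0x1fff != 0 counter drop
        # IPv6 fragments arrive as an extension header instead.
        exthdr frag exists counter drop

        # SYNs that explicitly advertise an MSS at or below the 536-byte
        # default. This only matches when the MSS option is present; a SYN
        # without the option is left alone.
        tcp flags syn tcp option maxseg size 1-536 counter drop
    }
}

table inet filter {
    chain prerouting {
        # conntrack hooks prerouting at -200; at -150 'ct state' is usable.
        type filter hook prerouting priority -150; policy accept;
        ct state invalid counter drop
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # ORPort (9001 is a placeholder, not a value from the thread)
        tcp dport 9001 ct state new counter accept
        icmp type echo-request limit rate 10/second accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, echo-request } accept
    }
}
```

Load it with `nft -c -f file.nft` first to syntax-check without applying, then watch the `counter` values with `nft list ruleset` to confirm the ingress rules are actually matching the traffic the provider's alerts complain about before tightening anything further.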