[tor-relays] DDOS alerts from my provider

Scott Bennett bennett at sdf.org
Thu Jul 11 07:38:34 UTC 2024


"Rafo (r4fo.com) via tor-relays" <tor-relays at lists.torproject.org> wrote:

> More specifically, I'm running a middle relay on Debian 12
>
> ---- On Tue, 09 Jul 2024 13:46:51 +0200 lists at for-privacy.net <lists at for-privacy.net> wrote ----
>
> > On Monday, 8 July 2024 19:34:51 CEST Rafo (r4fo.com) via tor-relays wrote:
> > > But this week I've received 2 DDoS alerts from my provider
> > > (Netcup), both are ~3 gigabits. They seem to be coming from other Tor
> > > relays. I'm running an Invidious like instance on my server (which uses
> > > around 600 megabits) but I have a 2.5 gigabit port. So I configured my Tor
> > > relay to use 300-400 megabits. I'm not sure where that 3 gigabit of data
> > > comes from. I have lowered my advertised bandwidth to 100 megabits, would
> > > that be enough to prevent these kinds of issues?
> > > Kind regards,
> > > Rafo
> >
> > Reducing the advertised bandwidth does not help. ;-) In general, one tor
> > instance will rarely reach 100 megabits.
> >
> > There is little you can do on the server against targeted DDoS. But you can
> > stop IPs with a lot of connections to your tor daemon using dynamic exit
> > policy[1] or dyn. IP/nftable rules[2]. For targeted help, you should specify the
> > type of relay you have and your OS.
> >
> > https://gitlab.torproject.org/tpo/community/support/-/issues/40093
> > [1] https://github.com/artikel10/surgeprotector
> > [2] https://forum.torproject.org/t/is-tor-network-resistant-to-tcp-syn-flood-dos-attacks-from-outside-of-tor/12690/4
> >
> > --
> > Ciao Marco!
> >
> > Debian GNU/Linux
> >
> > It's free software and it gives you freedom!
>
     Depending upon the features of the packet filter(s) available to you on
your operating system, there may be one or more options that can help defend
your relay.  For example, all of the main FOSS *BSD systems today have some
version of the pf packet filter subsystem available as well as others.  One
option available in pf for TCP is synproxy.  This excerpt from the pf.conf(5)
man page in FreeBSD tells how it works.

   -----------------------------------------------------------------------
SYN PROXY

     By default, pf(4) passes packets that are part of a tcp(4) handshake
     between the endpoints.  The synproxy state option can be used to cause
     pf(4) itself to complete the handshake with the active endpoint, perform
     a handshake with the passive endpoint, and then forward packets between
     the endpoints.

     No packets are sent to the passive endpoint before the active endpoint
     has completed the handshake, hence so-called SYN floods with spoofed
     source addresses will not reach the passive endpoint, as the sender can't
     complete the handshake.

     The proxy is transparent to both endpoints, they each see a single
     connection from/to the other endpoint.  pf(4) chooses random initial
     sequence numbers for both handshakes.  Once the handshakes are completed,
     the sequence number modulators (see previous section) are used to
     translate further packets of the connection.  synproxy state includes
     modulate state.

     Rules with synproxy will not work if pf(4) operates on a bridge(4).

     Example:

           pass in proto tcp from any to any port www synproxy state

   -----------------------------------------------------------------------

     My understanding is that LINUX systems do not have pf, but rather have a
less flexible filter called iptables.  Whether iptables or any other packet
filter that may be available on LINUX systems has synproxy or a similar feature
I do not know, but I'm posting this to make novice *BSD users who run tor
relays aware of it.  IMHO, synproxy or its equivalents in other filters (if
they exist) should always be applied to filter rules for at least the ports
that tor listens on and are exposed to the outside world (e.g., ORPort and
DirPort).
     Of course, although synproxy helps defend a tor relay (or a web server or
database or whatever), it doesn't stop what arrives at your ISP from outside.


                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:   bennett at sdf.org   *xor*   bennett at freeshell.org  *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
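As an added illustration (not part of Scott's post and not the Tor project's own configuration), here is a minimal FreeBSD pf.conf fragment that applies synproxy state to a relay's ORPort and DirPort, combined with pf's per-source connection limits to flag addresses that open too many connections, as suggested in the quoted reply. The interface name em0, the port numbers 9001 and 9030, and the limit values are assumptions; tune them to your relay.

```pf
# Added example pf.conf fragment for a FreeBSD Tor relay (assumptions:
# external interface em0, ORPort 9001, DirPort 9030; not from the post).
ext_if    = "em0"
tor_ports = "{ 9001, 9030 }"

# Addresses that exceeded the per-source limits below land here.
# Clear it periodically, e.g. from cron: pfctl -t tor_abusers -T expire 3600
table <tor_abusers> persist

set skip on lo0

# Drop anything from addresses already flagged as abusive.
block in quick on $ext_if from <tor_abusers>

# Tor listeners: pf completes the TCP handshake itself (synproxy), so a
# spoofed SYN flood never reaches the tor daemon; synproxy state also
# implies modulate state.  max-src-conn caps simultaneous connections
# from one source, max-src-conn-rate caps new connections per interval
# (here 30 per 10 seconds); a source that exceeds either is added to
# <tor_abusers> and its existing states matching this rule are flushed.
pass in on $ext_if proto tcp from any to ($ext_if) port $tor_ports \
    synproxy state (max-src-conn 50, max-src-conn-rate 30/10, \
    overload <tor_abusers> flush)

# Connections the relay itself opens to other relays and directories.
pass out on $ext_if proto tcp from ($ext_if) to any keep state
```

Reload with `pfctl -f /etc/pf.conf` and watch `pfctl -t tor_abusers -T show` and `pfctl -si` to confirm the limits are not tripping on legitimate relay peers before lowering them further.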

