Filtering out attacks?

Jonathan D. Proulx jon at csail.mit.edu
Mon May 16 15:33:49 UTC 2005



It seems certain types of attacks being proxied through TOR can be
profiled and blocked, for example syn floods.

For inbound attacks on my Linux systems I can setup iptables limit
mechanisms to eliminate most stupid TCP DoS tricks.  I'd though at
first it would be simple to turn this around from INPUT rules to
OUTPUT and thus cut down on complaints for clearly illicit traffic
through my exit node.

As soon as I sat down to write this however I discovered I can't
really just banket limit outbound syn's.  What I want is a per flow
limit. This brings up several problems.

On the policy level I can't really determine a flow as multiple
originators can be coming in from the same middle hop to the same
popular site, so what is a reasonable limit on the number of syn's to
allow per unit time?

On the practical level how do I define a per-flow rule on linux such
that for any unique destination IP only allow  --limit N/s
--limit-burst 5N?

I guess the bigger policy question is does filtering of this sort (and
posibly scan blocking as well) fit with TOR philosophically?

-Jon



More information about the tor-talk mailing list