[tor-relays] An attempt to block spam ip addresses

Issue 40636 and others deal with DDoS / concurrent connections. Here are a
few numbers from my attempt [1] over the last few days to block such IP
addresses. The stats are from 2 relays running at the same IP.

Currently there are 700 IP addresses (15 IPv6) caught in the denylist.
Those either opened >4 connections to the same ORPort and/or produced
>12 new connection attempts within 5 minutes to the ORPort.

Those systems do re-appear quickly if the denylist is flushed.

Within one hour over 500K packets, mainly TCP connection attempts, are
dropped.

Furthermore the number of used sockets on the system is reduced from
>35K to about 21K.

Nevertheless both relays spew the warnings "Your computer is too slow"
and "General overload" from time to time. I do assume that this is a
layer 7 problem and therefore can't be fixed at layer 3.

The filter is built from iptables. Scripts for IPv4 and IPv6 can be
found under [2] and [3] respectively.
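As an added illustration (not the torutils scripts linked below), here are the two triggers described in the post expressed as iptables/ipset rules for IPv4; the ORPort 9001, the set name tor-ddos and the 30-minute ban timeout are assumptions, and the function prints the commands rather than applying them so they can be reviewed first.

```shell
#!/usr/bin/env bash
# Example only: emit iptables/ipset commands that mirror the two denylist
# triggers from the post (>4 concurrent connections to the ORPort, or >12
# new connection attempts within 5 minutes). Assumptions: ipset plus the
# connlimit and recent match extensions are available; ORPort 9001 and the
# set name "tor-ddos" are placeholders.
set -u

# tor_ddos_rules <orport> [max_conns] [max_new] [window_s] [ban_s]
tor_ddos_rules() {
  orport=$1; max_conns=${2:-4}; max_new=${3:-12}; window=${4:-300}; ban=${5:-1800}
  # recent's --hitcount must stay <= ip_pkt_list_tot (default 20)
  hits=$((max_new + 1))
  cat <<EOF
# denylist with automatic expiry; systems that come back are simply re-added
ipset create tor-ddos hash:ip family inet timeout $ban -exist
# 1. drop all packets from addresses already caught
iptables -A INPUT -m set --match-set tor-ddos src -j DROP
# 2. more than $max_conns concurrent connections to the ORPort -> denylist
iptables -A INPUT -p tcp --syn --dport $orport -m connlimit --connlimit-above $max_conns --connlimit-mask 32 -j SET --add-set tor-ddos src --exist
# 3. more than $max_new new connection attempts within ${window}s -> denylist
iptables -A INPUT -p tcp --syn --dport $orport -m recent --name tor-ddos-rate --rsource --update --seconds $window --hitcount $hits -j SET --add-set tor-ddos src --exist
iptables -A INPUT -p tcp --syn --dport $orport -m recent --name tor-ddos-rate --rsource --set
# 4. anything that passed both checks is treated as a normal client
iptables -A INPUT -p tcp --syn --dport $orport -j ACCEPT
EOF
}

# number of iptables rules generated for a given ORPort (used for self-checks)
rule_count() { tor_ddos_rules "$1" | grep -c '^iptables'; }

# print the rule set for the ORPort given on the command line (default 9001)
tor_ddos_rules "${1:-9001}"
```

The IPv6 variant is the same with ip6tables, `family inet6` and `--connlimit-mask 128`; rule 1 must stay above the per-port rules so caught addresses never reach the rate counters again.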

[1] reports that relays not obeying DoSConnectionMaxConcurrentCount (#40636) · Issues · The Tor Project / Core / Tor · GitLab
[2] torutils/ipv4-rules.sh at main · toralf/torutils · GitHub
[3] torutils/ipv6-rules.sh at main · toralf/torutils · GitHub


--
Toralf
_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays