[tor-relays] OpenBSD DoS Mitigation

Hi all,

I'm running a Tor middle/guard relay on OpenBSD. I'm wondering if there are any steps I should take to guard my relay from DoS attacks.

My thanks


_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

You should start with pf.conf(5) and look at
max-src and source-track settings.

g


On 4/14/23 23:54, null via tor-relays wrote:

Hi all,

I'm running a Tor middle/guard relay on OpenBSD. I'm wondering if there are any steps I should take to guard my relay from DoS attacks.


Thanks for the reply. What would be a reasonable per-ip rate limit (connections per second) for a Tor middle relay?

Thanks


On April 16, 2023 7:22:03 p.m. UTC, George <george@queair.net> wrote:

On 4/14/23 23:54, null via tor-relays wrote:

Hi all,

I'm running a Tor middle/guard relay on OpenBSD. I'm wondering if there are any steps I should take to guard my relay from DoS attacks.

You should start with pf.conf(5) and look at
max-src and source-track settings.

g

Hi

Thanks for the reply. What would be a reasonable per-ip rate limit
(connections per second) for a Tor middle relay?

On _FreeBSD_ the following pf settings apply for running tor in a Jail:
  # source-tracking limits: at most 50 open connections per source address,
  # and at most 5 new connections per 5 seconds from one source
  table <blockOR1> persist
  MAXSRCCONN = "50"
  MAXSRCCONNRATE = "5/5"
  # outbound NAT for the jail and inbound redirect of the ORPort into it
  nat on $IFEXT inet from $IPTOR1 to any -> $IP1
  rdr on $IFEXT inet proto tcp from !<blockOR1> to $IP1 port XXX -> $IPTOR1 port YYY
  # offenders are added to <blockOR1> and their states flushed
  pass in on $IFEXT inet proto tcp from any to $IPTOR1 port YYY \
      flags S/SA modulate state \
      (max-src-conn $MAXSRCCONN, max-src-conn-rate $MAXSRCCONNRATE, overload <blockOR1> flush)

Running Tor on host could be something like:
  table <blockOR1> persist
  MAXSRCCONN = "50"
  MAXSRCCONNRATE = "5/5"
  pass in on $IFEXT inet proto tcp from !<blockOR1> to $IPTOR1 port YYY \
      flags S/SA modulate state \
      (max-src-conn $MAXSRCCONN, max-src-conn-rate $MAXSRCCONNRATE, overload <blockOR1> flush)

The MAX* values are very tight because of the latest DoS experiences.
Feel free to adjust them to your needs.
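Since the original poster runs OpenBSD, here is the same policy written in OpenBSD pf.conf syntax (OpenBSD has no separate nat/rdr rules; this is an added example, not from the thread). The interface name, relay address and ORPort are assumptions; the 50 and 5/5 limits are the values posted above.

```pf
# OpenBSD pf.conf fragment (added example, not from the thread).
# Assumed values: external interface, relay address (documentation range), ORPort.
ext_if   = "em0"
tor_ip   = "192.0.2.10"
tor_port = "9001"
# Limits taken from the FreeBSD rules above:
# at most 50 open connections per source, at most 5 new ones per 5 seconds.
max_src_conn      = "50"
max_src_conn_rate = "5/5"

# Addresses that exceeded a limit; persists even when no rule references it.
table <blockOR1> persist

# Drop anything from a source that was overloaded into the table.
block in quick on $ext_if from <blockOR1>

# Accept new OR connections with per-source tracking. A source that exceeds
# either limit is added to <blockOR1>; "flush global" removes all of its
# existing states, not only those created by this rule.
pass in on $ext_if inet proto tcp from ! <blockOR1> to $tor_ip port $tor_port \
    flags S/SA modulate state \
    (max-src-conn $max_src_conn, max-src-conn-rate $max_src_conn_rate, \
     overload <blockOR1> flush global)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and inspect who has been overloaded with `pfctl -t blockOR1 -T show`; entries stay until removed or expired, for example with `pfctl -t blockOR1 -T expire 3600`.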