[tor-relays] Short heads up (was: Re: Another attempt against Tor DDoS)

Hi friends,

I made some smaller tweaks over the last few hours which should especially help relays on nearly OOM or thrashing situations (making use of Zswap + MGLRU if available).

The rules themselves are just the same, so no changes there.

Merry Christmas,
Frank


------- Original Message -------
On Sunday, December 4th, 2022 at 11:25 PM, Frank Steinborn <steinex@nognu.de> wrote:

Hi,

I want to show you my anti-DDoS solution for my relays (as well ;-). It works without ipset, but with a mix of the recent and hashlimit iptables modules.

What it does:
* If one IP address tries to make 7 SYN connection attempts per second, they are locked out for 300 seconds. If they try another connection in that timeframe, the timer is reset and they are locked out for another 300 seconds.
* There are no more SYNs allowed if 4 connections are already in use to the ORPort.

It works very well for me. Other solutions are far more aggressive, but I feel my solution works perfectly against the attacks, even if they are not that aggressive.

On top of that, I feel it's easier to implement into one's existing firewall solution.

You can find the repo here: GitHub - steinex/tor-ddos: Attempt to help against the ongoing Tor DDoS attacks

Feel free to give it a shot and feedback would be much appreciated!

Greetings,
steinex

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
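The two behaviours steinex describes (ban a source for 300 seconds once it sends 7 SYNs per second, refreshing the timer on every further attempt, and refuse new SYNs once 4 connections to the ORPort are already open) map onto the `recent`, `hashlimit` and `connlimit` iptables match modules. The script below is an added example written for this thread, not the rules from the steinex/tor-ddos repository; the ORPort number, the chain name `TOR_DDOS`, the list name `tor_ban` and the burst value are assumptions. It prints the rules first so they can be reviewed, and only applies them when called with `apply` as root.

```shell
#!/bin/sh
# Added example reproducing the behaviour described in the post with
# iptables match modules. Not the tor-ddos project's own rule set.
ORPORT="${ORPORT:-9001}"   # assumed ORPort; override with ORPORT=... in the environment
SYN_RATE="7/second"        # from the post: 7 SYN attempts per second per source IP
BAN_SECONDS=300            # from the post: 300 second lockout
MAX_CONNS=4                # from the post: no new SYNs above 4 open connections
CHAIN="TOR_DDOS"           # assumed chain name
BANLIST="tor_ban"          # assumed name of the recent-module list

# Emit the rules one per line. Lines starting with '#' are comments for review.
tor_ddos_rules() {
    cat <<EOF
iptables -N ${CHAIN}
# Only SYN packets towards the ORPort go through the filter chain.
iptables -A INPUT -p tcp --dport ${ORPORT} --syn -j ${CHAIN}
# 1. Already banned: --update refreshes the timestamp, so each new attempt
#    restarts the ${BAN_SECONDS}s timer; --reap drops expired entries.
iptables -A ${CHAIN} -m recent --name ${BANLIST} --update --seconds ${BAN_SECONDS} --reap -j DROP
# 2. More than ${MAX_CONNS} connections from this source to the ORPort: no further SYNs.
iptables -A ${CHAIN} -m connlimit --connlimit-above ${MAX_CONNS} --connlimit-mask 32 -j DROP
# 3. SYN rate per source above ${SYN_RATE}: put the source on the ban list and drop.
iptables -A ${CHAIN} -m hashlimit --hashlimit-name tor_syn --hashlimit-mode srcip --hashlimit-above ${SYN_RATE} --hashlimit-burst 7 -m recent --name ${BANLIST} --set -j DROP
# 4. Everything else continues through the normal INPUT policy.
iptables -A ${CHAIN} -j RETURN
EOF
}

# Number of iptables commands the rule set contains (useful as a sanity check).
tor_ddos_rule_count() {
    tor_ddos_rules | grep -c '^iptables'
}

# Usage: ./tor-ddos-example.sh        -> print the rules for review
#        ./tor-ddos-example.sh apply  -> install them (needs root and iptables)
if [ "${1:-}" = "apply" ]; then
    tor_ddos_rules | grep -v '^#' | sh
else
    tor_ddos_rules
fi
```

The ban rule is deliberately placed before the rate rule: a banned source that keeps retrying never reaches the hashlimit counter, but every retry refreshes its entry in the `recent` list, which is the "timer is reset" behaviour from the post. Removing the ban is `iptables -D INPUT -p tcp --dport 9001 --syn -j TOR_DDOS` followed by flushing and deleting the chain, and the current ban list can be inspected in `/proc/net/xt_recent/tor_ban`.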


Hi friends,

I made some smaller tweaks over the last few hours which should especially help relays on nearly OOM or thrashing situations (making use of Zswap + MGLRU if available).

The rules themselves are just the same, so no changes there.

I had an exit relay which was constantly DDoSed. Instance CPU usage was 40%.

Had the IP changed (for another reason, though) and it didn't go away; the DDoS targeted that particular fingerprint. That server had two relays, one fortunately unaffected.

I ended up just changing the fingerprint for the affected one. Now I have to wait for the ramp-up phase, yay!

Merry Christmas,
Frank

Best,

Neel


On 2022-12-25 00:27, Frank Steinborn via tor-relays wrote:

------- Original Message -------
On Sunday, December 4th, 2022 at 11:25 PM, Frank Steinborn <steinex@nognu.de> wrote:

Hi,

I want to show you my anti-DDoS solution for my relays (as well ;-). It works without ipset, but with a mix of the recent and hashlimit iptables modules.

What it does:
* If one IP address tries to make 7 SYN connection attempts per second, they are locked out for 300 seconds. If they try another connection in that timeframe, the timer is reset and they are locked out for another 300 seconds.
* There are no more SYNs allowed if 4 connections are already in use to the ORPort.

It works very well for me. Other solutions are far more aggressive, but I feel my solution works perfectly against the attacks, even if they are not that aggressive.

On top of that, I feel it's easier to implement into one's existing firewall solution.

You can find the repo here: GitHub - steinex/tor-ddos: Attempt to help against the ongoing Tor DDoS attacks

Feel free to give it a shot and feedback would be much appreciated!

Greetings,
steinex



Neel Chauhan:

Hi friends,

I made some smaller tweaks over the last few hours which should especially help relays on nearly OOM or thrashing situations (making use of Zswap + MGLRU if available).

The rules themselves are just the same, so no changes there.

I had an exit relay which was constantly DDoSed. Instance CPU usage was 40%.

Had the IP changed (for another reason, though) and it didn't go away; the DDoS targeted that particular fingerprint. That server had two relays, one fortunately unaffected.

I ended up just changing the fingerprint for the affected one. Now I have to wait for the ramp-up phase, yay!

Interesting. What was the old fingerprint? Were the affected and unaffected relays guards and/or exits?

Georg


On 2022-12-25 00:27, Frank Steinborn via tor-relays wrote:

Merry Christmas,
Frank

Best,

Neel

------- Original Message -------
On Sunday, December 4th, 2022 at 11:25 PM, Frank Steinborn <steinex@nognu.de> wrote:

Hi,

I want to show you my anti-DDoS solution for my relays (as well ;-). It works without ipset, but with a mix of the recent and hashlimit iptables modules.

What it does:
* If one IP address tries to make 7 SYN connection attempts per second, they are locked out for 300 seconds. If they try another connection in that timeframe, the timer is reset and they are locked out for another 300 seconds.
* There are no more SYNs allowed if 4 connections are already in use to the ORPort.

It works very well for me. Other solutions are far more aggressive, but I feel my solution works perfectly against the attacks, even if they are not that aggressive.

On top of that, I feel it's easier to implement into one's existing firewall solution.

You can find the repo here: GitHub - steinex/tor-ddos: Attempt to help against the ongoing Tor DDoS attacks

Feel free to give it a shot and feedback would be much appreciated!

Greetings,
steinex
