[tor-onions] Protect against ddos in tor

coderman coderman at gmail.com
Tue Feb 9 07:12:06 UTC 2016


On 2/9/16, coderman <coderman at gmail.com> wrote:
> ...
> manage sessions and lifetimes carefully; don't use apache; tune
> limits.conf and sysctl; disable conntrack in kernel network filters
> (if applicable); ...


One other benefit: put a proxy in front of the onion service if it is request-based, like HTTP/HTTPS/WebDAV. This lets the Tor HS config hit nginx (for example), which relays the request to the actual service back-end; the back-end responds and can release its socket for close or re-use (pipelining) with nginx, which in turn ensures the client response is delivered to the onion peer at the far end.

In addition, keep-alive is useful for DDoS mitigation and performance: always enable HTTP pipelined request support if possible. With a rate limit on accept by origin (by AS instead of IP or CIDR?), legitimate clients can usually connect as expected and remain connected, while the transient burst of flood sybils from botherders and pwnhops gets almost entirely denied. A few connections make it through to established, but the typical operation of automation implies it will get restarted / reconfigured as the reason for the RST is investigated, thus closing those few connections that did make it; and in turn, once a response is received, it is not uncommon for code to close the socket rather than re-use it.


Perhaps more ideas if you encounter specific attacks... good luck! :)


best regards,

