[tor-relays] max TCP interruption before Tor circuit teardown?
Gordon Morehouse
gordon at morehouse.me
Wed Oct 23 05:22:56 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
David Serrano:
> First post to this mailing list. I joined the network 3 days ago
> with a Via Nehemia system, 1 GHz, 256 Mb RAM, RelayBandwidthRate
> 500 KB.
I suspect that'll have the CPU to handle things, but RAM... guess
you'll find out! Unsure.
> On 2013-10-20 09:42:01 (-0700), Gordon Morehouse wrote:
>>
>> First, during a SYN flood type overload, some peers which have
>> *existing* circuits built through the relay and are sending SYNs
>> as normal traffic, will stochastically get "caught" in the filter
>> and banned for a short time. If these hosts already have
>> circuits open through the relay which is overloaded, I would
>> prefer to preserve those circuits rather than break them. My
>> defensive strategy versus overload here is to throttle new
>> circuit creation requests, *not* to break existing circuits.
>>
>> So here's the $64,000 question:
>>
>> If a tor relay has a circuit built through a peer, and the peer
>> starts dropping 100% of packets, how long will it take before the
>> relay with the circuit "gives up" on the circuit and tears it
>> down? I want to set my temp ban time *below* this timeout.
>> Thus, unlucky peers that were caught in the filter and have
>> circuits already built through the relay they will experience a
>> brief performance degradation, but they won't lose their active
>> circuits through the overloaded relay, and in the meantime
>> hopefully the overload condition is becoming resolved.
>
> I can think of two approaches to your problem:
>
> - You can 'iptables -m state --state ESTABLISHED -J ACCEPT' early
> in your ruleset, so all existing circuits will be allowed. I
> understand this is pretty standard practice and I'm somewhat
> surprised that you're not already doing it. Your SYN throttling
> would appear later in the ruleset. You could be aggresive at this
> point since you know that you won't break any circuit.
>
> - Besides this, you can 'iptables -p tcp --syn -J SYN_THROTTLE' and
> populate a new SYN_THROTTLE chain with your desired rules to tell
> peers to calm down. Only SYN packets will enter this chain, the
> established circuits won't match this rule and will traverse the
> rest of the ruleset unaffected.
>
> Since I run a new node and discovering this new world I'm somewhat
> concerned that once I gain the Stable flag I'll be SYN flooded too
> so I'll pay attention to this too.
This is greatly helpful, thanks. The reason I've overlooked some
obvious things is because I'm an iptables noob. :)
If you like, have a look at The Cipollini Project[1], which is
essentially a collection of tidbits aiming to eventually be a set of
packages that can be distributed or otherwise used to turn very
inexpensive and/or low-end boxes into "plug and forget" relays. It'll
soon have its own mailing list.
1. https://github.com/gordon-morehouse/cipollini
Best,
- -Gordon M.
-----BEGIN PGP SIGNATURE-----
iQEcBAEBCgAGBQJSZ10uAAoJED/jpRoe7/uj3o4H/jwcQcYk0Kdiu5QaeucXLPAo
LXQdhK688xkqbadrGbFUTnsJyRGI/hZ8sJbNYZDi0iIT4BTALnRFdLaDdyF40txR
ow4AYMLLmWNno0wTwn5qgPY8v6nC4cbXpHIBWArxDDBcJfYcYIv7YzM738qyKtRk
4m7elOACQgWcP0YRZNs6ZpQxQ53asrCaVO9yCf9LS/RehJW/XlChvMWfqAOkUKYD
fiziX2ZpYd1SrZ8guUNiKfp/8zLojyjO1rknNjRer/51aHub4nADvZm3z9dDMDBJ
6bNEhU01g9ss/TJS9MffRMLRJ2cu2uqb7FNcB6jZmQvQLJDftm5OtV6IsC4PhQY=
=dV1H
-----END PGP SIGNATURE-----
More information about the tor-relays
mailing list