[tor-relays] Checking dos mitigation

Felix zwiebel at quantentunnel.de
Tue Feb 13 20:27:11 UTC 2018


Hi everybody

I tried several setups for DoS mitigation since the DoS code became
available and came to the following results, where I think 5) is
promising and 2) or 3) are fine.

1) Drops off consensus for 1-2 hours and returns w/o hsdir:
DOS_CC_CIRCUIT_BURST_DEFAULT 90
DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 100
FW: 20 connects per /32 ip, rate limited to 3 per sec.

2) Good (stable):
DOS_CC_CIRCUIT_BURST_DEFAULT 50
DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 50
FW: 20 connects per /32 ip, rate limited to 3 per sec.

3) Good (stable):
DOS_CC_CIRCUIT_BURST_DEFAULT 20
DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 20
FW: 20 connects per /32 ip, rate limited to 3 per sec.

4) Too conservative:
DOS_CC_CIRCUIT_BURST_DEFAULT 10
DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 10
FW: 20 connects per /32 ip, rate limited to 3 per sec.

5) Good (newly):
DOS_CC_CIRCUIT_BURST_DEFAULT 50
DOS_CONN_MAX_CONCURRENT_COUNT_DEFAULT 50
FW: 100 connects per /32 ip, rate limited to 15 per sec.

Some hack to grab DoS IPs, their counts and defenses shows the well-known
ones as well as a handful of new ones. But no surprises.

-- 
Cheers, Felix
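To see why the smaller burst and connection caps in setup 4) hit ordinary heavy clients while setups 2) and 3) do not, here is an added toy simulation (not code from the post or from tor; it is a simplified model of the per-client token bucket and connection cap that the two tuned constants control). Assumptions not stated in the post: circuit tokens refill at 3 per second, a client is only marked when its bucket is empty and it holds at least 3 connections, a marked client stays refused for the rest of the run, and the workload (one busy NAT gateway, one abusive client, with constructed addresses) is invented for the example. The firewall rules from the post are not modelled, so setup 5) has the same parameters as 2) here.

```python
"""Toy model of the two per-client DoS counters the post tunes
(DOS_CC_CIRCUIT_BURST_* and DOS_CONN_MAX_CONCURRENT_COUNT_*).

Assumptions (not from the post, and a simplification of tor's dos.c):
  * circuit creation is a per-IP token bucket, initially full at `burst`,
    refilled at `rate` tokens/sec (3/sec assumed);
  * when the bucket is empty and the client holds at least `min_conns`
    concurrent connections (3 assumed) it is marked and further circuits
    are refused for the rest of the run;
  * a new connection is refused once the client holds `max_conns` of them.
The firewall rules from the post are not modelled.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Client:
    tokens: float         # circuit-creation tokens left in the bucket
    last: float           # timestamp of the last refill
    conns: int = 0        # connections currently open
    marked: bool = False  # circuit defence triggered


class DosModel:
    def __init__(self, burst, max_conns, rate=3.0, min_conns=3):
        self.burst, self.rate = burst, rate
        self.max_conns, self.min_conns = max_conns, min_conns
        self.clients = {}
        self.rejected = defaultdict(lambda: {"conn": 0, "circ": 0})

    def _client(self, ip, t):
        c = self.clients.get(ip)
        if c is None:
            c = self.clients[ip] = Client(tokens=self.burst, last=t)
        else:  # refill proportionally to elapsed time, capped at burst
            c.tokens = min(self.burst, c.tokens + (t - c.last) * self.rate)
            c.last = t
        return c

    def connect(self, ip, t):
        c = self._client(ip, t)
        if c.conns >= self.max_conns:
            self.rejected[ip]["conn"] += 1
            return False
        c.conns += 1
        return True

    def create_circuit(self, ip, t):
        c = self._client(ip, t)
        if c.marked:
            self.rejected[ip]["circ"] += 1
            return False
        if c.tokens >= 1:
            c.tokens -= 1
            return True
        if c.conns >= self.min_conns:  # empty bucket and many conns: mark
            c.marked = True
            self.rejected[ip]["circ"] += 1
            return False
        return True  # empty bucket but too few connections to look abusive


def workload():
    """Constructed events (t, ip, kind), not real relay data: a busy NAT
    gateway and an abusive client, both arriving within the first second."""
    ev = []
    nat, bad = "198.51.100.7", "203.0.113.9"
    ev += [(i * 0.01, nat, "conn") for i in range(15)]
    ev += [(0.2 + i * 0.05, nat, "circ") for i in range(12)]
    ev += [(i * 0.005, bad, "conn") for i in range(150)]
    ev += [(0.1 + i * 0.007, bad, "circ") for i in range(120)]
    return sorted(ev, key=lambda e: e[0])


def simulate(burst, max_conns):
    """Run the constructed workload and report refusals per client IP."""
    m = DosModel(burst, max_conns)
    for t, ip, kind in workload():
        (m.connect if kind == "conn" else m.create_circuit)(ip, t)
    return {ip: dict(m.rejected[ip], marked=m.clients[ip].marked)
            for ip in m.clients}


# Setups 1) to 4) from the post (5) has the same tor parameters as 2)).
SETUPS = {"1) 90/100": (90, 100), "2) 50/50": (50, 50),
          "3) 20/20": (20, 20), "4) 10/10": (10, 10)}


def run_setups():
    return {name: simulate(*params) for name, params in SETUPS.items()}


if __name__ == "__main__":
    for name, result in run_setups().items():
        print(name)
        for ip, r in result.items():
            print(f"  {ip}: {r['conn']} conns refused, "
                  f"{r['circ']} circuits refused, marked={r['marked']}")
```

In this model the abusive client is marked under every setup, but only the 10/10 setup refuses connections and a circuit from the NAT gateway, which is the kind of collateral damage behind calling 4) too conservative.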

