[tor-relays] Impact on running a tor relay on other internet services?
Thoughts
thoughts at kevinsthoughts.com
Thu Jul 28 00:29:40 UTC 2022
Perhaps a related data point: per nyx I'm currently seeing about 20K
incoming connections but only 3.3K outbound. Shouldn't those be about
the same given I'm running a non-exit middle node?
On 7/27/2022 3:12 PM, Thoughts wrote:
> Hi all - I've been running a TOR non-exit relay for several months
> now. It's rare, but I'm seeing what I believe is the occasional
> connection attack, with my relay complaining about the number of
> connections and suggesting I reduce capacity. Those are rare, and
> most of the time my server is running at about 20% CPU. During
> attacks, which seem unrelated to my Tor Upload/Download rate, CPU
> jumps to well over 100% (quad core, so 400% is max).
>
> I'd normally just ignore this, but it seems to be impacting other
> aspects of my network experience: Messenger Rooms will unexpectedly
> close, NetFlix gets "unable to stream this title", family complains
> about slow and dropped connections, etc. Just had it happen a few
> minutes ago with a Messenger Room and sure enough, CPU is at 130%,
> even though I'm only pumping about 15MB/Sec (37.5MB/S limit, 56.2
> burst, 40.3 observed) over my gigabit ISP connection. Speedtest
> shows it performing within acceptable parameters.
>
> So contemplating what I can do, since this is bothersome. I've come
> up with a few alternatives, and curious about your thoughts:
>
> 1) Do some type of connection limiting at my PFSense Plus firewall.
> Perhaps limiting things to, say, 30 connections per IP address? Not
> even sure that is possible, but figure it might lighten the load on
> the TOR server.
>
> 2) Drop being a TOR non-exit relay and convert to a bridge. Not sure
> how long, if ever, it would take for my IP address, which is now
> public, to fade off of block lists... Not ideal, but at least as a
> bridge I'd still be servicing the environment.
>
> 3) Try connection limiting via iptables on the TOR host. Just seems
> like doing that at the firewall would be better.
>
> Thoughts?
>
> Kevin
>
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
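Before adding a per-IP connection cap at the firewall or with iptables (options 1 and 3 in the quoted message), it is worth measuring whether any single source actually dominates the relay's connection table, and how the inbound and outbound totals compare (the 20K vs 3.3K figures in the reply). The script below is an added example, not code from the thread or from the Tor project: it parses `ss -tn` output, counts established connections per peer address, separates inbound (peer connected to the ORPort) from outbound, and lists peers above a threshold. The ORPort value (9001), the 30-per-IP limit, and the sample `ss` lines are all constructed assumptions.

```python
"""Count established Tor ORPort connections per peer from `ss -tn` output.

Added example, not from the tor-relays thread. Assumptions: the relay's
ORPort is 9001 (adjust to your torrc) and a peer with more than 30
connections is worth a look, matching the figure floated in the thread.
Inbound connections come from both Tor clients and other relays; outbound
connections are only ever made to other relays, so an inbound/outbound
imbalance on a relay is not by itself a sign of trouble.
"""
import subprocess
from collections import Counter

ORPORT = 9001      # assumption: relay ORPort
PER_IP_LIMIT = 30  # assumption: threshold from the thread


def split_host_port(addr):
    """Split 'host:port' or '[v6]:port' as printed by `ss` into (host, port)."""
    host, port = addr.rsplit(":", 1)
    return host.strip("[]"), int(port)


def parse_ss(text, orport=ORPORT):
    """Return (inbound, outbound) Counters keyed by peer host."""
    inbound, outbound = Counter(), Counter()
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 5 or parts[0] != "ESTAB":
            continue                            # ignore TIME-WAIT, SYN-RECV, etc.
        _lhost, lport = split_host_port(parts[3])
        phost, _pport = split_host_port(parts[4])
        if lport == orport:
            inbound[phost] += 1                 # peer connected to our ORPort
        else:
            outbound[phost] += 1                # we connected out (ephemeral local port)
    return inbound, outbound


def over_limit(counter, limit=PER_IP_LIMIT):
    """Peers whose connection count exceeds the limit, sorted by address."""
    return sorted((ip, n) for ip, n in counter.items() if n > limit)


def summarize(text, orport=ORPORT, limit=PER_IP_LIMIT):
    inbound, outbound = parse_ss(text, orport)
    return {
        "inbound_total": sum(inbound.values()),
        "outbound_total": sum(outbound.values()),
        "inbound_peers": len(inbound),
        "over_limit": over_limit(inbound, limit),
    }


def live_summary(orport=ORPORT, limit=PER_IP_LIMIT):
    """Run `ss -tn` on the relay host and summarize the real connection table."""
    out = subprocess.run(["ss", "-tn"], capture_output=True, text=True, check=True).stdout
    return summarize(out, orport, limit)


def build_sample():
    """Constructed `ss -tn` output (not real relay data): one peer with 35
    inbound connections, one IPv6 peer with 4, three outbound, one TIME-WAIT."""
    rows = ["State Recv-Q Send-Q Local Address:Port Peer Address:Port Process"]
    rows += [f"ESTAB 0 0 203.0.113.10:9001 198.51.100.7:{40000 + i}" for i in range(35)]
    rows += [f"ESTAB 0 0 [2001:db8::10]:9001 [2001:db8:1::7]:{41000 + i}" for i in range(4)]
    rows += [f"ESTAB 0 0 203.0.113.10:{50000 + i} 192.0.2.{i + 1}:9001" for i in range(3)]
    rows.append("TIME-WAIT 0 0 203.0.113.10:9001 198.51.100.9:33333")
    return "\n".join(rows) + "\n"


SAMPLE_SS_OUTPUT = build_sample()

if __name__ == "__main__":
    report = summarize(SAMPLE_SS_OUTPUT)
    print(f"inbound {report['inbound_total']} from {report['inbound_peers']} peers, "
          f"outbound {report['outbound_total']}")
    for ip, n in report["over_limit"]:
        print(f"  {ip}: {n} connections (over {PER_IP_LIMIT})")
```

On the sample data this reports 39 inbound from 2 peers, 3 outbound, and flags 198.51.100.7 with 35 connections. Run `live_summary()` on the relay itself to see the real distribution; if the peers above the threshold turn out to be a handful of addresses, a per-IP cap at the firewall targets the right thing, whereas if the load is spread thinly across thousands of peers a per-IP cap would change little and the relay's own bandwidth and connection settings are the lever to adjust.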