[tor-relays] Tor DDoS Mitigation iptables scripts update. Version 4.0.1

Chris tor at wcbsecurity.com
Wed Nov 30 18:06:51 UTC 2022


Background:

A set of bash scripts used to apply iptables rules to fight the current
DDoS attacks. They require no dependencies to install except
iptable/nftables which all Linux flavors already have and require no
particular expertise. The issue was discussed here:

[issue 40093](https://gitlab.torproject.org/tpo/community/support/-/issues/40093)

Change log:

Some modifications due to a change in the nature of the attacks.

- Reordered rules for more efficiency and reducing the load.
- Removed the hashlimit rule, as it puts more load on the system with not
much overall benefit: the attackers have adapted to it, and it reduces
the size of the block list.
- Reduced the number of allowed concurrent connections to 2 if you're not
a relay.
- Use of the remove.sh cron script at regular intervals (optional) will give
relays a chance to create up to 4 connections if they need to.
- Created a new cron file **refresh-authorities.sh** to refresh
your allow-list with the most up to date IP addresses for the
authorities and snowflake. Should be run daily.
- Removed an unnecessary line in the update files.
- Modified the Readme.MD file to reflect the new changes.

The new modifications have been tested for two weeks now and the systems
are running smoothly with no ill effect.

You can read more and download here:

[Enkidu-6 tor-ddos on Github](https://github.com/Enkidu-6/tor-ddos)

To avoid occasional NTor drops a minimum NumCPUs 16 in torrc is recommended.

P.S.
The NumCPUs option is unfortunately poorly documented. It really has
nothing to do with the number of CPUs you have. It's about the number of
worker threads Tor will create to deal with decryption of onionskins. So
you can have two CPUs and still set NumCPUs to 16.
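The ordering described in the change log (allow-listed authority and snowflake addresses checked first, then a per-source cap of 2 concurrent connections on the ORPort) as an added, runnable illustration. This is not code from the Enkidu-6/tor-ddos scripts; it assumes the cap is enforced with the iptables `connlimit` match and the allow-list with an `ipset`, and the addresses, the ORPort 9001 and the set name `tor-allow` are constructed placeholders. By default it only prints the commands it would run; set `APPLY=1` (as root) to execute them.

```shell
#!/bin/sh
# Added example (not from the Enkidu-6/tor-ddos project): emits an iptables
# rule set in the order the post describes. Allow-listed sources are matched
# first, then everyone else is capped at a fixed number of concurrent
# connections to the ORPort. Assumptions: connlimit + ipset are the mechanism;
# all addresses below are CONSTRUCTED placeholders, not real authorities.

ORPORT="${ORPORT:-9001}"   # assumed ORPort
ALLOWSET="tor-allow"       # assumed ipset name
LIMIT_DEFAULT=2            # non-relay sources get 2 concurrent connections (from the post)

# Constructed placeholder allow-list; a real one would come from refresh-authorities.sh
ALLOWLIST="192.0.2.10
192.0.2.11
198.51.100.5"

# Dry-run wrapper: print the command unless APPLY=1 (applying needs root).
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Create the allow-list set and load the addresses into it.
gen_allowset() {
    run ipset create "$ALLOWSET" hash:ip -exist
    printf '%s\n' "$ALLOWLIST" | while read -r ip; do
        [ -n "$ip" ] && run ipset add "$ALLOWSET" "$ip" -exist
    done
}

# Emit the ORPort rules: allow-list bypass first, then the per-source cap.
gen_rules() {
    limit="${1:-$LIMIT_DEFAULT}"
    # 1. Allow-listed sources (authorities, snowflake) skip the limit entirely.
    run iptables -A INPUT -p tcp --dport "$ORPORT" \
        -m set --match-set "$ALLOWSET" src -j ACCEPT
    # 2. Any other single source IP (/32) may hold at most $limit connections;
    #    new SYNs beyond that are dropped.
    run iptables -A INPUT -p tcp --dport "$ORPORT" --syn \
        -m connlimit --connlimit-above "$limit" --connlimit-mask 32 -j DROP
}

# Number of rule lines a dry run of gen_rules produces.
count_rules() {
    gen_rules "$1" | wc -l | tr -d ' '
}

# Stand-alone use: print the allow-list setup and the two ORPort rules.
gen_allowset
gen_rules "$LIMIT_DEFAULT"
```

The allow-list rule must precede the connlimit rule: iptables evaluates a chain top to bottom, so placing the cheap set lookup first keeps the authorities from ever being counted against the cap, which is the reordering the post refers to. Passing a different first argument to `gen_rules` (for example 4) produces the looser limit the post mentions for relays.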
