[tor-relays] OpenBSD DoS Mitigation
Felix
zwiebel at quantentunnel.de
Fri Apr 21 20:35:45 UTC 2023
Hi
> Thanks for the reply. What would be a reasonable per-ip rate limit
> (connections per second) for a Tor middle relay?
On FreeBSD the following pf settings apply for running Tor in a jail:

# Addresses that exceeded the limits; filled by the overload option below
table <blockOR1> persist
MAXSRCCONN = "50"
MAXSRCCONNRATE = "5/5"
nat on $IFEXT inet from $IPTOR1 to any -> $IP1
rdr on $IFEXT inet proto tcp from !<blockOR1> to $IP1 port XXX -> $IPTOR1 port YYY
pass in on $IFEXT inet proto tcp from any to $IPTOR1 port YYY flags S/SA \
    modulate state (max-src-conn $MAXSRCCONN, max-src-conn-rate $MAXSRCCONNRATE, \
    overload <blockOR1> flush)
Running Tor on the host could be something like:

table <blockOR1> persist
MAXSRCCONN = "50"
MAXSRCCONNRATE = "5/5"
pass in on $IFEXT inet proto tcp from !<blockOR1> to $IPTOR1 port YYY flags S/SA \
    modulate state (max-src-conn $MAXSRCCONN, max-src-conn-rate $MAXSRCCONNRATE, \
    overload <blockOR1> flush)
The MAX* values are very tight because of the latest DoS experiences.
Feel free to adjust them to your needs.
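A model of how the source-tracking options in these rules behave, as an added example that is not part of the original mail or of pf itself: the per-source counters are a simplified sliding window (pf approximates max-src-conn-rate with a moving average), and the client addresses and timings are constructed.

```python
from collections import defaultdict, deque

MAX_SRC_CONN = 50           # max-src-conn: simultaneous states per source
MAX_SRC_CONN_RATE = (5, 5)  # max-src-conn-rate 5/5: new states per 5 seconds


class SourceTracker:
    """Per-source tracking as done by the 'modulate state (...)' rule."""

    def __init__(self, max_conn=MAX_SRC_CONN, rate=MAX_SRC_CONN_RATE):
        self.max_conn = max_conn
        self.rate_count, self.rate_secs = rate
        self.open = defaultdict(int)      # live states per source address
        self.recent = defaultdict(deque)  # timestamps of recent new states
        self.overload = set()             # stands in for table <blockOR1>

    def new_connection(self, src, now):
        """Return True if a new connection from src at time now is passed."""
        if src in self.overload:
            return False                  # excluded by 'from !<blockOR1>'
        window = self.recent[src]
        while window and now - window[0] >= self.rate_secs:
            window.popleft()              # forget states older than the window
        window.append(now)
        self.open[src] += 1
        if self.open[src] > self.max_conn or len(window) > self.rate_count:
            # 'overload <blockOR1> flush': table the source, drop its states
            self.overload.add(src)
            self.open[src] = 0
            window.clear()
            return False
        return True

    def close_connection(self, src):
        """A state expired or was closed; frees one max-src-conn slot."""
        self.open[src] = max(0, self.open[src] - 1)


def simulate():
    """Constructed traffic: a slow client (6 connections, 1.5 s apart) and a
    bursty one (7 within half a second). Returns passes per client and the table."""
    tracker = SourceTracker()
    events = [("203.0.113.10", i * 1.5) for i in range(6)]    # constructed
    events += [("198.51.100.7", i * 0.08) for i in range(7)]  # constructed
    passed = defaultdict(int)
    for src, t in sorted(events, key=lambda e: e[1]):
        if tracker.new_connection(src, t):
            passed[src] += 1
    return dict(passed), tracker.overload
```

With the 5/5 setting the slow client is never tabled, while the bursty client's sixth SYN puts it into the overload table and everything after that is dropped.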