[tor-relays] short conntrack DDoS attack

mailinglistreader at riseup.net mailinglistreader at riseup.net
Wed Aug 9 09:20:00 UTC 2023


On 8/8/23 07:21, Toralf Förster wrote:
> A few days ago the throughput of my Tor relay went down to nearly zero for
> about 3 minutes. It turned out that the reason (maybe) was a change here
> in my iptables rules. Specifically, I switched these 2 lines:
> 
>    iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
>    iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> 
> and then ran into problems a few hours later. And switched back ofc.
> An explanation for the drop was given in [1]. Given that the
> explanation is right:

I use these rules, with the RELATED,ESTABLISHED rule extended by the "-m
conntrack ! --ctstate INVALID" filter as recommended in [1], and placed before
the INVALID DROP rule. Works like a charm and with no changes to the
number of connections or traffic.
So the explanation, that INVALID packets pass through the
RELATED,ESTABLISHED rule, seems plausible. Sadly I can't answer your following
question.

> How is the Tor application harmed if an attacker mangles packets so that
> their state is INVALID for the conntrack module but they still pass
> the RELATED,ESTABLISHED rule?
> 
> 
> [1] https://forums.gentoo.org/viewtopic-p-8798034.html
> -- 
> Toralf
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
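As an added example (not a ruleset from either poster), the following POSIX sh snippet emits the INPUT chain in the form the reply above describes and audits an existing ruleset (e.g. `iptables-save` output) for the ordering that starved the relay; the ORPort 9001 and the loopback rule are placeholders, and nothing here modifies the firewall.

```shell
#!/bin/sh
# Added example for this thread, not either poster's ruleset. Assumes a Linux
# host with iptables/conntrack and a placeholder ORPort of 9001; the functions
# only emit and audit rule text and never touch the live firewall.

# Emit an INPUT chain in iptables-restore syntax in the form the reply
# describes: RELATED,ESTABLISHED is accepted only when the packet is not also
# INVALID (the extension from [1]), so it may safely sit before the INVALID DROP.
tor_relay_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m conntrack ! --ctstate INVALID -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 9001 --syn -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Audit a ruleset read from stdin. Returns 0 when INVALID packets cannot be
# accepted on state alone: either the RELATED,ESTABLISHED ACCEPT carries the
# "! --ctstate INVALID" filter, or a plain ACCEPT comes after the INVALID DROP.
# Returns 1 for the failing order (plain ACCEPT before the DROP), 2 when the
# ACCEPT rule, or the DROP a plain ACCEPT depends on, is missing.
check_rule_order() {
    rules=$(cat)
    accept=$(printf '%s\n' "$rules" \
        | grep -n -e '^-A INPUT .*--ctstate RELATED,ESTABLISHED.* -j ACCEPT' | head -n 1)
    [ -n "$accept" ] || return 2
    case "$accept" in
        *'! --ctstate INVALID'*) return 0 ;;   # extended form: order is irrelevant
    esac
    drop_at=$(printf '%s\n' "$rules" \
        | grep -n -e '^-A INPUT .*--ctstate INVALID -j DROP' | head -n 1 | cut -d: -f1)
    [ -n "$drop_at" ] || return 2
    [ "$drop_at" -lt "${accept%%:*}" ]
}
```

Run `iptables-save | check_rule_order` on a relay before reordering rules; a non-zero status means INVALID packets can be accepted on state alone.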
