[tor-relays] Use OutboundBindAddress on multi-instance tor servers
Anders Trier Olesen
anders.trier.olesen at gmail.com
Sun Feb 12 10:44:36 UTC 2023
Hi nusenu
I'm considering not setting OutboundBindAddress on the dotsrc exit relays
(https://metrics.torproject.org/rs.html#search/dotsrc). Wouldn't it be
better if all outgoing connections came from the same IP (i.e. do not set
OutboundBindAddress), for the sake of making correlation analysis harder?
Say you observe an exit connection to example.com:443. If all the dotsrc
relays used 185.129.61.1 as src IP, you couldn't tell which of our relays
made the connection.
On a related note, wrt the ongoing DDoS, here's something that might be useful
to exit relay operators:
What we observed was tens of thousands of open exit connections to a few IPs
(at one point our server had more than 500.000 open connections to those
hosts!). To check if you see the same, here's a one-liner to show you the
endpoints with the largest number of connections from your server:
# ss -tn | tr -s ' ' | cut -d' ' -f 5 | sort | uniq -c | sort -nr | head
One way to solve this is to do some firewall foo, but I really don't like
connection tracking (unnecessary CPU cycles). An alternative solution that
works great for us is to lower net.ipv4.ip_local_port_range from the
default of about 30.000 ports, e.g.:
# sysctl -w net.ipv4.ip_local_port_range="64000 65535"
This limits the number of connections you can have to a specific dst tuple
(IP, Port) to 1.535 connections (and thanks to Tor now setting
IP_BIND_ADDRESS_NO_PORT, reaching this limit won't affect any other
connections as the same port can be used as src for many different dst IPs).
- Anders
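The two checks above (counting connections per remote endpoint, and reasoning about how many source ports the ephemeral range leaves for one destination tuple) as an added, self-contained example; this is not code from the original post or from the Tor project. It runs over a constructed `ss -tn` sample embedded in the script rather than a live socket table, and the function names (`top_peers`, `port_range_size`, `peers_near_limit`) are this example's own. Note that sysctl ranges are inclusive, so "64000 65535" gives 1536 usable source ports and the stock Linux default "32768 60999" gives 28232:

```shell
#!/bin/sh
# Added example, not from the original post: aggregate open TCP connections
# per remote endpoint (what the ss one-liner does) and size the ephemeral
# port range that caps connections to any single (dst IP, dst port) tuple.

# Constructed sample of `ss -tn` output (not real relay data). In data rows
# field 5 is "Peer Address:Port"; the header line is skipped. IPv6 peers
# appear as [addr]:port and are counted the same way.
SAMPLE_SS_OUTPUT='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 185.129.61.1:39112 93.184.216.34:443
ESTAB 0 0 185.129.61.1:39113 93.184.216.34:443
ESTAB 0 0 185.129.61.1:39114 93.184.216.34:443
ESTAB 0 0 185.129.61.1:51020 198.51.100.7:80
ESTAB 0 0 [2a00:1234::1]:44000 [2606:2800:220:1:248:1893:25c8:1946]:443
SYN-SENT 0 1 185.129.61.1:39115 93.184.216.34:443
ESTAB 0 0 185.129.61.1:51021 198.51.100.7:80'

# top_peers: read `ss -tn` text on stdin, print "<count> <peer>" lines,
# busiest endpoint first. Counts every non-listening socket, including
# half-open SYN-SENT ones, since each still consumes a source port.
top_peers() {
    awk 'NR > 1 && NF >= 5 { n[$5]++ } END { for (p in n) print n[p], p }' \
        | sort -rn
}

# port_range_size: number of source ports in a range given the way sysctl
# prints it ("<low> <high>", both ends inclusive). With Tor setting
# IP_BIND_ADDRESS_NO_PORT, this is the cap on simultaneous connections to
# one (dst IP, dst port) tuple, not on connections overall.
port_range_size() {
    set -- $*
    echo $(( $2 - $1 + 1 ))
}

# peers_near_limit: filter "<count> <peer>" lines (as produced by top_peers)
# to endpoints at or above <pct> percent of <limit> concurrent connections.
peers_near_limit() {
    awk -v limit="$1" -v pct="${2:-90}" '$1 * 100 >= limit * pct { print $2 }'
}

# Stand-alone demo on the constructed sample. On a real host replace the
# printf with `ss -tn` and read the live range from the sysctl.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | top_peers | head -n 3
echo "ports in 64000-65535: $(port_range_size '64000 65535')"
echo "ports in default 32768-60999: $(port_range_size '32768 60999')"
if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
    live="$(cat /proc/sys/net/ipv4/ip_local_port_range)"
    echo "live range: $live ($(port_range_size "$live") ports per dst tuple)"
fi
```

Running `peers_near_limit` with the live range size (for example `... | top_peers | peers_near_limit "$(port_range_size "$live")" 90`) lists the destinations that are about to start failing `connect()` with EADDRNOTAVAIL, which is the intended effect of the shrunk range: those few hosts get throttled while other destinations keep getting source ports. The change is applied with `sysctl -w` as in the post and should be persisted under /etc/sysctl.d/ to survive a reboot.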
On Sat, Feb 11, 2023 at 12:12 PM nusenu <nusenu-lists at riseup.net> wrote:
> >> multi-instance tor relay
> > Can you please describe what that is?
>
> The subject uses the more correct term 'multi-instance tor server'.
>
> A single OS running more than one tor relay instance.
>
> In the context of this email, more specifically running more than 2 tor
> relays.
>
> kind regards,
> nusenu
>
> --
> https://nusenu.github.io