[tor-relays] Reapply exit policy on reload

George Hartley hartley_george at proton.me
Sat Aug 10 12:38:27 UTC 2024


I am very well aware of that and how it works, I have seen your commit that got merged, and am a C/C++ programmer as well.

Nevertheless, this is a feature I wanted anyway, so I could just reload the config and block IPs or even ranges if SSH range / portscans are done using my exit.

Right now I reject 22 exits fully, but this might change soon thanks to your patch.

Thank you for your contribution :)

George

On Saturday, August 10th, 2024 at 12:48 PM, trinity pointard <trinity.pointard at gmail.com> wrote:

> The DoSCircuitCreation/DoSConnection configs are unrelated to what
> ReevaluateExitPolicy allows.
> DoSCircuitCreation/DoSConnection are enacted by guards, to protect
> themselves, and to some extent the rest of the network, from "noisy
> IPs" trying to connect to Tor.
> ReevaluateExitPolicy is not a DoS option, it doesn't take any action
> automatically. It is only useful on exit nodes, and is roughly the
> equivalent of running the right tcpkill incantation to kill all
> already established connections to ip/ports not allowed by a new
> ExitPolicy (but that were allowed when these connections were
> initiated).
> 

> On Sat, 10 Aug 2024 at 01:23, George Hartley via tor-relays
> tor-relays at lists.torproject.org wrote:
> 

> > Then these must be targeted attacks, as I have never encountered something like this during 10 years of relay operation under different providers and aliases.
> > 

> > Sorry, but the Tor logs that I am seeing suggest that most DoS gets mitigated.
> > 

> > As far as I know, the concurrent connection (not circuit!) DoS defense is relatively new, so give the developers some time.
> > 

> > Also, any default IPTables rule-set should automatically either reject or just drop connections above a certain threshold.
> > 

> > All the best,
> > George
> > 

> > On Friday, August 9th, 2024 at 8:59 PM, boldsuck lists at for-privacy.net wrote:
> > 

> > > On Wednesday, 7 August 2024 14:30:27 CEST George Hartley via tor-relays wrote:
> > 

> > > > This is already impossible, as both circuit and concurrent connection DoS
> > > > get detected and the IP in question flagged and blacklisted.
> > 

> > > No.
> > > DoS has been a topic of conversation at nearly all relay meetings for over 2
> > > years. Enkidu and Toralf have developed Tor-ddos IPtables rules for the
> > > community. Article10 specifically for Tor exits and trinity has developed the
> > > patch.
> > 

> > > https://gitlab.torproject.org/tpo/core/tor/-/issues/40676
> > > Roger, Mike, Nick and Perry certainly wouldn't have let Trinity develop the
> > > feature if the current DoS mitigations in Tor had helped.
> > 

> > > > Please see the manual on this:
> > 

> > > > https://2019.www.torproject.org/docs/tor-manual.html.en#DoSCircuitCreationEnabled
> > 

> > > This is a client to relay detection only. "auto" means use the consensus
> > > parameter. (Default: auto)
> > > It is defined in the consensus:
> > > https://consensus-health.torproject.org/#consensusparams
> > 

> > > > > Example: 500K connections from IP 1.2.3.4
> > 

> > > These are numbers from reality and not fantasy.
> > > AFAIK, Article10 and relayon already had 1,000,000 connections per IP!
> > 

> > > --
> > > ╰_╯ Ciao Marco!
> > 

> > > Debian GNU/Linux
> > 

> > > It's free software and it gives you freedom!
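A worked illustration of the behaviour trinity describes above, added here as an example and not code from Tor or from anyone in the thread: a small Python model of exit-policy matching (first matching rule wins; an address/port that matches no rule falls through to the default policy Tor appends, which is assumed here to end in accept *:*) that lists which already-established exit connections a reloaded ExitPolicy would no longer permit, i.e. the ones the tcpkill incantation would have to close. The policy string and connection tuples are constructed sample values.

```python
import ipaddress


def parse_policy(text):
    """Parse a Tor-style ExitPolicy string such as 'reject *:22,accept *:*'.
    Each entry is 'accept|reject host:port' where host is *, an IP or a CIDR
    (IPv6 in square brackets) and port is *, a number or a lo-hi range."""
    rules = []
    for entry in text.split(","):
        action, target = entry.strip().split()
        host, port = target.rsplit(":", 1)
        net = None if host == "*" else ipaddress.ip_network(host.strip("[]"), strict=False)
        if port == "*":
            lo, hi = 1, 65535
        elif "-" in port:
            lo, hi = (int(p) for p in port.split("-", 1))
        else:
            lo = hi = int(port)
        rules.append((action == "accept", net, lo, hi))
    return rules


def allowed(rules, ip, port):
    """First matching rule decides. Assumption: the default policy Tor appends
    to a custom ExitPolicy ends in 'accept *:*', so no match means accept."""
    addr = ipaddress.ip_address(ip)
    for accept, net, lo, hi in rules:
        # 'addr in net' is False when the IP versions differ, so v4/v6 mix safely.
        if (net is None or addr in net) and lo <= port <= hi:
            return accept
    return True


def connections_to_kill(new_policy, conns):
    """Every established exit connection was allowed when it was opened, so only
    the reloaded policy matters: return the (ip, port) pairs it no longer permits."""
    rules = parse_policy(new_policy)
    return [(ip, port) for ip, port in conns if not allowed(rules, ip, port)]


# Constructed sample: the operator reloads with a new range block and 'reject *:22'.
NEW_POLICY = "reject 203.0.113.0/24:*,reject [2001:db8::/32]:*,reject *:22,reject *:25,accept *:*"
ESTABLISHED = [("198.51.100.7", 443), ("203.0.113.9", 443),
               ("198.51.100.7", 22), ("2001:db8::5", 80)]

if __name__ == "__main__":
    for ip, port in connections_to_kill(NEW_POLICY, ESTABLISHED):
        print(f"would kill {ip}:{port}")
```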