[tor-relays] DDOS mitigation with nftables
tor-relays+tor-relays at queer.cat
Wed Oct 23 02:49:37 UTC 2024
On 22/10/24 14:24, Top wrote:
> Hi all,
>
> My tor relays'[1] traffic decreased a lot and I think this *might* be
> connected to some kind of DDOS attack.
> So I wanted to use this situation to set up some DDOS protection.
> For that I stumbled upon Enkidu's tor DDOS mitigation script. [2]
I believe that the mitigations found in the community-maintained
anti-DDoS scripts, such as limiting the number of open connections from
a single IP, are now integrated into tor itself.
> However, this script is made for `iptables`, not `nftables`.
> I use `firewalld` with `nftables` on my system, since this seems to be
> the new default. [3]
> I don't really know that much about firewalls, so this situation
> overwhelms me a bit.
> In the README of Enkidu's rules it says:
>
> > Practically all linux systems come with iptables or more recently
> > with nftables which basically does the same and more. So you won't need
> > to install iptables. Just type iptables -V . If you see a version, you
> > have it. The same with ipset . An ipset -v will do the job. In some rare
> > cases you may not have ipset installed and installing it is as simple as
> > apt-get ipset or yum install ipset or...
You may want to consider installing the iptables-nft package, which
offers a compatibility layer for iptables on Fedora/CentOS.
>
> This seems to imply that the script should work fine with `nftables` as
> well.
> This is also what Enkidu seems to state in a relevant gitlab issue: [4]
>
> > nftables interprets all the iptables rules just fine so the provided
> > scripts will work regardless of which one you have.
>
> But it's not true!
> The script failed on my server, complaining that the `iptables` command
> couldn't be found (and no rules had been applied).
>
> So how can I apply proper DDOS protection firewall rules whilst using
> `nftables`?
> Is there some easy way to modify the script to make it work?
>
>
> Kind regards
> Top
>
>
> [1]: https://metrics.torproject.org/rs.html#search/toptor
> [2]: https://github.com/Enkidu-6/tor-ddos
> [3]: https://wiki.debian.org/nftables
> [4]: https://gitlab.torproject.org/tpo/community/support/-/issues/40093
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
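The reply names the core mitigation as limiting the number of open connections from a single IP. As an added example, not taken from this thread and not code from Enkidu's tor-ddos project, here is that rule written natively for nftables (no iptables compatibility layer needed), wrapped in a small POSIX shell script so the ruleset can be reviewed and dry-run before it is loaded. The ORPort number (9001), the per-address limit (8), and the table and set names are all assumptions to adjust for your relay.

```shell
#!/bin/sh
# Added example, not code from this thread or from Enkidu's tor-ddos scripts.
# Native nftables version of "at most N open connections per source IP"
# towards a relay's ORPort. Port, limit, table and set names are assumptions.

ORPORT="${ORPORT:-9001}"    # assumption: the relay's ORPort
MAX_CONN="${MAX_CONN:-8}"   # assumption: concurrent connections allowed per source IP

# Print the ruleset. Kept as text in a function so it can be reviewed or
# syntax-checked before anything touches the live firewall.
tor_ddos_ruleset() {
  cat <<EOF
table inet tor_ddos {
    # Dynamic sets keep one element per source address with its live
    # connection count; an element disappears once its connections close.
    set conn4 {
        type ipv4_addr
        size 65535
        flags dynamic
    }
    set conn6 {
        type ipv6_addr
        size 65535
        flags dynamic
    }
    chain input {
        # policy accept: this chain only adds drops, so a mistake here
        # cannot lock you out of the host.
        type filter hook input priority 0; policy accept;
        # On each new TCP connection to the ORPort, count it against the
        # source address and drop once that address exceeds MAX_CONN.
        tcp dport $ORPORT ct state new add @conn4 { ip saddr ct count over $MAX_CONN } counter drop
        tcp dport $ORPORT ct state new add @conn6 { ip6 saddr ct count over $MAX_CONN } counter drop
    }
}
EOF
}

# Write the ruleset to a file (default /tmp/tor_ddos.nft), print the path
# and return 0 on success.
tor_ddos_write() {
  out="${1:-/tmp/tor_ddos.nft}"
  tor_ddos_ruleset > "$out" || return 1
  printf '%s\n' "$out"
}

# Dry-run the file with `nft -c` (parse and check only, nothing is loaded).
# Needs root and the nft binary.
tor_ddos_check() {
  nft -c -f "${1:-/tmp/tor_ddos.nft}"
}

# Usage (as root):
#   f=$(tor_ddos_write) && tor_ddos_check "$f" && nft -f "$f"
# Then watch it work:
#   nft list set inet tor_ddos conn4          # addresses currently counted
#   nft list chain inet tor_ddos input        # the counters show drops
```

The table is loaded with `nft -f` rather than through firewalld, so firewalld does not know about it and will not recreate it on reload; persist it yourself (for example in the file read by your nftables service unit). Start with a generous limit and read the counters for a while before tightening it, since a relay legitimately receives several connections from some sources.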