[tor-relays] DDOS mitigation with nftables

tor-relays+tor-relays at queer.cat
Wed Oct 23 02:49:37 UTC 2024



On 22/10/24 14:24, Top wrote:
> Hi all,
> 
> 
> My tor relays[1] traffic decreased a lot and I think this *might* be 
> connected to some kind of DDOS attack.
> So I wanted to use this situation to set up some DDOS protection.
> For that I stumbled upon Enkidu's tor DDOS mitigation script. [2]

I believe that the mitigations found in the community-maintained 
anti-DDoS scripts, such as limiting the number of open connections from 
a single IP, are now integrated into tor itself.

> However, this script is made for `iptables`, not `nftables`.
> I use `firewalld` with `nftables` on my system, since this seems to be 
> the new default. [3]
> I don't really know that much about firewalls, so this situation 
> overwhelms me a bit.
> In the README of Enkidu's rules it says:
> 
> > Practically all linux systems come with iptables or more recently
> > with nftables which basically does the same and more. So you won't need
> > to install iptables. Just type iptables -V . If you see a version, you
> > have it. The same with ipset . An ipset -v will do the job. In some rare
> > cases you may not have ipset installed and installing it is as simple as
> > apt-get ipset or yum install ipset or...

You may want to consider installing the iptables-nft package, which 
offers a compatibility layer for iptables on Fedora/CentOS.

> 
> This seems to imply that the script should work fine with `nftables` as 
> well.
> This is also what Enkidu seems to state in a relevant gitlab issue: [4]
> 
> > nftables interprets all the iptables rules just fine so the provided
> > scripts will work regardless of which one you have.
> 
> But it's not true!
> The script failed on my server, complaining that the `iptables` command 
> couldn't be found (and no rules had been applied).
> 
> So how can I apply proper DDOS protection firewall rules whilst using 
> `nftables`?
> Is there some easy way to modify the script to make it work?
> 
> 
> Kind regards
> Top
> 
> 
> [1]: https://metrics.torproject.org/rs.html#search/toptor
> [2]: https://github.com/Enkidu-6/tor-ddos
> [3]: https://wiki.debian.org/nftables
> [4]: https://gitlab.torproject.org/tpo/community/support/-/issues/40093
> _______________________________________________
> tor-relays mailing list
> tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
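
As an added example (not part of this thread and not taken from the Enkidu-6/tor-ddos scripts), the following native nftables ruleset applies the kind of per-source connection cap the reply above refers to, without needing the iptables compatibility layer. The table name, set names, the limits, and the ORPort 9001 are assumptions to adjust for your relay.

```nft
#!/usr/sbin/nft -f
# Added example, not taken from the Enkidu-6/tor-ddos scripts.
# Assumed: the relay's ORPort is 9001; table, set and chain names are placeholders.
# Load with:    nft -f tor-ddos.nft
# Inspect with: nft list table inet tor_ddos   (shows tracked sources and counters)

table inet tor_ddos {
    # Dynamic sets: an element is created per source address the first time
    # a rule references it, and the kernel tracks the count or rate for it.
    set connlimit_v4 { type ipv4_addr; flags dynamic; }
    set connlimit_v6 { type ipv6_addr; flags dynamic; }
    set ratelimit_v4 { type ipv4_addr; flags dynamic; }
    set ratelimit_v6 { type ipv6_addr; flags dynamic; }

    chain orport_limits {
        # Cap concurrent connections per source address. Existing connections
        # are untouched; only the SYN that would exceed the cap is dropped.
        add @connlimit_v4 { ip saddr ct count over 4 } counter drop
        add @connlimit_v6 { ip6 saddr ct count over 4 } counter drop

        # Cap the rate of new connections per source address.
        add @ratelimit_v4 { ip saddr limit rate over 30/minute } counter drop
        add @ratelimit_v6 { ip6 saddr limit rate over 30/minute } counter drop
    }

    chain input {
        type filter hook input priority filter; policy accept;
        # Only new TCP connections to the ORPort are subject to the limits;
        # everything else falls through to the accept policy (and to any
        # other table, such as firewalld's, that also hooks input).
        tcp dport 9001 ct state new jump orport_limits
    }
}
```

firewalld keeps its rules in its own nftables table, so this table can coexist with it, but a firewalld reload may flush other tables depending on its FlushAllOnReload setting; re-check with `nft list ruleset` after a reload.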


