[tor-relays] DDOS mitigation with nftables

Chris Enkidu-6 tor at wcbsecurity.com
Fri Oct 25 08:44:48 UTC 2024


With Ubuntu, installing ipset automatically installs iptables along with
it. As others mentioned, modern Debian doesn't do that. I've modified
the script to do that as well in the new version (v7.0.5).

As it is, you neither have iptables nor nftables and since you don't
want to install them at all, then there's no point in running the
script. As it's clearly stated in the README file of the repository, my
script uses iptables-nft to accomplish the task of mitigating the
attacks and it's not something you can accomplish using firewalld or
UFW, at least not to that extent. The goal of those firewalls is to
simplify the rules for people who don't want to deal with complexities
of iptables/nftables and in doing so, they do not offer the more complex
features that iptables-nft provides.

Regards,

Enkidu


On 10/23/2024 4:40 AM, Top wrote:
> Hi,
>
> thanks for the replies! I'm gonna answer a few questions.
> Regarding Enkidu:
> - I use Debian
> - `iptables -V` says `-bash: iptables: command not found`
> - `ipset -v` says `ipset v7.17, protocol version: 7`
> - I'm running Debian but the installation of `ipset` did not install
> `iptables`
> - I am running the script with root
> - Besides, I don't *want* to use `iptables` and `nftables` - so I
> don't even want `iptables` to be installed
>
> Regarding boldsuck:
> Thanks for the information!
> I might try to adapt your example to my situation.
> I do not have an exit but two guards.
>
> Regarding Ralph:
> - The logs basically keep repeating that `iptables` could not be
> found. For example:
> ```
> ./rules.sh: line 3: iptables-save: command not found
> ./rules.sh: line 4: ip6tables-save: command not found
> ./rules.sh: line 6: iptables: command not found
> ./rules.sh: line 7: ip6tables: command not found
> ```
> - I don't think my PATH is my problem, since I really don't have (nor
> want) `iptables` installed
> - I can't lock myself out since I can always access the server
> directly without `ssh`. Thanks for the warning though
>
> Regarding tor-relays+tor-relays:
> - Interesting that anti-DDoS is now integrated!
> - The `iptables-nft` package does not exist on my machine since I run
> Debian
>
> Kind regards
> Top
>
> On 23/10/2024 04:49, tor-relays+tor-relays at queer.cat wrote:
>>
>>
>> On 22/10/24 14:24, Top wrote:
>>> Hi all,
>>>
>>>
>>> My tor relays[1] traffic decreased a lot and I think this *might* be
>>> connected to some kind of DDOS attack.
>>> So I wanted to use this situation to set up some DDOS protection.
>>> For that I stumbled upon Enkidu's tor DDOS mitigation script. [2]
>>
>> I believe that the mitigations found in the community-maintained
>> anti-DDoS scripts, such as limiting the number of open connections
>> from a single IP, are now integrated into tor itself.
>>
>>> However, this script is made for `iptables`, not `nftables`.
>>> I use `firewalld` with `nftables` on my system, since this seems to
>>> be the new default. [3]
>>> I don't really know that much about firewalls, so this situation
>>> overwhelms me a bit.
>>> In the README of Enkidu's rules it says:
>>>
>>> > Practically all linux systems come with iptables or more recently
>>> > with nftables which basically does the same and more. So you won't
>>> > need to install iptables. Just type iptables -V . If you see a
>>> > version, you have it. The same with ipset . An ipset -v will do the
>>> > job. In some rare cases you may not have ipset installed and
>>> > installing it is as simple as apt-get ipset or yum install ipset or...
>>
>> You may want to consider installing the iptables-nft package, which
>> offers a compatibility layer for iptables on Fedora/CentOS.
>>
>>>
>>> This seems to imply that the script should work fine with `nftables`
>>> as well.
>>> This is also what Enkidu seems to state in a relevant gitlab issue: [4]
>>>
>>> > nftables interprets all the iptables rules just fine so the
>>> > provided scripts will work regardless of which one you have.
>>>
>>> But it's not true!
>>> The script failed on my server, complaining that the `iptables`
>>> command couldn't be found (and no rules had been applied).
>>>
>>> So how can I apply proper DDOS protection firewall rules whilst
>>> using `nftables`?
>>> Is there some easy way to modify the script to make it work?
>>>
>>>
>>> Kind regards
>>> Top
>>>
>>>
>>> [1]: https://metrics.torproject.org/rs.html#search/toptor
>>> [2]: https://github.com/Enkidu-6/tor-ddos
>>> [3]: https://wiki.debian.org/nftables
>>> [4]: https://gitlab.torproject.org/tpo/community/support/-/issues/40093
>>> _______________________________________________
>>> tor-relays mailing list
>>> tor-relays at lists.torproject.org
>>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>>
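The failure described in this thread (a rules script that dies line by line with `command not found` and applies nothing) is the kind of thing a short preflight check catches up front. The script below is an added example for this thread, not code from the Enkidu-6/tor-ddos repository or from any poster. It assumes a POSIX sh and that `iptables -V` reports its backend in parentheses, e.g. `iptables v1.8.9 (nf_tables)` for the nftables-backed variant and `(legacy)` for the legacy one; the `update-alternatives` path it prints is the one Debian's `iptables` package registers.

```shell
#!/bin/sh
# Preflight check for iptables-based firewall scripts (added example for this
# thread; not part of the Enkidu-6/tor-ddos repository).
# Assumptions: POSIX sh; `iptables -V` prints its backend in parentheses, e.g.
# "iptables v1.8.9 (nf_tables)" for iptables-nft, "(legacy)" for iptables-legacy.

# Map an `iptables -V` line to the backend it reports: nft, legacy or unknown.
classify_iptables_version() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Succeed only if every named command is on PATH; list the missing ones on
# stderr otherwise. This turns a cascade of "command not found" lines into
# one clear message before any rule is attempted.
require_commands() {
    _missing=""
    for _cmd in "$@"; do
        command -v "$_cmd" >/dev/null 2>&1 || _missing="$_missing $_cmd"
    done
    if [ -n "$_missing" ]; then
        echo "missing commands:$_missing" >&2
        return 1
    fi
    return 0
}

# Report the backend actually installed on this host: none, nft, legacy, unknown.
detect_backend() {
    command -v iptables >/dev/null 2>&1 || { echo none; return 0; }
    classify_iptables_version "$(iptables -V 2>/dev/null)"
}

# Full preflight: the tool set the rules script needs, then the backend.
# Returns 0 only when the host is ready for an iptables-nft based rule set.
preflight() {
    require_commands iptables ip6tables iptables-save ip6tables-save ipset || return 1
    _backend=$(detect_backend)
    case "$_backend" in
        nft)
            echo "ok: iptables uses the nf_tables backend"
            return 0 ;;
        legacy)
            echo "iptables is the legacy backend; on Debian/Ubuntu switch with:" >&2
            echo "  update-alternatives --set iptables /usr/sbin/iptables-nft" >&2
            return 1 ;;
        *)
            echo "could not determine the iptables backend ($_backend)" >&2
            return 1 ;;
    esac
}

# Run the check only when invoked as `sh preflight.sh check`, so that sourcing
# this file from a rules script just defines the functions.
if [ "${1:-}" = check ]; then
    preflight
fi
```

Run it as `sh preflight.sh check` before any rules script; a non-zero exit means the host is not ready. On Debian there is no separate `iptables-nft` package: the `iptables` package ships both `iptables-nft` and `iptables-legacy` and selects between them with `update-alternatives`, which is why the `(nf_tables)` check above is the deciding one rather than the package name.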