Middle node synflood ddos on port 9001


My middle node which has port 9001 exposed is being hammered with a DDOS synflood attack for the last few days. I have been running that node for years without any problems.

I have turned off my node to keep my other machines available on the internet as my firewall eventually collapses. My ISP said to create a whitelist in iptables on the tor node and drop all the other connections to the tor node.

Is there anyway to get a list of valid tor ip addresses? Or is there any other way I can mitigate the attack? Is it necessary to have 9001 exposed? Is is possible to change the port number?



You can get IP addresses for relays from this link:
But: 1. Iā€™m not sure if other addresses needs to be whitelisted. 2. Eventually, old relays go offline, new relays are added, so such list needs to be updated from time to time. However, attack may stop earlier that you will need to do such update.

1 Like

You may use Stem library to acquire a list of relay IP addresses ( https://stem.torproject.org/ ):

from stem.control import Controller

ip_list = []
with Controller.from_port(port = 9051) as ctrl:
  ip_list = [desc.address for desc in ctrl.get_server_descriptors()]
1 Like

Thanks. That a good start.

1 Like

Thank you.

1 Like