New kind of attack?

Have you tried Artikel10 surgeprotector? GitHub - artikel10/surgeprotector: Block Tor Exit traffic to flooded IP addresses via ExitPolicy.

And/Or @Enkidu-6 and @toralf anti-ddos scripts? GitHub - Enkidu-6/tor-ddos: iptables rules for Tor relay operators to mitigate ddos

@cozybeardev Unfortunately things are a lot trickier when it comes to exit relays. Almost all of that traffic is coming from other relays which basically means you’ll have to block a lot of relays using iptables.

@everyone else

For me, my iptables scripts are somehow working because my relays are not exit relays. All my relays have been running for the past 11 days without a crash. However this doesn’t mean the outbound traffic now equals the inbound traffic. The outbound speed is almost constantly about 7-10 mbs higher than the inbound. By the way, I personally never clear the block list. I let them clear by themselves.

Only one of my relays lost its HSDir flag and recovered after 4 days. I’m assuming the HSDir flag goes away if your relay is somehow considered unstable.

I’m certain this problem is caused by a vulnerability in Tor and can only be truly mitigated by patching it at the application layer. Tor is being asked to do something and it happily keeps crunching the numbers to no end and for attackers to succeed they don’t even need to establish multiple connections.

To test this, I limited each IP address to only one connection regardless of its status (Dual-OR, Multi-OR, authorities or even Snowflake). In other words, I removed all the allow lists and ran Tor with a single iptables rule:

iptables -I INPUT -p tcp --destination my-ip-address --destination-port my-or-port -m connlimit --connlimit-mask 32 --connlimit-above 1 -j REJECT --reject-with tcp-reset

I made the modification while Tor was running and starting from where the arrow is in the chart. As you can see from the chart below, I saw no significant change:

In fact by allowing only one connection for multi-OR relays, Tor built new circuits with other relays and the inbound traffic increased.

And as you can see below, all cores are engaged at about 14-40%, processing whatever Tor is crunching.

I’m running Tor with NumCPUs 30 if you’re wondering, which does help a lot.
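To make the effect of that single rule concrete, here is a small simulation of the `connlimit` match it relies on (`--connlimit-mask 32 --connlimit-above 1`). This is an added example, not code from the post or from any of the linked projects; the addresses and connection attempts are constructed from RFC 5737 documentation ranges. It shows why a limit of one connection per /32 also turns away the second instance of an operator running several Tor daemons behind one IP, and how `--connlimit-mask` and `--connlimit-above` change what gets through.

```python
"""Simulation of iptables `-m connlimit --connlimit-mask MASK --connlimit-above N`
as applied to an ORPort. Added example with constructed input; it models the
counting rule only, not Tor's own behaviour after a connection is reset."""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_network


@dataclass
class ConnLimit:
    """connlimit counts connections already open from the same MASK-bit prefix
    plus the one being evaluated, and matches when that count exceeds N.
    With N=1 exactly one connection per prefix is allowed through."""

    mask: int = 32
    above: int = 1
    active: dict[IPv4Network, int] = field(default_factory=dict)

    def _prefix(self, src: str) -> IPv4Network:
        # --connlimit-mask groups sources by prefix; /32 means one address.
        return ip_network(f"{src}/{self.mask}", strict=False)

    def accept(self, src: str) -> bool:
        """Evaluate a new inbound connection from `src`; True if allowed."""
        key = self._prefix(src)
        count = self.active.get(key, 0) + 1  # include the connection being evaluated
        if count > self.above:
            return False  # -j REJECT --reject-with tcp-reset
        self.active[key] = count
        return True

    def close(self, src: str) -> None:
        """Peer disconnects or the conntrack entry expires."""
        key = self._prefix(src)
        if self.active.get(key, 0) > 0:
            self.active[key] -= 1


# Constructed sequence of inbound connection attempts to the ORPort.
ATTEMPTS = [
    ("203.0.113.10", "multi-OR operator, first relay"),
    ("203.0.113.10", "multi-OR operator, second relay on the same IP"),
    ("203.0.113.20", "different relay in the same /24"),
    ("198.51.100.7", "single-instance relay"),
] + [("192.0.2.55", "flood source, repeated connection attempts")] * 5


def simulate(attempts, mask: int = 32, above: int = 1) -> dict[str, tuple[int, int]]:
    """Run the attempts through one ConnLimit; return {src: (accepted, rejected)}."""
    limiter = ConnLimit(mask=mask, above=above)
    tally: dict[str, list[int]] = {}
    for src, _label in attempts:
        counts = tally.setdefault(src, [0, 0])
        counts[0 if limiter.accept(src) else 1] += 1
    return {src: (a, r) for src, (a, r) in tally.items()}


if __name__ == "__main__":
    for src, (acc, rej) in simulate(ATTEMPTS).items():
        print(f"{src:>14}: accepted={acc} rejected={rej}")
```

With the post's settings the flood source is held to one connection, but so is the multi-OR operator: its second relay is reset exactly like the fourth flood attempt. Widening the mask to /24 also rejects the unrelated relay in the same network, and raising `--connlimit-above` admits more of both kinds of traffic, which is the trade-off the rule forces.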

For my Guard node I’m restricting RelayBandwidthRate to 2 MBytes when I notice an attack spike.
After the attack stops (usually in ~6 hours), I remove this restriction.