@cozybeardev Unfortunately things are a lot trickier when it comes to exit relays. Almost all of that traffic is coming from other relays which basically means you’ll have to block a lot of relays using iptables.
@everyone else
For me, my iptables scripts are somehow working because my relays are not exit relays. All my relays have been running for the past 11 days without a crash. However this doesn’t mean the outbound traffic now equals the inbound traffic. The outbound speed is almost constantly about 7-10 mbs higher than the inbound. By the way, I personally never clear the block list. I let them clear by themselves.
Only one of my relays lost its HSDir flag and recovered after 4 days. I’m assuming the HSDir flag goes away if your relay is somehow considered unstable.
I’m certain this problem is caused by a vulnerability in Tor and can only be truly mitigated by patching it at the application layer. Tor is being asked to do something and it happily keeps crunching the numbers to no end and for attackers to succeed they don’t even need to establish multiple connections.
To test this, I limited each IP address to only one connection regardless of their status (Dual-Or, Multi-Or, Authorities or even snowflake). In other words, I removed all the allow lists and ran Tor with a single iptables rule:
I made the modification while Tor was running and starting from where the arrow is in the chart. As you can see from the chart below, I saw no significant change:
For my Guard node I’m restricting RelayBandwidthRate to 2 MBytes when I notice an attack spike.
After the attack stops (usually in ~6 hours), I’m removing this restriction.
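The temporary RelayBandwidthRate cap described in the post above, scripted so it can be applied and removed without hand-editing torrc. This is an added example, not code from any poster in this thread; the torrc and pid-file paths are assumed defaults, and the reload relies on Tor re-reading its configuration on SIGHUP (documented Tor behaviour).

```shell
#!/bin/sh
# Added example (not from the thread): toggle a temporary RelayBandwidthRate
# cap in torrc, as the poster above does by hand during an attack spike.
# Assumptions: TORRC and TOR_PIDFILE defaults are hypothetical; Tor re-reads
# torrc when it receives SIGHUP.

TORRC="${TORRC:-/etc/tor/torrc}"
TOR_PIDFILE="${TOR_PIDFILE:-/run/tor/tor.pid}"

# Remove any existing RelayBandwidthRate line, then append the cap.
# Idempotent: calling it twice leaves exactly one line.
cap_relay_rate() {
    rate="$1"          # e.g. "2 MBytes"
    file="$2"
    tmp="$(mktemp)"
    grep -v '^RelayBandwidthRate' "$file" > "$tmp" || true
    printf 'RelayBandwidthRate %s\n' "$rate" >> "$tmp"
    cat "$tmp" > "$file"   # overwrite in place, keeping file ownership/mode
    rm -f "$tmp"
}

# Drop the temporary cap once the spike is over.
uncap_relay_rate() {
    file="$1"
    tmp="$(mktemp)"
    grep -v '^RelayBandwidthRate' "$file" > "$tmp" || true
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Print the currently configured rate, or "unlimited" if no cap line exists.
current_relay_rate() {
    file="$1"
    line="$(grep '^RelayBandwidthRate' "$file" | tail -n 1)"
    if [ -z "$line" ]; then
        echo unlimited
    else
        echo "$line" | cut -d' ' -f2-
    fi
}

# Ask the running Tor daemon to re-read torrc (SIGHUP triggers a reload).
reload_tor() {
    if [ -r "$TOR_PIDFILE" ]; then
        kill -HUP "$(cat "$TOR_PIDFILE")"
    fi
}
```

Source the file and run `cap_relay_rate "2 MBytes" "$TORRC" && reload_tor` when the spike starts, and `uncap_relay_rate "$TORRC" && reload_tor` once it has passed; `current_relay_rate "$TORRC"` shows which state the relay is in.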