Re: [tor-relays] DDOS alerts from my provider

Reducing the advertised bandwidth does not help. :wink: In general, one tor
instance will rarely reach 100 megabits.

There is little you can do on the server against targeted DDoS. But you can
stop IPs with a lot of connections to your tor daemon using dynamic exit
policy¹ or dyn. IP/nftables rules². For targeted help, you should specify the
type of relay you have and your OS.

¹GitHub - artikel10/surgeprotector: Block Tor Exit traffic to flooded IP addresses via ExitPolicy.

²Is Tor network resistant to TCP SYN flood DoS attacks from outside of Tor? - #4 by ImproveTor


On Monday, 8 July 2024 19:34:51 CEST Rafo (r4fo.com) via tor-relays wrote:

But this week I’ve received 2 DDoS alerts from my provider
(Netcup), both are ~3 gigabits. They seem to be coming from other Tor
relays.

I’m running an Invidious like instance on my server (which uses
around 600 megabits) but I have a 2.5 gigabit port. So I configured my Tor
relay to use 300-400 megabits.

I’m not sure where that 3 gigabit of data comes from.

I have lowered my advertised bandwidth to 100 megabits, would
that be enough to prevent these kind of issues?

Kind regards,
Rafo

--
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!


Here again are the GitHubs of toralf & Enkidu from the above-mentioned forum link. They have iptables:

I just do it with nftables.

Be sure to adjust the SSH IP sets, otherwise you will log out!
I have all Dyn-IP subnets from the providers from which I connect via SSH.
You can search for example on: https://bgp.tools/ or https://bgpview.io

Apart from SSH, only Tor is running and I don't have a 'table inet filter'.
If you need them, they are also on my GitHub.


On Tuesday, 9 July 2024 14:04:49 CEST Rafo (r4fo.com) via tor-relays wrote:

More specifically, I’m running a middle relay on Debian 12

--
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!

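The dynamic per-IP blocking discussed in this thread, as an added example that is not code from the posters or the linked repositories: a Python script that counts established inbound connections to the relay's ORPort per source from `ss` output and renders `nft add element` commands for the sources over a limit, skipping the subnets used for SSH administration. The ORPort 9001, the limit of 8, the table and set names, the allowlisted subnet and the sample data are all assumptions or constructed values.

```python
import ipaddress
from collections import Counter

OR_PORT = 9001      # assumption: this relay's ORPort
MAX_CONNS = 8       # assumption: per-source limit, tune it for your relay
# Constructed: subnets you administer the server from; never blocked.
SSH_ALLOW = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample of `ss -Htn state established` output
# (columns: Recv-Q Send-Q Local:Port Peer:Port).
SAMPLE_SS = "\n".join(
    [f"0 0 203.0.113.10:9001 192.0.2.7:{40000 + i}" for i in range(12)]
    + [f"0 0 203.0.113.10:9001 198.51.100.20:{50000 + i}" for i in range(10)]
    + [f"0 0 [2001:db8::10]:9001 [2001:db8::66]:{42000 + i}" for i in range(9)]
    + ["0 0 203.0.113.10:9001 192.0.2.99:41000",
       "0 0 203.0.113.10:22 198.51.100.20:51515"]
)

def split_hostport(field):
    """Split 'addr:port' or '[v6addr]:port' as printed by ss."""
    host, port = field.rsplit(":", 1)
    return ipaddress.ip_address(host.strip("[]")), int(port)

def count_sources(ss_output, or_port=OR_PORT):
    """Count established inbound connections to the ORPort per peer address."""
    counts = Counter()
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4:
            continue
        _, local_port = split_hostport(cols[2])
        peer, _ = split_hostport(cols[3])
        if local_port == or_port:
            counts[peer] += 1
    return counts

def offenders(counts, max_conns=MAX_CONNS, allow=SSH_ALLOW):
    """Peers over the limit, minus anything inside the admin allowlist."""
    hits = [ip for ip, n in counts.items()
            if n > max_conns and not any(ip in net for net in allow)]
    return sorted(hits, key=lambda ip: (ip.version, int(ip)))

def nft_commands(ips, table="inet relay_guard", timeout="30m"):
    """Render commands for hypothetical sets tor_flood4/tor_flood6 (flags timeout)."""
    return [f"nft add element {table} tor_flood{ip.version} "
            f"{{ {ip} timeout {timeout} }}" for ip in ips]

if __name__ == "__main__":
    print("\n".join(nft_commands(offenders(count_sources(SAMPLE_SS)))))
```

The script only prints the commands; review the list before applying it, since other relays legitimately open connections to a middle relay.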