Re: [tor-relays] DDOS alerts from my provider

I haven't read it yet, but there's a short paper at FOCI this year
analyzing a case study of a DDoS attack on relays operated by the
authors.

"A case study on DDoS attacks against Tor relays"
Tobias Höller, René Mairhofer
https://www.petsymposium.org/foci/2024/foci-2024-0014.php


On Mon, Jul 08, 2024 at 07:34:51PM +0200, Rafo (r4fo.com) via tor-relays wrote:

I have been running a relay for a few months now without any problems. But this
week I’ve received 2 DDoS alerts from my provider (Netcup), both are ~3
gigabits. They seem to be coming from other Tor relays.
I’m running an Invidious-like instance on my server (which uses around 600
megabits) but I have a 2.5 gigabit port. So I configured my Tor relay to use
300-400 megabits.
I’m not sure where that 3 gigabit of data comes from.
I have lowered my advertised bandwidth to 100 megabits, would that be enough to
prevent these kinds of issues?

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


> FOCI Proceedings — A case study on DDoS attacks against Tor relays

Very interesting, thanks.

After reading that paper I do wonder if a firewall rule would work which
drops network packets destined for the ORPort if those packets are shorter
than a given length?

The idea is not bad. But can you simply discard every ≤ 50-byte packet?

I drop fragments and uncommon TCP MSS values.
ip frag-off & 0x1fff != 0 counter drop
tcp flags syn tcp option maxseg size 1-536 counter drop

By the way, I actually wanted to write it as a GitHub issue.
You have to adjust your Dir-auth IPs in iptables.
The IP of dizum has changed and faravahar is back :wink:


On Wednesday, 10 July 2024 18:34:26 CEST Toralf Förster via tor-relays wrote:

--
╰_╯ Ciao Marco!

Debian GNU/Linux

It's free software and it gives you freedom!
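The two nftables rules quoted in the reply above (fragment drop and small-MSS drop), written out as a complete loadable ruleset; this is an added example, not a ruleset posted by anyone in the thread. It scopes the MSS check to the ORPort so the other services on the host stay untouched, adds the IPv6 counterpart of the fragment rule, and deliberately contains no blanket "drop every packet under N bytes" rule, because pure ACK, FIN and RST segments are only 40 to 52 bytes and every legitimate ORPort connection relies on them. ORPORT = 9001 and the file path in the usage note are assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread: fragment and small-MSS filters for a
# Tor relay, scoped to the ORPort where the transport header is available.
# ORPORT = 9001 is an assumed placeholder; replace it with your relay's ORPort.
define ORPORT = 9001

table inet tor_relay {
    chain input {
        type filter hook input priority filter; policy accept;

        # Non-first fragments carry no TCP header, so they cannot be matched on
        # the destination port. A relay never needs fragmented TCP, so drop
        # them for TCP as a whole; the anonymous counters show how often each
        # rule fires (nft list chain inet tor_relay input).
        # IPv4: fragment offset (low 13 bits of the frag-off field) non-zero.
        ip protocol tcp ip frag-off & 0x1fff != 0 counter drop
        # IPv6: a Fragment extension header is present.
        meta l4proto tcp exthdr frag exists counter drop

        # MSS values at or below 536 bytes are rare on today's links; a
        # handshake advertising one forces the relay to emit many tiny
        # segments per byte of payload. Only handshakes to the ORPort are
        # affected, so other services on the host keep their normal behaviour.
        tcp dport $ORPORT tcp flags syn tcp option maxseg size 1-536 counter drop

        # Intentionally absent: a length-based drop. Pure ACK, FIN and RST
        # segments are 40 to 52 bytes on the wire and every legitimate
        # connection to the ORPort depends on them.
    }
}
```

Load it with `nft -f /etc/nftables.d/tor-relay.nft` (path assumed) and watch the counters with `nft list chain inet tor_relay input` during the next alert to see whether either rule is actually matching the flood.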