[tor-relays] An attempt to block spam ip addresses

Issue 40636 and others deal with DDoS / concurrent connections. Here are
a few numbers from my attempt [1] over the last few days to block such IP
addresses. The stats are from 2 relays running at the same IP.

Currently there are 700 IP addresses (15 IPv6) caught in the denylist.
Those either opened >4 connections to the same ORPort and/or produced
>12 new connection attempts within 5 minutes to the ORPort.

Those systems do re-appear quickly if the denylist is flushed.

Within one hour over 500K packets, mainly TCP connection attempts, are

Furthermore, the number of sockets in use on the system is reduced from
>35K to about 21K.

Nevertheless both relays spew the warnings "Your computer is too slow"
and "General overload" from time to time. I do assume that this is a
layer 7 problem and therefore can't be fixed at layer 3.

The filter is built from iptables. Scripts for IPv4 and IPv6 can be
found under [2] and [3] respectively.

[1] reports that relays not obeying DoSConnectionMaxConcurrentCount (#40636) · Issues · The Tor Project / Core / Tor · GitLab
[2] torutils/ipv4-rules.sh at main · toralf/torutils · GitHub
[3] torutils/ipv6-rules.sh at main · toralf/torutils · GitHub
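Added example, not the author's scripts from [2] and [3]: the two thresholds stated in the post (>4 concurrent connections to the ORPort, >12 new connection attempts within 5 minutes) expressed as iptables rules feeding an ipset denylist. The ipset name, the denylist lifetime, the choice of the connlimit/recent/set modules and the ORPort number are assumptions, not taken from the post.

```shell
#!/bin/sh
# Added example, not toralf's ipv4-rules.sh: the two thresholds from the post
# (>4 concurrent connections, >12 new attempts in 5 minutes) as iptables rules.
# Assumed: ipset plus the connlimit, recent and set matches are available.
# With DRY_RUN=1 the commands are printed instead of executed.
SET_NAME="tor-ddos"        # assumed ipset name
BLOCK_SECONDS=1800         # assumed denylist lifetime; entries age out

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

tor_ddos_rules() {
  port="$1"
  run ipset create "$SET_NAME" hash:ip timeout "$BLOCK_SECONDS" -exist
  # 1. Drop every packet to the ORPort from an address already caught.
  run iptables -A INPUT -p tcp --dport "$port" \
    -m set --match-set "$SET_NAME" src -j DROP
  # 2. More than 4 concurrent connections from one /32: add the source to
  #    the set (SET is non-terminating, the final rule does the drop).
  run iptables -A INPUT -p tcp --dport "$port" --syn \
    -m connlimit --connlimit-above 4 --connlimit-mask 32 \
    -j SET --add-set "$SET_NAME" src
  # 3. More than 12 new attempts within 300 s: record every SYN, then
  #    check the per-source hit count (13 or more hits means >12).
  run iptables -A INPUT -p tcp --dport "$port" --syn \
    -m recent --name "$SET_NAME" --set
  run iptables -A INPUT -p tcp --dport "$port" --syn \
    -m recent --name "$SET_NAME" --rcheck --seconds 300 --hitcount 13 \
    -j SET --add-set "$SET_NAME" src
  # 4. Drop the SYN whose source was just added by rule 2 or 3.
  run iptables -A INPUT -p tcp --dport "$port" --syn \
    -m set --match-set "$SET_NAME" src -j DROP
}

# Invoke as "sh ipv4-ddos.sh <orport>"; the ORPort number is not in the post.
if [ $# -eq 1 ]; then
  tor_ddos_rules "$1"
fi
```

The recent module keeps at most 20 timestamps per address by default (ip_pkt_list_tot), so a hitcount above 20 would need the module parameter raised.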
