[tor-relays] Tor DDoS Mitigation iptables scripts update. Version 4.0.1

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

On 12/1/2022 11:57 AM, Anders Trier Olesen wrote:

Hi Chris

We run all the 12 dotsrc relays on a single host with many IP
addresses. Would we need to change anything?

Btw, you can make the scripts find the all the OR ports by running
something like ‘ss -pl | grep tor’.

- Anders

tor. 1. dec. 2022 kl. 09.02 skrev Chris <tor@wcbsecurity.com
<mailto:tor@wcbsecurity.com>>:

    Background:

    A set of bash scripts used to apply iptables rules to fight the
    current
    DDoS attacks. They require no dependencies to install except
    iptable/nftables which all Linux flavors already have and require no
    particular expertise. The issue was discussed here:

    [issue
    40093](Provide a recommended set of iptables/nftables rules to help in case of DoS attacks (#40093) · Issues · The Tor Project / Community / Support · GitLab)

    Change log:

    Some modifications due to a change in the nature of the attacks.

    - Re ordered rules for more efficiency and reducing the load
    - Removed the hashlimit rule as it puts more load on the system
    with not
    much overall benefit as the attackers have adapted to it and it
    reduces
    the size of the block list.
    - Reduce the number of allowed concurrent connections to 2 if
    you're not
    a relay.
    - Use of remove.sh cron script at regular intervals (optional)
    will give
    relays a chance to create up to 4 connections if they need to.
    ******- Created a new cron file **refresh-authorities.sh** to refresh
    your allow-list with the most up to date IP addresses for the
    authorities and snowflake. Should be run daily.
    - Removed an unnecessary line in the update files.
    - Modified Readme.MD file to reflect new changes.

    The new modifications have been tested for two weeks now and the
    systems
    are running smoothly with no ill effect.

    You can read more and download here:

    [Enkidu-6 tor-ddos on Github](GitHub - Enkidu-6/tor-ddos: iptables rules for Tor relay operators to mitigate ddos)

    To avoid occasional NTor drops a minimum NumCPUs 16 in torrc is
    recommended.

    P.S.
    The NumCPUs option is unfortunately poorly documented. It really has
    nothing to do with the number of CPUs you have. It's about the
    number of
    worker threads Tor will create to deal with decryption of
    onionskins. So
    you can have two CPUs and still set NumCPUs to 16.

    _______________________________________________
    tor-relays mailing list
    tor-relays@lists.torproject.org
    <mailto:tor-relays@lists.torproject.org>
    tor-relays Info Page

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

On Thu, Dec 1, 2022 at 6:42 PM Chris <tor@wcbsecurity.com> wrote:

Hi Andres,

Not at all. That’s how I’m running my own relays. Just run the
combined.sh on each individual VM and you’ll be fine.

As for the ORPort, yes, I agree. There are ways to read the torrc file
and set the ORPort automatically. I will incorporate that into the
scripts in future versions. My original intention was to put something
simple together with minimum complexity that anyone with little or no
expertise can understand and modify if necessary without breaking the code.

I’ve also set up a Discussion
Board for the
repository on github in case you have any questions, suggestions or
simply need further help.

On 12/1/2022 11:57 AM, Anders Trier Olesen wrote:

Hi Chris

We run all the 12 dotsrc relays on a single host with many IP
addresses. Would we need to change anything?

Btw, you can make the scripts find the all the OR ports by running
something like ‘ss -pl | grep tor’.

• Anders

tor. 1. dec. 2022 kl. 09.02 skrev Chris <tor@wcbsecurity.com
mailto:[tor@wcbsecurity.com](mailto:tor@wcbsecurity.com)>:

Background:

A set of bash scripts used to apply iptables rules to fight the
current
DDoS attacks. They require no dependencies to install except
iptable/nftables which all Linux flavors already have and require no
particular expertise. The issue was discussed here:

issue
40093

Change log:

Some modifications due to a change in the nature of the attacks.

• Re ordered rules for more efficiency and reducing the load
• Removed the hashlimit rule as it puts more load on the system
  with not
  much overall benefit as the attackers have adapted to it and it
  reduces
  the size of the block list.
• Reduce the number of allowed concurrent connections to 2 if
  you’re not
  a relay.
• Use of remove.sh cron script at regular intervals (optional)
  will give
  relays a chance to create up to 4 connections if they need to.
  ******- Created a new cron file refresh-authorities.sh to refresh
  your allow-list with the most up to date IP addresses for the
  authorities and snowflake. Should be run daily.
• Removed an unnecessary line in the update files.
• Modified Readme.MD file to reflect new changes.

The new modifications have been tested for two weeks now and the
systems
are running smoothly with no ill effect.

You can read more and download here:

Enkidu-6 tor-ddos on Github

To avoid occasional NTor drops a minimum NumCPUs 16 in torrc is
recommended.

P.S.
The NumCPUs option is unfortunately poorly documented. It really has
nothing to do with the number of CPUs you have. It’s about the
number of
worker threads Tor will create to deal with decryption of
onionskins. So
you can have two CPUs and still set NumCPUs to 16.

---

tor-relays mailing list
tor-relays@lists.torproject.org
mailto:[tor-relays@lists.torproject.org](mailto:tor-relays@lists.torproject.org)
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

On 12/3/2022 6:29 AM, Anders Trier Olesen wrote:

Hi Chris

> Not at all. That's how I'm running my own relays. Just run the
> **combined.sh** on each individual VM and you'll be fine.

We do not run VMs. We run 12 Tor instances on a single host, and use
ORPort + OutboundBindAddress to separate them. I.e:
root@tor-exit:/etc/tor/instances# grep 'OutboundBindAddress\|ORPort'
*/torrc
dotsrcExit1/torrc:ORPort 185.129.61.1:443 <http://185.129.61.1:443>
dotsrcExit1/torrc:ORPort [2001:67c:89c:702:1ce:1ce:babe:1]:443
dotsrcExit1/torrc:OutboundBindAddress 185.129.61.1
dotsrcExit1/torrc:OutboundBindAddress [2001:67c:89c:702:1ce:1ce:babe:1]
dotsrcExit10/torrc:ORPort 185.129.61.10:443 <http://185.129.61.10:443>
dotsrcExit10/torrc:ORPort [2001:67c:89c:702:1ce:1ce:babe:10]:443
dotsrcExit10/torrc:OutboundBindAddress 185.129.61.10
dotsrcExit10/torrc:OutboundBindAddress [2001:67c:89c:702:1ce:1ce:babe:10]
dotsrcExit2/torrc:ORPort 185.129.61.2:443 <http://185.129.61.2:443>
dotsrcExit2/torrc:ORPort [2001:67c:89c:702:1ce:1ce:babe:2]:443
dotsrcExit2/torrc:OutboundBindAddress 185.129.61.2
dotsrcExit2/torrc:OutboundBindAddress [2001:67c:89c:702:1ce:1ce:babe:2]
dotsrcExit3/torrc:ORPort 185.129.61.3:443 <http://185.129.61.3:443>
dotsrcExit3/torrc:ORPort [2001:67c:89c:702:1ce:1ce:babe:3]:443
dotsrcExit3/torrc:OutboundBindAddress 185.129.61.3
dotsrcExit3/torrc:OutboundBindAddress [2001:67c:89c:702:1ce:1ce:babe:3]
dotsrcExit4/torrc:ORPort 185.129.61.4:443 <http://185.129.61.4:443>
dotsrcExit4/torrc:ORPort [2001:67c:89c:702:1ce:1ce:babe:4]:443
dotsrcExit4/torrc:OutboundBindAddress 185.129.61.4
dotsrcExit4/torrc:OutboundBindAddress [2001:67c:89c:702:1ce:1ce:babe:4]
dotsrcExit5/torrc:ORPort 185.129.61.5:443 <http://185.129.61.5:443>
dotsrcExit5/torrc:ORPort [2001:67c:89c:702:1ce:1ce:babe:5]:443
dotsrcExit5/torrc:OutboundBindAddress 185.129.61.5
dotsrcExit5/torrc:OutboundBindAddress [2001:67c:89c:702:1ce:1ce:babe:5]
dotsrcExit6/torrc:ORPort 185.129.61.6:443 <http://185.129.61.6:443>
dotsrcExit6/torrc:ORPort [2001:67c:89c:702:1ce:1ce:babe:6]:443
dotsrcExit6/torrc:OutboundBindAddress 185.129.61.6
dotsrcExit6/torrc:OutboundBindAddress [2001:67c:89c:702:1ce:1ce:babe:6]
dotsrcExit7/torrc:ORPort 185.129.61.7:443 <http://185.129.61.7:443>
dotsrcExit7/torrc:ORPort [2001:67c:89c:702:1ce:1ce:babe:7]:443
dotsrcExit7/torrc:OutboundBindAddress 185.129.61.7
dotsrcExit7/torrc:OutboundBindAddress [2001:67c:89c:702:1ce:1ce:babe:7]
dotsrcExit8/torrc:ORPort 185.129.61.8:443 <http://185.129.61.8:443>
dotsrcExit8/torrc:ORPort [2001:67c:89c:702:1ce:1ce:babe:8]:443
dotsrcExit8/torrc:OutboundBindAddress 185.129.61.8
dotsrcExit8/torrc:OutboundBindAddress [2001:67c:89c:702:1ce:1ce:babe:8]
dotsrcExit9/torrc:ORPort 185.129.61.9:443 <http://185.129.61.9:443>
dotsrcExit9/torrc:ORPort [2001:67c:89c:702:1ce:1ce:babe:9]:443
dotsrcExit9/torrc:OutboundBindAddress 185.129.61.9
dotsrcExit9/torrc:OutboundBindAddress [2001:67c:89c:702:1ce:1ce:babe:9]
dotsrcRelay1/torrc:ORPort 130.225.244.90:443 <http://130.225.244.90:443>
dotsrcRelay1/torrc:ORPort [2001:878:346:1cf9:446a:c4eb:4548:7061]:443
dotsrcRelay1/torrc:OutboundBindAddress 130.225.244.90
dotsrcRelay1/torrc:OutboundBindAddress
[2001:878:346:1cf9:446a:c4eb:4548:7061]
dotsrcRelay2/torrc:ORPort 130.225.244.90:9001 <http://130.225.244.90:9001>
dotsrcRelay2/torrc:ORPort [2001:878:346:1cf9:446a:c4eb:4548:7062]:9001
dotsrcRelay2/torrc:OutboundBindAddress 130.225.244.90
dotsrcRelay2/torrc:OutboundBindAddress
[2001:878:346:1cf9:446a:c4eb:4548:7062]

root@tor-exit:~# ip -br a
lo UNKNOWN 127.0.0.1/8 <http://127.0.0.1/8&gt; ::1/128
eth0@if11 UP 130.225.244.90/30
<http://130.225.244.90/30&gt; 130.225.254.114/27
<http://130.225.254.114/27&gt; 185.129.61.1/24 <http://185.129.61.1/24&gt;
185.129.61.2/24 <http://185.129.61.2/24&gt; 185.129.61.3/24
<http://185.129.61.3/24&gt; 185.129.61.4/24 <http://185.129.61.4/24&gt;
185.129.61.5/24 <http://185.129.61.5/24&gt; 185.129.61.6/24
<http://185.129.61.6/24&gt; 185.129.61.7/24 <http://185.129.61.7/24&gt;
185.129.61.8/24 <http://185.129.61.8/24&gt; 185.129.61.9/24
<http://185.129.61.9/24&gt; 185.129.61.10/24 <http://185.129.61.10/24&gt;
2001:67c:89c:702:1ce:1ce:babe:10/48 2001:67c:89c:702:1ce:1ce:babe:9/48
2001:67c:89c:702:1ce:1ce:babe:8/48 2001:67c:89c:702:1ce:1ce:babe:7/48
2001:67c:89c:702:1ce:1ce:babe:6/48 2001:67c:89c:702:1ce:1ce:babe:5/48
2001:67c:89c:702:1ce:1ce:babe:4/48 2001:67c:89c:702:1ce:1ce:babe:3/48
2001:67c:89c:702:1ce:1ce:babe:2/48 2001:67c:89c:702:1ce:1ce:babe:1/48
2001:878:346::114/48 2001:878:346:1cf9:446a:c4eb:4548:7062/48
2001:878:346:1cf9:446a:c4eb:4548:7061/48 fe80::216:3eff:fed5:6809/64

root@tor-exit:~# ss -s
Total: 139982
TCP: 148318 (estab 128481, closed 8757, orphaned 527, timewait 8744)

Transport Total IP IPv6
RAW 1 0 1
UDP 247 193 54
TCP 139561 125849 13712
INET 139809 126042 13767
FRAG 0 0 0

It would be really nice if you could update the scripts to support
this kind of setup! And maybe also consider using plain nftables
instead of relying on the legacy iptables compatibility layer

Best regards
Anders

On Thu, Dec 1, 2022 at 6:42 PM Chris <tor@wcbsecurity.com > <mailto:tor@wcbsecurity.com>> wrote:

    Hi Andres,

    Not at all. That's how I'm running my own relays. Just run the
    **combined.sh** on each individual VM and you'll be fine.

    As for the ORPort, yes, I agree. There are ways to read the torrc file
    and set the ORPort automatically. I will incorporate that into the
    scripts in future versions. My original intention was to put something
    simple together with minimum complexity that anyone with little or no
    expertise can understand and modify if necessary without breaking
    the code.

    I've also set up a [Discussion
    Board](Discussions · Enkidu-6/tor-ddos · GitHub) for the
    repository on github in case you have any questions, suggestions or
    simply need further help.

    On 12/1/2022 11:57 AM, Anders Trier Olesen wrote:
    > Hi Chris
    >
    > We run all the 12 dotsrc relays on a single host with many IP
    > addresses. Would we need to change anything?
    >
    > Btw, you can make the scripts find the all the OR ports by running
    > something like ‘ss -pl | grep tor’.
    >
    > - Anders
    >
    > tor. 1. dec. 2022 kl. 09.02 skrev Chris <tor@wcbsecurity.com
    <mailto:tor@wcbsecurity.com>
    > <mailto:tor@wcbsecurity.com>>:
    >
    > Background:
    >
    > A set of bash scripts used to apply iptables rules to fight the
    > current
    > DDoS attacks. They require no dependencies to install except
    > iptable/nftables which all Linux flavors already have and
    require no
    > particular expertise. The issue was discussed here:
    >
    > [issue
    >
     40093](Provide a recommended set of iptables/nftables rules to help in case of DoS attacks (#40093) · Issues · The Tor Project / Community / Support · GitLab)
    >
    > Change log:
    >
    > Some modifications due to a change in the nature of the attacks.
    >
    > - Re ordered rules for more efficiency and reducing the load
    > - Removed the hashlimit rule as it puts more load on the system
    > with not
    > much overall benefit as the attackers have adapted to it and it
    > reduces
    > the size of the block list.
    > - Reduce the number of allowed concurrent connections to 2 if
    > you're not
    > a relay.
    > - Use of remove.sh cron script at regular intervals (optional)
    > will give
    > relays a chance to create up to 4 connections if they need to.
    > ******- Created a new cron file **refresh-authorities.sh**
    to refresh
    > your allow-list with the most up to date IP addresses for the
    > authorities and snowflake. Should be run daily.
    > - Removed an unnecessary line in the update files.
    > - Modified Readme.MD file to reflect new changes.
    >
    > The new modifications have been tested for two weeks now and the
    > systems
    > are running smoothly with no ill effect.
    >
    > You can read more and download here:
    >
    > [Enkidu-6 tor-ddos on
    Github](GitHub - Enkidu-6/tor-ddos: iptables rules for Tor relay operators to mitigate ddos)
    >
    > To avoid occasional NTor drops a minimum NumCPUs 16 in torrc is
    > recommended.
    >
    > P.S.
    > The NumCPUs option is unfortunately poorly documented. It
    really has
    > nothing to do with the number of CPUs you have. It's about the
    > number of
    > worker threads Tor will create to deal with decryption of
    > onionskins. So
    > you can have two CPUs and still set NumCPUs to 16.
    >
    >
    > _______________________________________________
    > tor-relays mailing list
    > tor-relays@lists.torproject.org
    <mailto:tor-relays@lists.torproject.org>
    > <mailto:tor-relays@lists.torproject.org
    <mailto:tor-relays@lists.torproject.org>>
    > tor-relays Info Page
    >

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays