[Tor-BSD] new tor -alpha release and DOS attacks
teor
teor2345 at gmail.com
Fri Dec 22 18:03:17 EST 2017
> On 23 Dec 2017, at 03:27, George Rosamond <george at ceetonetechnology.com> wrote:
>
> teor:
>>
>>> On 22 Dec 2017, at 08:14, George Rosamond <george at ceetonetechnology.com> wrote:
>>>
>>> For anyone who's running any directory services, there has been heavy
>>> memory-consuming attacks going on since last week.
>>
>> These attacks potentially affect all Tor relays.
>>
>
> Yes. I just noticed that it only hit my FreeBSD one, but not the OpenBSD
> ones. The OpenBSD ones are using the default pf.conf.
>
>>> We should discuss mitigation on the operating system level with
>>> host-based firewalling and sysctl knobs in a separate thread, but the new
>>> tor -alpha release is supposed to deal with the issue.
>>
>> The new release mitigates the issue by consuming less RAM.
>>
>> We also recommend the following Tor config mitigations:
>> * set MaxMemInQueues to the amount of free RAM available per tor
>> instance, minus a few hundred megabytes for other data structures.
>> * give Tor as many file descriptors as you have available (again, minus
>> those needed for other purposes).
>
> Yes.
>
>> ...
>
> I'm not yet sure if my overly hacked pf.conf is causing an issue now,
> but I'm wondering about two things that others might have insight about:
>
> 1. is there a timeout that can be set for Tor connections,
MaxOnionQueueDelay could keep your queues shorter.
But you probably want MaxMemInQueues for this.
> and also for
> Directory Connections?
I'm not sure, I don't think so.
And newer clients use the ORPort to fetch directory documents.
> 2. is there some formula to scale advertised bandwidth to number of
> states that should be allowed?
I don't understand the question.
Do you want to set MaxAdvertisedBandwidth on the relay?
What are the states for?
> It is really high-time for assessing pf.conf rulesets and Tor.
T
--
Tim Wilson-Brown (teor)
teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
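An added example, not taken from teor's or George's mail nor from the Tor project: a torrc fragment applying the two config mitigations above. The host sizing is an assumption (an 8 GB FreeBSD relay running a single tor instance, with roughly 1.5 GB kept back for the OS, the pf state table and other daemons), as are the numeric values.

```torrc
## Added example torrc fragment. The numbers are assumptions for an 8 GB
## host running one tor instance; they are not values from the thread.

## Cap the memory Tor spends on cell and onion-skin queues at free RAM
## minus a reserve: 8 GB total, ~1.5 GB kept back for the OS, pf and other
## daemons, so 6 GB. With two instances on the same box use 3 GB each.
MaxMemInQueues 6 GB

## Optional: expire queued onion skins sooner than Tor's default so the
## onion queue cannot grow as deep (trade-off: more circuit failures under
## load). 1000 msec is an assumed value, not a recommendation.
MaxOnionQueueDelay 1000 msec

## Refuse to start unless the OS grants at least this many descriptors,
## so a too-low limit shows up in the log at startup rather than as
## connection failures while under attack. 8192 is an assumed target.
ConnLimit 8192
```

Tor raises its own soft open-files limit to the hard limit at startup, so ConnLimit only helps if the hard limit is high enough: on FreeBSD that is the `openfiles` cap of the login class the tor user runs under (`/etc/login.conf`, rebuilt with `cap_mkdb`), bounded by the `kern.maxfiles` and `kern.maxfilesperproc` sysctls; check it with `ulimit -Hn` in a shell running as that user. MaxMemInQueues bounds only Tor's queues, not the rest of the process footprint, which is why the reserve is subtracted first.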