[Tor-BSD] new tor -alpha release and DOS attacks
George Rosamond
george at ceetonetechnology.com
Fri Dec 22 18:10:00 EST 2017
teor:
>
>> On 23 Dec 2017, at 03:27, George Rosamond <george at ceetonetechnology.com> wrote:
>>
>> teor:
>>>
>>>> On 22 Dec 2017, at 08:14, George Rosamond <george at ceetonetechnology.com> wrote:
>>>>
>>>> For anyone who's running any directory services, there has been heavy
>>>> memory-consuming attacks going on since last week.
>>>
>>> These attacks potentially affect all Tor relays.
>>>
>>
>> Yes. I just noticed that it only hit my FreeBSD one, but not the OpenBSD
>> ones. The OpenBSD ones are using the default pf.conf.
>>
>>>> We should discuss mitigation on the operating system level with
>>>> host-based firewalling and sysctl knobs in a separate thread, but the new
>>>> tor -alpha release is supposed to deal with the issue.
>>>
>>> The new release mitigates the issue by consuming less RAM.
>>>
>>> We also recommend the following Tor config mitigations:
>>> * set MaxMemInQueues to the amount of free RAM available per tor
>>> instance, minus a few hundred megabytes for other data structures.
>>> * give Tor as many file descriptors as you have available (again, minus
>>> those needed for other purposes).
>>
>> Yes.
>>
>>> ...
>>
>> I'm not yet sure if my overly hacked pf.conf is causing an issue now,
>> but I'm wondering about two things that others might have insight about:
>>
>> 1. is there a timeout that can be set for Tor connections,
>
> MaxOnionQueueDelay could keep your queues shorter.
> But you probably want MaxMemInQueues for this.
I'm thinking specifically with pf using the "set limit" options.
>
>> and also for
>> Directory Connections?
>
> I'm not sure, I don't think so.
> And newer clients use the ORPort to fetch directory documents.
>
>> 2. is there some formula to scale advertised bandwidth to number of
>> states that should be allowed?
>
> I don't understand the question.
>
> Do you want to set MaxAdvertisedBandwidth on the relay?
> What are the states for?
>
How many TCP states should be allowed for Tor connections, and whether there's a
rough equation to calculate how many to allow based on torrc bandwidth settings.
These questions are specifically about creating pf rulesets for Tor.
The torrc input is good and useful, but I'm talking about pf here.
g
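The pf knobs George is asking about, as an added illustration that is not part of the thread and not a ruleset anyone in it posted. It shows the two kinds of limit pf offers for this: a global ceiling on the state table ("set limit"), and per-source connection limits on the relay's listening ports with an overload table. The interface name, port numbers and every numeric value are placeholders to be sized for the relay; the thread does not supply a formula for deriving the state limit from the advertised bandwidth, and this example does not invent one.

```conf
# pf.conf fragment for a Tor relay (example only; values are placeholders)
ext_if   = "em0"      # assumed external interface
or_port  = "9001"     # assumed ORPort from torrc
dir_port = "9030"     # assumed DirPort from torrc

# 1. Global ceiling on the state table and source-tracking nodes.
#    Raise these above the default so legitimate relay-to-relay traffic
#    is not starved, but keep them within what the host's memory allows.
set limit { states 100000, src-nodes 50000 }

# 2. Shorter TCP timeouts so stale or half-open states are reclaimed
#    faster than the defaults (seconds).
set timeout { tcp.first 30, tcp.opening 20, tcp.established 3600 }
set timeout { tcp.closing 60, tcp.finwait 30, tcp.closed 15 }

# 3. Addresses that exceed the per-source limits land here and are blocked.
table <tor_abusers> persist
block in quick on $ext_if from <tor_abusers>

# 4. Per-source limits on the Tor listeners:
#    max-src-conn       - concurrent established connections per source IP
#    max-src-conn-rate  - new connections per source IP per time window (20 in 10 s)
#    overload ... flush global - on violation, add the source to the table
#                              and drop all of its existing states
pass in on $ext_if inet proto tcp to ($ext_if) port { $or_port, $dir_port } \
    flags S/SA keep state \
    (max-src-conn 50, max-src-conn-rate 20/10, overload <tor_abusers> flush global)
```

Two caveats before copying this onto a relay. The per-source limits count by IP address, so several Tor instances run from one address, or many clients behind one NAT, share one budget; set them loosely enough that normal relay peers never trip them. Check the rules with `pfctl -nf /etc/pf.conf` before loading, watch `pfctl -si` and `pfctl -t tor_abusers -T show` after, and keep MaxMemInQueues set in torrc as teor recommends, since pf limits protect the kernel's state table while MaxMemInQueues protects the tor process itself.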