[Tor-BSD] new tor -alpha release and DOS attacks

George Rosamond george at ceetonetechnology.com
Fri Dec 22 11:27:00 EST 2017

>> On 22 Dec 2017, at 08:14, George Rosamond <george at ceetonetechnology.com> wrote:
>> For anyone who's running any directory services, there has been heavy
>> memory-consuming attacks going on since last week.
> These attacks potentially affect all Tor relays.

Yes.  I just notice that it only hit my FreeBSD one, but not the OpenBSD
ones. The OpenBSD ones are using the default pf.conf.

>> We should discuss mitigation on the operating system level with
>> host-based firewalling and syctl knobs in a separate thread, but the new
>> tor -alpha release is supposed to deal with the issue.
> The new release mitigates the issue by consuming less RAM.
> We also recommend the following Tor config mitigations:
> * set MaxMemInQueues to the amount of free RAM available per tor
>   instance, minus a few hundred megabytes for other data structures.
> * give Tor as many file descriptors as you have available (again, minus
>   those needed for other purposes).


>> The FreeBSD security/tor-devel was updated zippy quick, and I'm running
>> it now on NYCBUG0.
> Thanks for the prompt response!

I'm not yet sure if my overly hacked pf.conf is causing an issue now,
but I'm wondering about two things that others might have insight about:

1. is there a timeout that can be set for Tor connections, and also for
Directory Connections?

2. is there some formula to scale advertised bandwidth to number of
states that should be allowed?

It is really high-time for assessing pf.conf rulesets and Tor.


More information about the Tor-BSD mailing list