[Tor-BSD] new tor -alpha release and DOS attacks

teor teor2345 at gmail.com
Fri Dec 22 18:03:17 EST 2017

> On 23 Dec 2017, at 03:27, George Rosamond <george at ceetonetechnology.com> wrote:
> teor:
>>> On 22 Dec 2017, at 08:14, George Rosamond <george at ceetonetechnology.com> wrote:
>>> For anyone who's running any directory services, there has been heavy
>>> memory-consuming attacks going on since last week.
>> These attacks potentially affect all Tor relays.
> Yes.  I just noticed that it only hit my FreeBSD one, but not the OpenBSD
> ones. The OpenBSD ones are using the default pf.conf.
>>> We should discuss mitigation on the operating system level with
>>> host-based firewalling and sysctl knobs in a separate thread, but the new
>>> tor -alpha release is supposed to deal with the issue.
>> The new release mitigates the issue by consuming less RAM.
>> We also recommend the following Tor config mitigations:
>> * set MaxMemInQueues to the amount of free RAM available per tor
>>  instance, minus a few hundred megabytes for other data structures.
>> * give Tor as many file descriptors as you have available (again, minus
>>  those needed for other purposes).
> Yes.
>> ...
> I'm not yet sure if my overly hacked pf.conf is causing an issue now,
> but I'm wondering about two things that others might have insight about:
> 1. is there a timeout that can be set for Tor connections,

MaxOnionQueueDelay could keep your queues shorter.
But you probably want MaxMemInQueues for this.

> and also for
> Directory Connections?

I'm not sure, I don't think so.
And newer clients use the ORPort to fetch directory documents.

> 2. is there some formula to scale advertised bandwidth to number of
> states that should be allowed?

I don't understand the question.

Do you want to set MaxAdvertisedBandwidth on the relay?
What are the states for?

> It is really high time for assessing pf.conf rulesets and Tor.


Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
xmpp: teor at torproject dot org
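The MaxMemInQueues sizing rule quoted above (free RAM per instance, minus a few hundred megabytes) can be turned into a small helper that emits the torrc line for each relay instance. This is an added example, not code from the thread or from the Tor project; the function names, the MB units, and the 256 MB floor used as a sanity minimum are assumptions made here.

```shell
# Added example (not from the mailing-list post or the Tor project):
# derive a per-instance MaxMemInQueues value from free RAM and print a
# torrc fragment. Assumptions: FREE_MB is the RAM you are willing to give
# to all tor instances on the host, RESERVE_MB is the per-instance reserve
# for other data structures, and 256 MB is an assumed lower bound so that
# a mis-sized host never produces a zero or negative value.

# mem_in_queues_mb FREE_MB INSTANCES RESERVE_MB -> prints MB for one instance
mem_in_queues_mb() {
    free_mb=$1
    instances=$2
    reserve_mb=$3
    if [ "$instances" -lt 1 ]; then
        echo "instances must be >= 1" >&2
        return 1
    fi
    per=$(( free_mb / instances - reserve_mb ))
    # Floor at the assumed sanity minimum rather than emitting nonsense.
    if [ "$per" -lt 256 ]; then
        per=256
    fi
    echo "$per"
}

# torrc_fragment FREE_MB INSTANCES RESERVE_MB -> prints the torrc line to
# place in each instance's configuration file
torrc_fragment() {
    mb=$(mem_in_queues_mb "$1" "$2" "$3") || return 1
    printf 'MaxMemInQueues %s MB\n' "$mb"
}

# Example: 8 GB of free RAM shared by two tor instances, 512 MB reserve each.
torrc_fragment 8192 2 512
```

Run the fragment through each instance's torrc and restart tor; the file descriptor limit the thread also mentions is set outside torrc (login class limits on the BSDs, or the shell's ulimit), so it is not generated here.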
