Opened 11 months ago

Last modified 4 months ago

#19740 needs_information defect

(new ?) efficient attack against an exit relay

Reported by: toralf
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version: Tor:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


Today I was faced with a DDoS attack which looks different from all the ones I observed in former times.

Former attacks show a characteristic where the malicious IN traffic was just on top of the usual network load (as seen in
The attack today looks as if the IN traffic supersedes the usual network load completely (

The system is a stable hardened Gentoo Linux with latest kernel.

Change History (3)

comment:1 Changed 11 months ago by toralf

  • Summary changed from (new ?) efficient atatcka gainst an exit relay to (new ?) efficient attack against an exit relay

comment:2 Changed 11 months ago by toralf

B/c an iptables counter rule showed over 145 million connections to port 80, I added 2 rules to iptables:

  # Tor
  # limit max. number of parallel connections (connlimit counts concurrent connections,
  # not a per-second rate; with no --connlimit-mask the count is per source address)
  $IPT -A INPUT -p tcp --destination-port 80 --syn --match connlimit --connlimit-above 1000 -j DROP
  # limit max. number per IP address
  $IPT -A INPUT -p tcp --destination-port 80 --syn --match connlimit --connlimit-above 2 --connlimit-mask 32 -j DROP

Last edited 11 months ago by toralf
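
An added example, not part of the ticket or of Tor's code: a simplified Python model of how the connlimit match counts parallel connections for the two rules in comment:2. connlimit groups connections by source address block and uses the full prefix length (/32 for IPv4) when --connlimit-mask is omitted; the `--connlimit-mask 0` variant, the constructed traffic, and the assumption that no connection closes during the run are assumptions of this example.

```python
import ipaddress
from collections import Counter

# Each rule is (connlimit-above, connlimit-mask); first matching rule DROPs the SYN.
AS_POSTED = [(1000, 32), (2, 32)]   # rule 1 has no mask, so IPv4 defaults to /32
GLOBAL_CAP = [(1000, 0), (2, 32)]   # assumption: rule 1 with --connlimit-mask 0

# Constructed traffic: source address of each SYN to port 80, in arrival order.
SINGLE_SOURCE = [ipaddress.IPv4Address("198.51.100.7")] * 1500
MANY_SOURCES = [ipaddress.IPv4Address("10.0.0.0") + i for i in range(3000)]

def group(src, mask):
    """Key an IPv4 source the way --connlimit-mask groups hosts."""
    return int(src) >> (32 - mask)

def simulate(rules, syns):
    """Return (accepted connections, SYNs dropped by each rule).

    Simplified model: accepted connections stay open, dropped SYNs are
    not counted, and a SYN matches a rule when it would push its group's
    connection count above the rule's limit.
    """
    counts = [Counter() for _ in rules]
    drops = [0] * len(rules)
    accepted = 0
    for src in syns:
        keys = [group(src, mask) for _, mask in rules]
        for i, (limit, _) in enumerate(rules):
            if counts[i][keys[i]] + 1 > limit:
                drops[i] += 1
                break
        else:
            accepted += 1
            for i, key in enumerate(keys):
                counts[i][key] += 1
    return accepted, drops

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("mask 0 on rule 1", GLOBAL_CAP)):
        for label, syns in (("one source", SINGLE_SOURCE), ("many sources", MANY_SOURCES)):
            print(f"{name:17} {label:13}", simulate(rules, syns))
```

In this model the first rule as posted never matches, because the per-address limit of 2 is reached long before 1000; only with a /0 mask does it act as a cap on the total number of parallel connections.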

comment:3 Changed 4 months ago by nickm

  • Milestone set to Tor: unspecified
  • Status changed from new to needs_information