So I'm thinking of putting the tor daemon behind some third party TCP proxy that will protect me from this kind of DDoS attack.

What do you think if I want to implement a feature that forwards all the onion service traffic to the TCP proxy before going to the Tor network?

The protocol I'm thinking of is TCP Proxy Protocol [1].


You could try the existing HTTPSProxy torrc option?

HTTPSProxy host[:port]

Tor will make all its OR (SSL) connections through this host:port (or host:443 if port is not specified), via HTTP CONNECT rather than connecting directly to servers. You may want to set FascistFirewall to restrict the set of ports you might try to connect to, if your HTTPS proxy only allows connecting to certain ports.


Tor also allows an intelligent firewall to filter circuits using a field in haproxy protocol format, see HiddenServiceExportCircuitID for details. But you probably won't need this advanced feature.


I feel that HTTPSProxy is too expensive. As far as I know, it needs to do (1) a TCP handshake, (2) a TLS handshake, and (3) HTTP CONNECT. If I can use haproxy, it would be just one TCP handshake.

Could I propose another option for haproxy?
I can do it myself. You just review and merge :)

Haxxpop
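For reference, the haproxy PROXY protocol header the thread is talking about is a single text line sent by the proxy before the first byte of the real connection. The following is an added example (not code from the thread, from Tor, or from HAProxy) that builds and parses a v1 header and shows the one check a receiver must do: only honour the header when it arrives from the proxy you configured, since the line is plain text and any other peer could send one. All addresses and the `client_origin` helper are constructed for the example.

```python
import ipaddress

MAX_V1_HEADER = 107  # longest legal v1 line including CRLF (two full IPv6 addrs, two 5-digit ports)

def build_proxy_v1(src_ip, dst_ip, src_port, dst_port):
    """Build the 'PROXY <family> <src> <dst> <sport> <dport>\\r\\n' line for a TCP connection."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination address families differ")
    for p in (src_port, dst_port):
        if not 0 <= p <= 65535:
            raise ValueError("port out of range")
    family = "TCP4" if src.version == 4 else "TCP6"
    return f"PROXY {family} {src} {dst} {src_port} {dst_port}\r\n".encode("ascii")

def parse_proxy_v1(data):
    """Split a v1 header off the front of a byte stream.

    Returns (info, remainder). info is None when the proxy declared UNKNOWN, which
    means no origin address is available and the caller must not trust one.
    Raises ValueError for anything that is not a well-formed v1 header.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)   # CRLF must end within 107 bytes
    if end < 0:
        raise ValueError("no CRLF within 107 bytes: not a v1 PROXY header")
    line, rest = data[:end], data[end + 2:]
    fields = line.split(b" ")
    if len(fields) < 2 or fields[0] != b"PROXY":
        raise ValueError("missing PROXY signature")
    if fields[1] == b"UNKNOWN":                   # spec allows anything after UNKNOWN up to CRLF
        return None, rest
    if len(fields) != 6:
        raise ValueError("wrong field count")
    family = fields[1].decode("ascii")
    if family not in ("TCP4", "TCP6"):
        raise ValueError(f"unsupported family {family!r}")
    src = ipaddress.ip_address(fields[2].decode("ascii"))
    dst = ipaddress.ip_address(fields[3].decode("ascii"))
    want = 4 if family == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match declared protocol")
    src_port, dst_port = int(fields[4]), int(fields[5])
    for p in (src_port, dst_port):
        if not 0 <= p <= 65535:
            raise ValueError("port out of range")
    return {"src": str(src), "dst": str(dst), "src_port": src_port, "dst_port": dst_port}, rest

def client_origin(data, peer_ip, trusted_proxies):
    """Hypothetical receiver-side wrapper: parse the header only if the TCP peer that
    sent it is one of our configured proxies; otherwise the addresses could be forged."""
    if peer_ip not in trusted_proxies:
        raise PermissionError(f"PROXY header from untrusted peer {peer_ip}")
    return parse_proxy_v1(data)
```

The `rest` value returned by `parse_proxy_v1` is the start of the real connection (for the thread's use case, the TLS ClientHello of the OR connection), so the receiver hands it straight to the next layer.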