Forwarding to mailing list since OP has replied to my e-mail address, and not the list.
---------- Forwarded message ---------- From: William Kane ttallink@googlemail.com Date: Mon, 23 Nov 2020 16:07:39 +0000 Subject: Re: Re: [tor-relays] Bridges under DDoS To: BRBfGWMz brbfgwmz@concealed.company
Dear BRBfGWMz, you can use this script I made a while ago - please read the entire message carefully or you risk locking yourself out of the system.
Here you go:
#!/bin/bash
IPTABLES="/usr/sbin/iptables"
# Flush all old rules and tables.
$IPTABLES -F $IPTABLES -X $IPTABLES -t nat -F $IPTABLES -t nat -X
# Establish default policies.
$IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP $IPTABLES -P OUTPUT ACCEPT
# Unconditionally allow local traffic.
$IPTABLES -A INPUT -i lo -j ACCEPT
# Allow already established connections.
$IPTABLES -A INPUT -i <NETWORK_INTERFACE> -m state --state ESTABLISHED -j ACCEPT
# Allow Tor ORPort traffic.
$IPTABLES -A INPUT -i <NETWORK_INTERFACE> -p tcp --dport <YOUR_ORPORT> -j ACCEPT
Note that this is for a normal Tor relay, not a bridge - for a bridge, just opening the inbound obfs4proxy port is enough, though.
You will have to make adjustments, namely specifying the name of your public network interface ("ip addr" or "ifconfig", either one will work on modern distributions). Make sure to also open the port sshd, your SSH daemon, bound to or you will be locked out from the system after executing the script (!).
If you are on Arch Linux, you can save the script to /etc/iptables/iptables.rules (execute the script and then run "iptables-save > /etc/iptables/iptables.rules", after that the only thing left to do is to enable the according systemd service unit to automatically load the rules on boot ("systemctl enable iptables").
If on Debian, you can specify a script to run as soon as your public network interface reaches the "up" state, directly in your network configuration.
Note that this will just drop unknown incoming connections (ICMP traffic as well, so you won't be able to ping your server anymore), usually the best measure, you could also configure it to reject unknown TCP packets but this will generate additional outbound traffic (which is what an attacker might want).
Please also note that if you are running a IPv6 enabled relay, you will have to use ip6tables instead of iptables - you will also have to allow all incoming ICMPv6 traffic through ip6tables, with plain IPv4 you don't really need to allow ICMP packets, with IPv6, it's absolutely required.
Hope I helped, never be afraid to ask questions, I am here to help.
2020-11-22 21:12 GMT, BRBfGWMz brbfgwmz@concealed.company:
Are the locations for the relays that are set up during the process of setting up relays for a single machine truely random (or pseudorandom), or is there any dependence on the ip/location of my desktop?
On Tue, Nov 17, 2020 at 08:48 AM, William Kane ttallink@googlemail.com wrote:
If your server is not responding, no harm done (likely already done if
you have iptables set up to drop unknown (established flag not set)
incoming traffic.).
If it's somehow maxing out your connection speed, then time to talk to
your upstream provider / hosting company - very likely they already
have anti dos equipment on their network, and many would just re-route
a customer through it until the attack stops, but it might cost you
some money.
2020-11-13 17:03 GMT, Jonas jonasdietrich@ctemplar.com:
According to packetflow traces, roughly 26,000 unique IPv4 from 85
countries
executing a SYN flood attack on TCP/9001. None of my bridges have 9001
open
nor respond to this port. The attacks continue to this day.
Danke.
Jonas
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
-- Sent using MsgSafe.io's Free Plan Private, encrypted, online communication For everyone. https://www.msgsafe.io
tor-relays@lists.torproject.org
-
William Kane