Enkidu-6 / tor-ddos

iptables rules for Tor relay operators to mitigate ddos
https://enkidu-6.github.io/tor-ddos/

many overload messages #2

Closed ToterEngel closed 1 year ago

ToterEngel commented 2 years ago

I think the script is well done. At least clear enough that even a noob can understand it.

I have now tested these rules for a day, but with half the blocking time.

The number of incoming connections was also almost halved. However, I still have a lot of overload messages in the log.

Are there any other solutions to further optimize it?

Enkidu-6 commented 1 year ago

Ah now we're talking. Yes that's a lot of traffic. I would definitely increase the NumCPUs to at least 16 on each torrc file. Even higher. Worker threads are responsible for decrypting onionskins and Tor decides to keep or drop them based on how long it takes for a worker to become available. By increasing the NumCPUs you're creating available worker threads to be used when needed and until they're needed, they use zero CPU and when they're needed they use something like 1% CPU.

Enkidu-6 commented 1 year ago

To add to the above comment. I'd start at 16 and increase them gradually and look at the NTor percentage in the logs. In my case at 4 CPUs I had about 36% drops. At 8, it went down to 1.5-2.6%. At 12 they disappeared completely. With your bandwidth you'll need a lot more. Play with the numbers to find the magic number. However, I believe you'll have to restart Tor for that to take effect. I don't think a simple -HUP will do the trick. But don't take my word for it. Verify.
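The advice above is to watch the NTor drop percentage in the relay log while tuning NumCPUs. The following is an added example, not code from the tor-ddos project or from either commenter, that pulls those figures out of heartbeat lines so the trend can be read off across several heartbeats. It assumes the heartbeat line has the form "Circuit handshake stats since last time: D/R TAP, D/R NTor." with D the dropped and R the requested onionskins; the log lines embedded below are constructed, not captured from a real relay.

```python
import re

# Assumption (not stated in the thread): Tor's heartbeat reports
# "Circuit handshake stats since last time: D/R TAP, D/R NTor."
# where D = onionskins dropped and R = onionskins requested.
HEARTBEAT_RE = re.compile(
    r"Circuit handshake stats since last time: "
    r"(?P<tap_drop>\d+)/(?P<tap_req>\d+) TAP, "
    r"(?P<ntor_drop>\d+)/(?P<ntor_req>\d+) NTor\."
)

# Constructed sample log (not real relay output): the NTor drop rate
# falls as NumCPUs is raised between heartbeats.
SAMPLE_LOG = """\
Jun 01 12:00:00.000 [notice] Heartbeat: Tor's uptime is 6:00 hours, with 9000 circuits open.
Jun 01 12:00:00.000 [notice] Circuit handshake stats since last time: 0/12 TAP, 18000/50000 NTor.
Jun 01 18:00:00.000 [notice] Circuit handshake stats since last time: 0/9 TAP, 1000/48000 NTor.
Jun 02 00:00:00.000 [notice] Circuit handshake stats since last time: 0/0 TAP, 0/51000 NTor.
"""


def ntor_drop_stats(log_text):
    """Return one (dropped, requested, drop_pct) tuple per heartbeat line.

    Lines that are not heartbeat handshake lines are ignored; a heartbeat
    with zero requests is reported as 0.0 % rather than raising.
    """
    stats = []
    for line in log_text.splitlines():
        m = HEARTBEAT_RE.search(line)
        if not m:
            continue
        dropped = int(m["ntor_drop"])
        requested = int(m["ntor_req"])
        pct = 100.0 * dropped / requested if requested else 0.0
        stats.append((dropped, requested, round(pct, 2)))
    return stats


def worst_ntor_drop_pct(log_text):
    """Highest NTor drop percentage seen in the log (0.0 if no heartbeats)."""
    return max((s[2] for s in ntor_drop_stats(log_text)), default=0.0)


def heartbeats_over(log_text, threshold_pct):
    """Heartbeats whose NTor drop rate exceeds threshold_pct, for alerting."""
    return [s for s in ntor_drop_stats(log_text) if s[2] > threshold_pct]


if __name__ == "__main__":
    for dropped, requested, pct in ntor_drop_stats(SAMPLE_LOG):
        print(f"NTor dropped {dropped}/{requested} ({pct}%)")
    print("worst:", worst_ntor_drop_pct(SAMPLE_LOG), "%")
```

Run it against the relay's notice log (for example by reading the file into `ntor_drop_stats`) after each NumCPUs change and compare the percentages heartbeat by heartbeat; a run of heartbeats at 0 % is the signal the second comment describes as the drops disappearing.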

ToterEngel commented 1 year ago

Yes, you're right. I've now increased it to 16 and had to reboot. I'm curious to see how long it will take for the relays to fully boot up again. Currently only about 300 MBit go over the network card. My maximum a week ago was 830 MBit in Tor, even without bandwidth restrictions. PS: Load average approx. 1.5 currently

Enkidu-6 commented 1 year ago

Oh, I'm not sure if you need to reboot. Did you try to stop and start Tor again? That should do the trick.

ToterEngel commented 1 year ago

In theory, this is enough. However, the last time Tor was restarted, the process hung. Possibly a bug, since I'm currently running the nightly version. Since at least nothing important is running on the server for me, a reboot occasionally doesn't hurt even with a few kernel updates etc. :-D