protect a Tor relay against DDoS attacks


For several weeks, users have been voicing concerns (see https://www.reddit.com/r/TOR/comments/1cnmsdz/tor_extremely_slow_lately/, https://forum.torproject.org/t/is-there-currently-a-major-ddos-affecting-the-networks-availability/12492, etc.) about degraded performance (slow speeds, timeouts) when using Tor to access both v3 onion sites and clearnet websites. Personally, I've found that most v3 onion services are so slow that they are effectively unusable. For this reason, I have installed some mitigation scripts on my relays and checked whether the relays benefit from them.

I found some scripts on GitHub:

toralf/torutils: Few tools for a Tor relay. (github.com)

Enkidu-6/tor-ddos: iptables rules for Tor relay operators to mitigate ddos (github.com)

ipset is a tool for managing IP sets in the context of the Linux network stack. IP sets are essentially data structures that can store collections of IP addresses, network addresses, ports or other network-related objects. These sets are often used in combination with iptables to create more efficient and flexible firewall rules.

Here are some of the main use cases and features of ipset:

    Performance: since IP sets are optimized to handle large amounts of IP addresses, they allow for faster lookup operations compared to traditional iptables rules that need to be searched sequentially.

    Flexibility: IP sets can be created in several types, for example:
        hash:ip: A set of individual IP addresses.
        hash:net: A set of networks.
        hash:ip,port: A set of IP addresses and ports.
        bitmap:ip: A set of IP addresses in a specific range.
        list:set: A set that can contain other IP sets.

    Dynamics: IP sets can be changed dynamically at runtime without having to change existing iptables rules. This means that IP addresses can be added to or removed from a set without affecting performance or interrupting existing connections.

Summary

ipset is a powerful tool for the efficient management and use of IP addresses and networks within iptables rules. It offers considerable performance and flexibility advantages, especially when large numbers of IP addresses or complex firewall rules need to be managed.

I personally use ufw on my Tor relays.

ufw (Uncomplicated Firewall) is a user interface for iptables that makes it easier to configure firewall rules. ipset and ufw are two separate tools, but they can be used together to simplify and optimize the management of firewall rules.

Using ipset with ufw

By default, ufw does not support direct integration with ipset. However, you can use ipset to create IP sets and then include them in iptables rules that complement ufw rules.

To ensure that such a rule remains in place when the system or the firewall is restarted, you can add it to one of ufw's own rule files instead of loading it by hand.

Open the file /etc/ufw/before.rules with a text editor.
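As an added example (not code from this post or from the torutils / tor-ddos repositories), here are the pieces the steps above leave out: creating the set, the two lines that go into /etc/ufw/before.rules, and a small offline check that finds peers holding too many connections to the ORPort. The ORPort 9001, the set name tor-ddos, the limit of 8 connections and the sample addresses are assumed or constructed values.

```shell
#!/bin/sh
# Added example; not from the original post or the linked repositories.
# Assumed values: ORPort 9001, set name "tor-ddos", limit of 8 connections
# per source address, 30 minute entry timeout. Adjust for your relay.
set -eu

SET_NAME="${SET_NAME:-tor-ddos}"
ORPORT="${ORPORT:-9001}"
LIMIT="${LIMIT:-8}"

# Create the set once; -exist makes this safe to run again. Entries expire
# after 1800 s, so a mistakenly added address is not blocked forever.
create_set() {
    ipset create -exist "$SET_NAME" hash:ip family inet timeout 1800
}

# Lines to paste into /etc/ufw/before.rules, inside the *filter section and
# before its COMMIT line. Rule 1 drops packets from addresses already in the
# set; rule 2 adds any source that opens more than LIMIT parallel connections
# to the ORPort. The set must exist before ufw loads these rules.
before_rules() {
    cat <<EOF
-A ufw-before-input -p tcp --dport $ORPORT -m set --match-set $SET_NAME src -j DROP
-A ufw-before-input -p tcp --dport $ORPORT --syn -m connlimit --connlimit-above $LIMIT --connlimit-mask 32 -j SET --add-set $SET_NAME src
EOF
}

# Offline check: read socket lines (last column "peer:port", as printed by
# `ss -Htn state established`) from stdin and print every peer address that
# holds more than LIMIT connections.
offenders() {
    awk -v limit="$LIMIT" '{
        sub(/:[0-9]+$/, "", $NF)      # strip the peer port
        n[$NF]++
    } END { for (ip in n) if (n[ip] > limit) print ip }' | sort
}

# Constructed sample: 192.0.2.10 holds 9 connections, 198.51.100.7 holds 2.
sample_connections() {
    i=0
    while [ "$i" -lt 9 ]; do
        echo "0 0 10.0.0.1:$ORPORT 192.0.2.10:$((40000 + i))"; i=$((i + 1))
    done
    echo "0 0 10.0.0.1:$ORPORT 198.51.100.7:51000"
    echo "0 0 10.0.0.1:$ORPORT 198.51.100.7:51001"
}

case "${1:-}" in
    rules) before_rules ;;                      # print the before.rules lines
    check) sample_connections | offenders ;;    # run the detector on the sample
esac
```

Run `sh script.sh rules` to see the two rule lines and `sh script.sh check` to see the detector flag only 192.0.2.10; `create_set` needs root and the ipset package.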

Summary

ipset and ufw are separate tools that can be used together to optimize the management of firewall rules. ipset efficiently manages large numbers of IP addresses, while ufw provides a user-friendly interface for iptables. By adding ipset-based rules to the ufw configuration files, you can take advantage of both tools.