Script >v.5 #52
Replies: 4 comments
-
I'm personally not a fan of hashlimits at all, but I'm using it because of the new nature of the attacks. They make fewer concurrent connection attempts, which is why the block lists don't populate as much, but they also take full advantage of the connections they already have by maximizing the throughput and creating far more requests than before. That is why you see the load shoot up and Tor go to the overloaded state more often. This kept happening too often for the past week or so, which is why I added the hashlimit rule to deal with it.

I'm still trying to tune the hashlimit value, but for now a burst of 4 seems to answer better. Please use the newest update.sh to make sure you have the correct burst value. As for making it more strict, I'm not sure how much stricter we can go. We allow a maximum of two connections regardless of them being in the block list or not. I guess we can eventually try a maximum of one, but I'm not prepared to go that far yet. Maybe at some point in the future we may have to go that route.

The rules are exactly the same as before except for the hashlimit addition. Which means if you prefer the old rules, all you have to do is to comment out lines 31 and 46 of the updates.sh by putting a # to the left and you'd be running the same rules as version 4.0, but I suggest you give the new one a try for now, and as we get more feedback we can fine-tune the rules.
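To illustrate the reasoning in the reply above (an added example, not part of the thread and not the script's own rules): a cap on concurrent connections compared with a per-source token bucket, the style of rate limiting that hashlimit applies. The cap of 2 and the burst of 4 come from the thread; the refill rate, the event format and the sample traffic are assumptions constructed for the illustration.

```python
from collections import defaultdict

CONN_CAP = 2  # from the thread: at most two connections per source
BURST = 4     # from the thread: burst value currently in use
RATE = 1      # ASSUMED refill rate, events per second (not given in the thread)


def conn_cap_drops(events, cap=CONN_CAP):
    """Drops per source when only the first `cap` connections are allowed."""
    order, dropped = defaultdict(dict), defaultdict(int)
    for _, src, conn in sorted(events):
        rank = order[src].setdefault(conn, len(order[src]))
        if rank >= cap:
            dropped[src] += 1
    return dict(dropped)


def token_bucket_drops(events, rate=RATE, burst=BURST):
    """Drops per source under a per-source token bucket.

    Times are integer milliseconds and tokens are kept in thousandths,
    so the arithmetic is exact: one event costs 1000 units and the
    bucket refills by `rate` units per millisecond, capped at `burst`.
    """
    level, last, dropped = {}, {}, defaultdict(int)
    for t, src, _ in sorted(events):
        have = level.get(src, burst * 1000) + (t - last.get(src, t)) * rate
        have = min(burst * 1000, have)
        last[src] = t
        if have >= 1000:
            have -= 1000
        else:
            dropped[src] += 1
        level[src] = have
    return dict(dropped)


def sample_events():
    """Constructed traffic over 10 s as (time_ms, source, connection_id)."""
    # "heavy": only 2 connections open, one event every 50 ms across them.
    heavy = [(i * 50, "heavy", i % 2) for i in range(200)]
    # "normal": 1 connection, a 3-event burst at 0 s and again at 5 s.
    normal = [(s + k * 10, "normal", 0) for s in (0, 5000) for k in range(3)]
    return heavy + normal


if __name__ == "__main__":
    ev = sample_events()
    print("connection cap drops:", conn_cap_drops(ev))
    print("burst=4 drops:", token_bucket_drops(ev))
    print("burst=2 drops:", token_bucket_drops(ev, burst=2))
```

On this constructed traffic the connection cap drops nothing, the bucket with a burst of 4 drops only the heavy source's excess, and lowering the burst to 2 starts dropping the normal source's short bursts as well.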
-
By the way, this is what I'm talking about when I say the nature of the attack. The bright green is what comes in and the dark green is what we let go out. The spike is almost twice the MaxAdvertisedBandwidth in torrc, but they don't care about what bandwidth you advertise, which is what makes Tor's message not only meaningless but wrong when it tells you your system is overloaded and you should adjust your MaxAdvertisedBandwidth.
-
With traffic, these load peaks are relatively unnoticeable to me, but with Load & CPU...
-
Yes, when you get that kind of incoming load, you'd get a huge spike in RAM and CPU usage, which is the whole point of the attack. But the good news is that your RAM will go back to where it was after a few minutes.
-
I've been using the "new" scripts since yesterday.
However, after this time fewer IP addresses are blocked than before.
The system load also shoots up more often.
Both relays are also red again as overloaded.
So for my taste it makes more sense to make the rules even stricter.