Denial of Service (DoS) mitigations
Onionspray implements many of the available Onion service DoS protections that can be used alone or altogether.
Introduction Point-based defenses

To mitigate DoS attacks at the introduction points, use the following settings, here provided with example values:

```
set tor_intro_dos_defense 1
set tor_intro_dos_burst_per_sec 200
set tor_intro_dos_rate_per_sec 25
```

They work exactly as C Tor's HiddenServiceEnableIntroDoSDefense, HiddenServiceEnableIntroDoSBurstPerSec and HiddenServiceEnableIntroDoSRatePerSec [1].
Proof of Work (PoW) protection

The following configuration options are available to enable and fine-tune PoW:

```
set tor_pow_enabled 1
set tor_pow_queue_rate 250
set tor_pow_queue_burst 2500
```

They're analogous to C Tor's HiddenServicePoWDefensesEnabled, HiddenServicePoWQueueRate and HiddenServicePoWQueueBurst configuration options [1]. Please tune them according to your needs.
Stream-based defenses

Connections can be limited in the rendezvous streams by using these settings (change the number according to your needs):

```
set tor_max_streams 2000
set tor_max_streams_close_circuit 1
```

They correspond, respectively, to C Tor's HiddenServiceMaxStreams and HiddenServiceMaxStreamsCloseCircuit [1].
Load balancing
Check the load balancing page for details.
Webserver rate limiting

This is partially built through this setting, equivalent to C Tor's HiddenServiceExportCircuitID [1]:

```
set tor_export_circuit_id haproxy
```

When this is set to haproxy, the Onion Service circuit IDs will be available to the proxy (and will show up in the logs), but the proxy integration needed to do full rate limiting is still missing; that task is being tracked on ticket tpo/onion-services/onionspray#18.

You can further expose this identifier to the backend/upstream HTTP web server by using the following configuration setting in conjunction with tor_export_circuit_id:

```
set nginx_x_onion_circuit_id 1
```

This makes NGINX add an X-Onion-CircuitID HTTP header to any request passed to the upstream site, which can then be used for metrics gathering or to do rate limiting.
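As an added example (not Onionspray's own configuration), this is how an upstream NGINX server can key its rate limiting and access log on the X-Onion-CircuitID header that Onionspray's front NGINX adds; the listen address, zone name, rates, log path and document root are assumed values, and it assumes the upstream is reachable only through the Onionspray front so the header cannot be set by a client directly.

```nginx
# Added example: upstream NGINX rate limiting per Onion Service circuit,
# using the X-Onion-CircuitID header set when nginx_x_onion_circuit_id is 1.
# NGINX exposes that header as $http_x_onion_circuitid.
events {}

http {
    # Key on the circuit ID; fall back to the client address when the header
    # is absent so those requests are still limited instead of passing unkeyed.
    map $http_x_onion_circuitid $onion_circuit_key {
        ""      $remote_addr;
        default $http_x_onion_circuitid;
    }

    # 10 MB shared zone (assumed size), at most 5 requests/second per circuit.
    limit_req_zone $onion_circuit_key zone=per_circuit:10m rate=5r/s;
    limit_req_status 429;

    # Record the circuit ID in the access log for per-circuit metrics.
    log_format onion '$remote_addr circuit=$http_x_onion_circuitid '
                     '"$request" $status $body_bytes_sent';

    server {
        # Assumed: only the Onionspray front proxy can reach this listener.
        listen 127.0.0.1:8080;
        access_log /var/log/nginx/onion.log onion;

        location / {
            # Absorb short bursts of up to 10 requests, then answer 429.
            limit_req zone=per_circuit burst=10 nodelay;
            root /var/www/html;
        }
    }
}
```

Because a circuit ID identifies a single rendezvous circuit rather than a client, a client that opens many circuits gets a fresh bucket each time, so this complements rather than replaces the Tor-level defenses above.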