author: trinity-1686a <trinity@deuxfleurs.fr> 2023-09-10 16:47:17 +0200
committer: David Goulet <dgoulet@torproject.org> 2023-10-18 13:06:10 -0400
commit: 3970ee6a07035c6028edd890b5d28bb7a71e0833 (patch)
tree: 5c719ec75053a1048905ec85c78d090e0fa70704 /doc/man
parent: f8b259c2fe2208889a26a7d9494fea0c1b97f7a4 (diff)
add changes/ and man entries for stream dos mitigation
Diffstat (limited to 'doc/man'):
-rw-r--r-- doc/man/tor.1.txt | 38
1 file changed, 38 insertions, 0 deletions
diff --git a/doc/man/tor.1.txt b/doc/man/tor.1.txt
index cfac33d962..101c14f0d1 100644
--- a/doc/man/tor.1.txt
+++ b/doc/man/tor.1.txt
@@ -3037,6 +3037,44 @@ Denial of Service mitigation subsystem described above.
consensus parameter. If not defined in the consensus, the value is 0.
(Default: auto)
+The following options are useful only for a exit relay.
+
+[[DoSStreamCreationEnabled]] **DoSStreamCreationEnabled** **0**|**1**|**auto**::
+
+ Enable the stream DoS mitigation. If set to 1 (enabled), tor will apply
+ rate limit on the creation of new streams and dns requests per circuit.
+ "auto" means use the consensus parameter. If not defined in the consensus,
+ the value is 0. (Default: auto)
+
+[[DoSStreamCreationDefenseType]] **DoSStreamCreationDefenseType** __NUM__::
+
+ This is the type of defense applied to a detected circuit or stream for the
+ stream mitigation. The possible values are:
+ +
+ 1: No defense.
+ +
+ 2: Reject the stream or resolve request.
+ +
+ 3: Close the circuit creating to many streams.
+ +
+ "0" means use the consensus parameter. If not defined in the consensus, the value is 2.
+ (Default: 0)
+
+[[DoSStreamCreationtRate]] **DoSStreamCreationRate** __NUM__::
+
+ The allowed rate of stream cretion from a single circuit per second. Coupled
+ with the burst (see below), if the limit is reached, actions can be taken
+ against the stream or circuit (DoSStreamCreationDefenseType). If not defined or
+ set to 0, it is controlled by a consensus parameter. If not defined in the
+ consensus, the value is 100. (Default: 0)
+
+[[DoSStreamCreationBurst]] **DoSStreamCreationBurst** __NUM__::
+
+ The allowed burst of stream creation from a circuit per second.
+ See the DoSStreamCreationRate for more details on this detection. If
+ not defined or set to 0, it is controlled by a consensus parameter. If not
+ defined in the consensus, the value is 300. (Default: 0)
+
For onion services, mitigations are a work in progress and multiple options
are currently available.
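Review bot: the anchor on the rate option is misspelled: the hunk adds `[[DoSStreamCreationtRate]]` (stray `t`) above `**DoSStreamCreationRate** __NUM__::`, so the anchor id does not match the option name and a `<<DoSStreamCreationRate>>` cross-reference to this entry will not resolve; rename it to `[[DoSStreamCreationRate]]` to match the other three entries, whose anchors equal their option names. The same hunk carries several typos that should be fixed before merge: "useful only for a exit relay" should read "an exit relay", "stream cretion" should be "stream creation", "the circuit creating to many streams" should be "too many streams", and "dns requests" should be "DNS requests". In the DoSStreamCreationBurst entry, "The allowed burst of stream creation from a circuit per second" reads as a second rate; since DoSStreamCreationRate is already the per-second figure and the burst is described as being "coupled" with it, the entry would be clearer as "The allowed burst of stream creation from a single circuit" (or whatever unit the implementation actually applies), so readers do not confuse the two options.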