author: David Goulet <dgoulet@torproject.org>, 2021-01-26 11:42:52 -0500
committer: David Goulet <dgoulet@torproject.org>, 2021-02-22 15:48:42 -0500
commit: 94b56eaa7597e4a091a5b51d2c9032ea046631e3 (patch)
tree: 4c5c2d9cb88e023431028338145ab286d74341da /doc
parent: 6e3a7c410f2c0cfd2f705862cc4d32acd0a88096 (diff)
download: tor-94b56eaa7597e4a091a5b51d2c9032ea046631e3.tar.gz, tor-94b56eaa7597e4a091a5b51d2c9032ea046631e3.zip
dos: New client connect rate detection
This is a new detection type which is that a relay can now control the rate of
client connections from a single address.
The mechanism is pretty simple: if the rate/burst is reached, the address is
marked for a period of time and any connection from that address is denied.
Closes #40253
Signed-off-by: David Goulet <dgoulet@torproject.org>
Diffstat (limited to 'doc')
-rw-r--r-- doc/man/tor.1.txt | 24 +
1 file changed, 24 insertions, 0 deletions
diff --git a/doc/man/tor.1.txt b/doc/man/tor.1.txt index 3538d94b8e..3756d26522 100644 --- a/doc/man/tor.1.txt +++ b/doc/man/tor.1.txt @@ -2936,6 +2936,30 @@ Denial of Service mitigation subsystem described above. consensus, the value is 100. (Default: 0) +[[DoSConnectionConnectRate]] **DoSConnectionConnectRate** __NUM__:: + + The allowed rate of client connection from a single address per second. + Coupled with the burst (see below), if the limit is reached, the address + is marked and a defense is applied (DoSConnectionDefenseType) for a period + of time defined by DoSConnectionConnectDefenseTimePeriod. If not defined + or set to 0, it is controlled by a consensus parameter. + (Default: 0) + +[[DoSConnectionConnectBurst]] **DoSConnectionConnectBurst** __NUM__:: + + The allowed burst of client connection from a single address per second. + See the DoSConnectionConnectRate for more details on this detection. If + not defined or set to 0, it is controlled by a consensus parameter. + (Default: 0) + +[[DoSConnectionConnectDefenseTimePeriod]] **DoSConnectionConnectDefenseTimePeriod** __N__ **seconds**|**minutes**|**hours**:: + + The base time period in seconds that the client connection defense is + activated for. The actual value is selected randomly for each activation + from N+1 to 3/2 * N. If not defined or set to 0, it is controlled by a + consensus parameter. + (Default: 24 hours) + [[DoSRefuseSingleHopClientRendezvous]] **DoSRefuseSingleHopClientRendezvous** **0**|**1**|**auto**:: Refuse establishment of rendezvous points for single hop clients. In other |
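Review bot: The DoSConnectionConnectBurst entry describes the burst as "from a single address per second", which contradicts the rate-plus-burst model described in the DoSConnectionConnectRate entry just above it: the rate is the per-second allowance and the burst is the maximum number of connections tolerated above that rate before the address is marked, so the burst has no per-second unit. Suggest "The allowed burst of client connections from a single address." and, in the same pass, "client connections" (plural) in both the Rate and Burst entries. Separately, the DoSConnectionConnectDefenseTimePeriod entry says "If not defined or set to 0, it is controlled by a consensus parameter" but then lists "(Default: 24 hours)"; the other two new entries list "(Default: 0)" to match that sentence. Either the default or the sentence should change so an operator can tell which value actually defers to the consensus, and the entry should say whether the "N+1 to 3/2 * N" randomization applies to a consensus-supplied value as well as an operator-set one.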