Limiting connections per external IP address

ccgllc

Hi all.

A few months back I started running a TOR non-exit relay, with the TOR port NATed over to the server that supports it. Works just fine.

Unfortunately there are those that believe TOR is evil and they have recently started to attack relays nodes with a connection attack. e.g. They flood the IP with connection request. This shows up on my server as a huge jump in CPU resources, warnings about not having enough CPU to support the number of connections, etc. I could actually live with that, since these attacks are not continuous.

I have circumstantial experienced other services are being disrupted when these attacks happen. We have seen a marked increase in the number of unexpected issues, like Messenger Room connections failing, Netflix "unable to display this title", and similar issues. This is pissing my family off - which is uncool. Everything returns to normal when the attacks stop.

Wondering if there is something simple I could do within my PFSense firewall to at least limit the attacks at the firewall? Thinking something like limiting the number of concurrent connections from an external IP to 30... or something like that.

FWIW - I have a pretty straight forward PFSense Plus installation. I use it for NAT handling and DHCP and NTP services on my LAN. The most complicated things I've done is bridge 3 ethernet ports together to enable usage of more than 1 LAN port. So not a newbie, but hardly an expert.

Appreciate any suggestions!

akuma1x

@ccgllc If this is a normal WAN rule you have created to allow the traffic into your network, there is an option, under ADVANCED, where you can set a max number of unique source IP addresses. Might be worth a try.

Maximum number of unique source hosts

This option specifies how many total source IP addresses may simultaneously connect for this rule. Each source IP address is allowed an unlimited number of connections, but the total number of distinct source IP addresses allowed is restricted to this value.

https://docs.netgate.com/pfsense/en/latest/firewall/configure.html

ccgllc

@akuma1x Hmmm... that might help if the attacks are real DDOS style ones. It feels more like a machine or three spamming connection request - just trying to cause problems.

Is there somewhere I can check to see the number of unique IPs currently connected to me? Would need a count, not a list. Its pretty easy, via "nyx" to know when I'm under attack. If I could see the count, I could tell if such a rule would help or not.

akuma1x

@ccgllc said in Limiting connections per external IP address:

Is there somewhere I can check to see the number of unique IPs currently connected to me? Would need a count, not a list.

Does your TOR software not tell you a count of connected users? I really don't have any idea if they do or not, I don't use it, sorry.

ccgllc

@akuma1x Yeah... just dug around in nyx and found that. Something definitely amiss - I see 20K incoming connections but only 3.3K outbound. As a non-exit middle node, they should match - or so I think. Checking in with the TOR community to confirm that.