
Denial of Service (DoS) mitigations

Onionspray exposes most of the DoS protections available to Onion services. They can be enabled individually or combined; each section below names the C Tor option that the Onionspray setting maps to.

Introduction Point-based defenses

To mitigate DoS attacks at the introduction points, use the following settings, here provided with example values:

set tor_intro_dos_defense 1
set tor_intro_dos_burst_per_sec 200
set tor_intro_dos_rate_per_sec 25

They work exactly like C Tor's HiddenServiceEnableIntroDoSDefense, HiddenServiceEnableIntroDoSBurstPerSec and HiddenServiceEnableIntroDoSRatePerSec [1]; the example values above are C Tor's defaults (a burst of 200 and a sustained rate of 25 introductions per second). Note that the limiting itself is enforced by the introduction point relays, which the service instructs when it establishes its introduction points, so it only takes effect on relays that support that extension.

Proof of Work (PoW) protection

The following configuration options are available to enable and fine-tune PoW:

set tor_pow_enabled 1
set tor_pow_queue_rate 250
set tor_pow_queue_burst 2500

They're analogous to C Tor's HiddenServicePoWDefensesEnabled, HiddenServicePoWQueueRate and HiddenServicePoWQueueBurst configuration options [1]; the queue rate and burst values shown are C Tor's defaults.

Please tune them according to your needs.

Stream-based defenses

The number of streams a client may open over a single rendezvous circuit can be capped with these settings (adjust the number according to your needs):

set tor_max_streams 2000
set tor_max_streams_close_circuit 1

They correspond, respectively, to C Tor's HiddenServiceMaxStreams and HiddenServiceMaxStreamsCloseCircuit [1]. With the first setting alone, streams beyond the limit are refused; with tor_max_streams_close_circuit set to 1, exceeding the limit tears down the offending rendezvous circuit instead.

Load balancing

Check the load balancing page for details.

Webserver rate limiting

Partial support for this is provided by the following setting, equivalent to C Tor's HiddenServiceExportCircuitID [1]:

set tor_export_circuit_id haproxy

When this is set to haproxy, tor prepends a HAProxy PROXY protocol header to each inbound connection, so the circuit ID of the originating Onion Service circuit is available to the proxy (and shows up in its logs). The proxy integration needed to do full rate limiting on that identifier is still missing; the task is tracked on ticket tpo/onion-services/onionspray#18.

You can further expose this identifier to the backend/upstream HTTP web server by using the following configuration setting in conjunction with tor_export_circuit_id:

set nginx_x_onion_circuit_id 1

This makes NGINX add an X-Onion-CircuitID HTTP header to every request passed to the upstream site, which can then be used for metrics gathering or for rate limiting keyed on the circuit rather than on the source address (which is always the local proxy for Onion Service traffic).
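One way to consume that header upstream, as an added example that is not Onionspray's own code: a per-circuit token bucket wrapped as WSGI middleware. It assumes the upstream is a Python WSGI application reached through Onionspray's NGINX with nginx_x_onion_circuit_id set, so each request carries X-Onion-CircuitID (visible to WSGI as HTTP_X_ONION_CIRCUITID). The rate and burst values, the fallback key for requests without the header and the 429 response are illustrative choices, not Onionspray defaults; the circuit IDs in the simulation are constructed.

```python
"""Per-circuit rate limiting for an upstream behind Onionspray.

Added example, not Onionspray's own code. Assumes a Python WSGI upstream
that receives the X-Onion-CircuitID header added by Onionspray's NGINX.
Rate, burst, fallback key and the 429 policy are illustrative assumptions.
"""
import time
from collections import OrderedDict


class CircuitRateLimiter:
    """Token bucket per circuit ID, with LRU eviction to bound memory."""

    def __init__(self, rate_per_sec=5.0, burst=20, max_tracked=100_000,
                 clock=time.monotonic):
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self.max_tracked = max_tracked
        self.clock = clock                 # injectable for deterministic tests
        self._buckets = OrderedDict()      # circuit_id -> (tokens, last_seen)

    def allow(self, circuit_id):
        """Spend one token for circuit_id; return True if the request may proceed."""
        now = self.clock()
        # A circuit seen for the first time starts with a full bucket.
        tokens, last_seen = self._buckets.pop(circuit_id, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last_seen) * self.rate)
        allowed = tokens >= 1.0
        if allowed:
            tokens -= 1.0
        self._buckets[circuit_id] = (tokens, now)  # re-insert as most recently used
        while len(self._buckets) > self.max_tracked:
            self._buckets.popitem(last=False)      # evict least recently seen circuit
        return allowed


# Requests without the header did not come through the expected NGINX, or the
# header was not enabled. They share one bucket, so a misconfiguration degrades
# to a single global limit rather than to no limit at all (assumed policy).
NO_CIRCUIT_KEY = "no-circuit-id"


def circuit_rate_limit(app, limiter):
    """WSGI middleware: answer 429 when the request's circuit is over budget."""
    def middleware(environ, start_response):
        circuit_id = environ.get("HTTP_X_ONION_CIRCUITID") or NO_CIRCUIT_KEY
        if not limiter.allow(circuit_id):
            start_response("429 Too Many Requests",
                           [("Content-Type", "text/plain"), ("Retry-After", "1")])
            return [b"rate limited\n"]
        return app(environ, start_response)
    return middleware


def demo_app(environ, start_response):
    """Minimal upstream used to exercise the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def call(handler, circuit_id=None):
    """Drive a WSGI handler once and return the status line it produced."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if circuit_id is not None:
        environ["HTTP_X_ONION_CIRCUITID"] = circuit_id
    status = []
    handler(environ, lambda s, h, exc_info=None: status.append(s))
    return status[0]


def simulate(burst=20, rate=5.0, flood=25, wait=1.0):
    """Flood one circuit, wait, flood again, then probe a second circuit.

    Returns (allowed during first flood, allowed after the wait, status for
    the other circuit). A fake clock makes the result deterministic.
    """
    now = [0.0]
    limiter = CircuitRateLimiter(rate, burst, clock=lambda: now[0])
    handler = circuit_rate_limit(demo_app, limiter)
    # "4242" and "4243" are constructed circuit IDs, not values tor produced.
    in_flood = sum(call(handler, "4242") == "200 OK" for _ in range(flood))
    now[0] += wait
    after_wait = sum(call(handler, "4242") == "200 OK" for _ in range(flood))
    other = call(handler, "4243")  # a different circuit has its own full bucket
    return in_flood, after_wait, other


if __name__ == "__main__":
    print(simulate())  # (20, 5, '200 OK')
```

Two caveats apply to anything built on this identifier. The circuit ID is not a cryptographic token: a client that opens a fresh circuit per request gets a fresh bucket, so per-circuit limiting only blunts clients that hammer a single circuit, and the cost of opening circuits is what the introduction point and PoW defenses above are for. The ID is also assigned per tor daemon, so if several tor instances feed the same upstream their identifiers can collide and should be namespaced per instance before being used as a key.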

Notes


  1. Details on these options are available at the tor(1) manual page.