DoS mitigation parameters

Denial-of-Service (DoS) Protection

Anyone relays, especially exit and directory relays, are vulnerable to DoS attacks that can degrade performance or disrupt services. Anon provides built-in DoS mitigation options to protect relays from excessive circuit creation, connection flooding, or stream abuse. Below are some parameters that can be configured in your anonrc file for enhanced protection.

🔹Circuit Creation DoS Protection

Protects your relay from excessive circuit creation attempts.

DoSCircuitCreationEnabled 1
DoSCircuitCreationBurst 30
DoSCircuitCreationRate 3
DoSCircuitCreationMinConnections 3
DoSCircuitCreationDefenseTimePeriod 3600 seconds
DoSCircuitCreationDefenseType 2

DefenseType 2 will refuse circuit creation for the defined period if thresholds are exceeded. This helps prevent CPU exhaustion from malicious circuits.

🔹Connection Flooding Protection

Limits the rate and number of incoming connections to avoid exhaustion.

DoSConnectionEnabled 1
DoSConnectionDefenseType 2
DoSConnectionMaxConcurrentCount 50
DoSConnectionConnectRate 20
DoSConnectionConnectBurst 30
DoSConnectionConnectDefenseTimePeriod 24 hours

DefenseType 2 immediately closes excessive new connections. Recommended for middle and exit relays exposed to public traffic.

🔹Stream Abuse Protection

Protects against exit traffic generating too many streams per circuit.

DoSStreamCreationEnabled 1
DoSStreamCreationDefenseType 3
DoSStreamCreationRate 100
DoSStreamCreationBurst 200

Only needed for exit nodes.

🔹Hidden Service DoS Protection

Protects your hidden service from introduction/rendezvous DoS attacks. The HiddenService* options are per-service and belong after the HiddenServiceDir line of the service they protect.

HiddenServiceEnableIntroDoSBurstPerSec 200
HiddenServiceEnableIntroDoSRatePerSec 25
HiddenServicePoWDefensesEnabled 1
HiddenServicePoWQueueRate 250
HiddenServicePoWQueueBurst 2500
CompiledProofOfWorkHash 1

This covers two mechanisms: proof-of-work requirements for connecting clients, and rate-limiting at the introduction points.

🔹Disable Single-Hop Client Rendezvous

If you're running any type of relay, you can disallow single-hop client circuits to further reduce abuse, but it's completely optional.

DoSRefuseSingleHopClientRendezvous 1
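The rate/burst/period options in the circuit, connection and stream sections above share one shape, so it is easy to end up with tuning lines that do nothing (the *Enabled switch left at 0) or a burst smaller than its rate. The following linter is an added example, not code from the Anon project: it parses an anonrc fragment, converts interval values such as "3600 seconds" or "24 hours" to seconds, and reports such inconsistencies. The sample config is constructed, with the stream section deliberately misconfigured.

```python
import re

# Time units accepted by tor-style config parsers (Anon uses the same syntax).
UNIT_SECONDS = {"second": 1, "seconds": 1, "minute": 60, "minutes": 60,
                "hour": 3600, "hours": 3600, "day": 86400, "days": 86400}

# (enable switch, rate, burst, defense period) for each DoS subsystem on this page.
SUBSYSTEMS = [
    ("DoSCircuitCreationEnabled", "DoSCircuitCreationRate",
     "DoSCircuitCreationBurst", "DoSCircuitCreationDefenseTimePeriod"),
    ("DoSConnectionEnabled", "DoSConnectionConnectRate",
     "DoSConnectionConnectBurst", "DoSConnectionConnectDefenseTimePeriod"),
    ("DoSStreamCreationEnabled", "DoSStreamCreationRate",
     "DoSStreamCreationBurst", None),
]

# Constructed sample anonrc: the stream section is deliberately misconfigured.
SAMPLE_ANONRC = """\
DoSCircuitCreationEnabled 1
DoSCircuitCreationBurst 30
DoSCircuitCreationRate 3
DoSCircuitCreationDefenseTimePeriod 3600 seconds
DoSConnectionEnabled 1
DoSConnectionConnectRate 20
DoSConnectionConnectBurst 30
DoSConnectionConnectDefenseTimePeriod 24 hours
DoSStreamCreationEnabled 0
DoSStreamCreationRate 100
DoSStreamCreationBurst 50
"""

def parse_anonrc(text):
    """Map lowercased option names to raw values, ignoring # comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip()
    return conf

def interval_seconds(value):
    """Convert '3600 seconds', '24 hours' or a bare number of seconds to an int."""
    m = re.fullmatch(r"(\d+)\s*([A-Za-z]*)", value.strip())
    if not m or (m.group(2) and m.group(2).lower() not in UNIT_SECONDS):
        raise ValueError(f"cannot parse interval {value!r}")
    return int(m.group(1)) * UNIT_SECONDS.get(m.group(2).lower(), 1)

def lint_dos(conf):
    """Return warnings for tuning lines with no effect, burst < rate, or bad intervals."""
    warnings = []
    for enable, rate, burst, period in SUBSYSTEMS:
        tuned = [k for k in (rate, burst, period) if k and k.lower() in conf]
        if tuned and conf.get(enable.lower()) != "1":
            warnings.append(f"{enable} is not 1, so {', '.join(tuned)} have no effect")
        r, b = conf.get(rate.lower()), conf.get(burst.lower())
        if r and b and r.isdigit() and b.isdigit() and int(b) < int(r):
            warnings.append(f"{burst} ({b}) is below {rate} ({r})")
        if period and period.lower() in conf:
            try:
                interval_seconds(conf[period.lower()])
            except ValueError as err:
                warnings.append(f"{period}: {err}")
    return warnings

if __name__ == "__main__":
    for w in lint_dos(parse_anonrc(SAMPLE_ANONRC)):
        print("WARNING:", w)
```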

🔹RTFM

For a better understanding of DoS mitigation strategies and configurations, please refer to the section DENIAL OF SERVICE MITIGATION OPTIONS in the Anon Manual.

The manual offers technical explanations and guidance to help you tailor your relay's defenses effectively.

MAN - Anon Manual
