Anyone Docs
  • 🔷The Documentation For Anyone
    • About
    • FAQ
  • 🔷Relay Setup
    • Get Started
    • Relay Operator Standards
    • Installation and Usage
      • Virtualization on Windows
      • Virtualization on macOS
      • Install Ubuntu Server 24.04
      • Server management with SSH in Windows and macOS
      • Install Anon on Linux
      • Firewall and Network Configurations
        • Router Port Forwarding
        • Install and Configure Firewall
      • Troubleshooting Common Issues
        • Diagnosing CGNAT and Public IPv4
        • Confirm ORPort Reachability
        • Configure IPv4 and IPv6
      • Advanced Configuration
        • Install Anon using the apt repository
          • Binary Verification
        • Install Anon in Docker
        • Install Anyone Exit Relay
          • Exit Relay Guidelines
        • DoS mitigation parameters
        • Update Anon and accept terms and conditions
        • Configure SOCKS5 Proxy for Anyone
  • 🔷Hardware Setup
    • Setup Guide
    • Router Mode Setup
    • Description and Specifications
    • Relay Control Panel Pages
      • Home
      • Network Settings
      • Relay Settings
      • Relay Family
      • Proxy Settings BETA
      • Change Password
      • Logs
      • Update
    • Hardware Updates
      • System Update (USB)
      • System Update (WebUI)
      • Anon Update (WebUI)
    • Troubleshooting and additional configuration
      • Router Port Forwarding
      • Diagnosing CGNAT and Public IPv4
  • 🔷Security and Privacy
    • VPS Hardening
  • 🔷Rewards Dashboard
    • Registering to the Rewards Program
    • Accessing the Rewards Dashboard
    • Using the Rewards Dashboard
    • Rewards Status
  • 🔷Anyone SDK
    • NPM SDK
      • Install NPM Package
      • Run as Library
        • Anon
        • AnonSocksClient
        • AnonControlClient
      • Run from CLI
      • Tutorials
        • Hello Anon World I
        • Hello Anon World II
        • Circuit Control I
        • Circuit Control II
    • Native SDK
      • Anyone Client Releases
      • MAN - Anon Manual
      • Tutorials
        • Anyone Services I
        • Anyone Services II
    • iOS SDK [Beta]
      • Manual Install - CocoaPods
  • 🔷Connect to Anyone
    • Connecting to Linux
      • [Beta] One-Click Linux Setup
    • Connecting to macOS
      • macOS with NPM
      • [Beta] One-Click macOS Setup
    • Connecting to Windows
      • [Beta] One-Click Windows Setup
    • Individual Applications with Anyone
    • Connect Through Hardware
  • 🔷Tokenomics
    • Introduction
    • Token Distribution
      • Token Outflow
      • Other Tokens
      • Multichain
    • Relay Rewards
      • Lock Requirement
      • Lock Adjustments
      • Reward Multipliers
    • Additional Roles
      • Authorities and Staking
      • Governance Voting
    • Premium Circuits
      • Premium Circuits
      • Premium Circuits: Metrics
    • Summary
      • Value Accrual Summary
      • Rewards Case Study
    • Appendix
      • M Derivation
      • Risk Equation Derivation
  • 🔷Resources
    • Community and Customer Support
    • Links
    • Token
    • Whitepaper
    • Roadmap
    • API
      • REST
      • [Future] GraphQL
Powered by GitBook
On this page
  • Circuit Creation DoS Protection
  • Connection Flooding Protection
  • Stream Abuse Protection
  • Hidden Service DoS Protection
  • Disable Single-Hop Client Rendezvous
  • RTFM
  1. Relay Setup
  2. Installation and Usage
  3. Advanced Configuration

DoS mitigation parameters

Denial-of-Service (DoS) Protection

Last updated 1 month ago

Anyone relays, especially exit and directory relays, are vulnerable to DoS attacks that can degrade performance or disrupt services. Anon provides built-in DoS mitigation options to protect relays from excessive circuit creation, connection flooding, or stream abuse. Below are some parameters that can be configured in your anonrc file for enhanced protection.

Circuit Creation DoS Protection

Protects your relay from excessive circuit creation attempts.

DoSCircuitCreationEnabled 1
DoSCircuitCreationBurst 30
DoSCircuitCreationRate 3
DoSCircuitCreationMinConnections 3
DoSCircuitCreationDefenseTimePeriod 3600 seconds
DoSCircuitCreationDefenseType 2

DefenseType 2 will refuse circuit creation for the defined period if thresholds are exceeded. Helps prevent CPU exhaustion from malicious circuits.

Connection Flooding Protection

Limits the rate and number of incoming connections to avoid exhaustion.

DoSConnectionEnabled 1
DoSConnectionDefenseType 2
DoSConnectionMaxConcurrentCount 50
DoSConnectionConnectRate 20
DoSConnectionConnectBurst 30
DoSConnectionConnectDefenseTimePeriod 24 hours

DefenseType 2 immediately closes excessive new connections. Recommended for middle and exit relays exposed to public traffic.

Protects against exit traffic generating too many streams per circuit.

DoSStreamCreationEnabled 1
DoSStreamCreationDefenseType 3
DoSStreamCreationRate 100
DoSStreamCreationBurst 200

Only needed for exit nodes.

Protects your hidden service from introduction/rendezvous DoS attacks.

HiddenServiceEnableIntroDoSBurstPerSec 200
HiddenServiceEnableIntroDoSRatePerSec 25
HiddenServicePoWDefensesEnabled 1
HiddenServicePoWQueueRate 250
HiddenServicePoWQueueBurst 2500
CompiledProofOfWorkHash 1

Includes: Proof-of-Work requirements Rate-limiting on intro points

If you're running any type of relay, you can disallow single-hop client circuits to further reduce abuse, but it's completely optional.

DoSRefuseSingleHopClientRendezvous 1

For a better understanding of DoS mitigation strategies and configurations, please refer to the Anon Manual under

The manual offers technical explanations and guidance to help you tailor your relay's defenses effectively.

Stream Abuse Protection

Hidden Service DoS Protection

Disable Single-Hop Client Rendezvous

RTFM

🔷
🔹
🔹
🔹
🔹
🔹
🔹
MAN - Anon Manual
DENIAL OF SERVICE MITIGATION OPTIONS