# DoS mitigation tips

Anyone relays, especially exit and directory relays, are vulnerable to DoS attacks that can degrade performance or disrupt services. Anon provides built-in DoS mitigation options to protect relays from excessive circuit creation, connection flooding, or stream abuse. \
\
Below are some parameters that can be configured in your `anonrc` file for enhanced protection.

### :small\_blue\_diamond:Circuit Creation DoS Protection

Protects your relay from excessive circuit creation attempts.

```
DoSCircuitCreationEnabled 1
DoSCircuitCreationBurst 30
DoSCircuitCreationRate 3
DoSCircuitCreationMinConnections 3
DoSCircuitCreationDefenseTimePeriod 3600 seconds
DoSCircuitCreationDefenseType 2
```

{% hint style="info" %}
`DoSCircuitCreationDefenseType 2` will **refuse** circuit creation for the defined period if thresholds are exceeded.\
This helps prevent CPU exhaustion from malicious circuits.
{% endhint %}
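
To see how these thresholds interact, the following added example (not taken from the Anon code base or manual) models the circuit-creation limits for one client address as a token bucket. It assumes the rate and burst options follow standard token-bucket semantics and that a client is only flagged once it holds at least `DoSCircuitCreationMinConnections` concurrent connections; the class and function names are illustrative.

```python
from dataclasses import dataclass, field


@dataclass
class CircuitCreationLimiter:
    """Simplified model (an assumption, not Anon's code); one instance per client address."""
    rate: int = 3                # DoSCircuitCreationRate: tokens refilled per second
    burst: int = 30              # DoSCircuitCreationBurst: bucket capacity
    min_connections: int = 3     # DoSCircuitCreationMinConnections
    defense_period: int = 3600   # DoSCircuitCreationDefenseTimePeriod, in seconds
    tokens: int = field(init=False, default=0)
    last_refill: int = field(init=False, default=0)
    blocked_until: int = field(init=False, default=0)

    def __post_init__(self):
        self.tokens = self.burst  # the bucket starts full

    def request(self, now: int, concurrent_conns: int) -> str:
        """Decide one circuit-creation request arriving at integer second `now`."""
        if now < self.blocked_until:
            return "refuse"       # DefenseType 2 while the client is flagged
        elapsed = now - self.last_refill
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last_refill = now
        if self.tokens > 0:
            self.tokens -= 1
            return "accept"
        if concurrent_conns >= self.min_connections:
            self.blocked_until = now + self.defense_period
            return "refuse"       # bucket empty and enough connections: flag the client
        return "accept"           # bucket empty, but too few connections to flag


def simulate(limiter, events):
    """events: iterable of (second, concurrent_conns); returns decision counts."""
    counts = {"accept": 0, "refuse": 0}
    for now, conns in events:
        counts[limiter.request(now, conns)] += 1
    return counts


if __name__ == "__main__":
    # Constructed traffic: 40 requests within one second from a client with 3 connections.
    print(simulate(CircuitCreationLimiter(), [(0, 3)] * 40))
    # Constructed traffic: a steady 3 requests per second for one minute.
    steady = [(s, 3) for s in range(60) for _ in range(3)]
    print(simulate(CircuitCreationLimiter(), steady))
```

Changing the constructor arguments shows how a lower burst or a longer defense period affects well-behaved clients that share an address before you commit the values to `anonrc`.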

### :small\_blue\_diamond:Connection Flooding Protection

Limits the rate and number of incoming connections to avoid exhaustion.

```
DoSConnectionEnabled 1
DoSConnectionDefenseType 2
DoSConnectionMaxConcurrentCount 50
DoSConnectionConnectRate 20
DoSConnectionConnectBurst 30
DoSConnectionConnectDefenseTimePeriod 24 hours
```

{% hint style="info" %}
`DoSConnectionDefenseType 2` immediately closes excessive new connections.\
Recommended for middle and exit relays exposed to public traffic.
{% endhint %}

### :small\_blue\_diamond:Stream Abuse Protection

Protects against exit traffic generating too many streams per circuit.

```
DoSStreamCreationEnabled 1
DoSStreamCreationDefenseType 3
DoSStreamCreationRate 100
DoSStreamCreationBurst 200
```

{% hint style="info" %}
Only needed for **exit nodes**.
{% endhint %}

### :small\_blue\_diamond:Hidden Service DoS Protection

Protects your hidden service from introduction/rendezvous DoS attacks.

```
HiddenServiceEnableIntroDoSBurstPerSec 200
HiddenServiceEnableIntroDoSRatePerSec 25
HiddenServicePoWDefensesEnabled 1
HiddenServicePoWQueueRate 250
HiddenServicePoWQueueBurst 2500
CompiledProofOfWorkHash 1
```

{% hint style="info" %}
Includes:\
Proof-of-Work requirements\
Rate-limiting on intro points
{% endhint %}

### :small\_blue\_diamond:Disable Single-Hop Client Rendezvous

If you're running any type of **relay**, you can refuse single-hop client rendezvous circuits to further reduce abuse, but it's completely optional.

```
DoSRefuseSingleHopClientRendezvous 1
```

***

### :small\_blue\_diamond:RTFM

For a better understanding of DoS mitigation strategies and configurations, please refer to the Anon Manual under:

[#denial-of-service-mitigation-options](https://docs.anyone.io/sdk/native-sdk/manual#denial-of-service-mitigation-options "mention")

The manual offers technical explanations and guidance to help you tailor your relay's defenses effectively.

{% content-ref url="../../sdk/native-sdk/manual" %}
[manual](https://docs.anyone.io/sdk/native-sdk/manual)
{% endcontent-ref %}
