DoS mitigation tips

Anyone relays, especially exit and directory relays, are vulnerable to DoS attacks that can degrade performance or disrupt services. Anon provides built-in DoS mitigation options to protect relays from excessive circuit creation, connection flooding, or stream abuse. Below are some parameters that can be configured in your anonrc file for enhanced protection.

🔹Circuit Creation DoS Protection

Protects your relay from excessive circuit creation attempts.

DoSCircuitCreationEnabled 1
DoSCircuitCreationBurst 30
DoSCircuitCreationRate 3
DoSCircuitCreationMinConnections 3
DoSCircuitCreationDefenseTimePeriod 3600 seconds
DoSCircuitCreationDefenseType 2

🔹Connection Flooding Protection

Limits the rate and number of incoming connections to avoid exhaustion.

DoSConnectionEnabled 1
DoSConnectionDefenseType 2
DoSConnectionMaxConcurrentCount 50
DoSConnectionConnectRate 20
DoSConnectionConnectBurst 30
DoSConnectionConnectDefenseTimePeriod 24 hours

🔹Stream Abuse Protection

Protects against exit traffic generating too many streams per circuit.

🔹Hidden Service DoS Protection

Protects your hidden service from introduction/rendezvous DoS attacks.

🔹Disable Single-Hop Client Rendezvous

If you're running any type of relay, you can disallow single-hop client circuits to further reduce abuse, but it's completely optional.

🔹RTFM

For a better understanding of DoS mitigation strategies and configurations, please refer to the Anon Manual under

DENIAL OF SERVICE MITIGATION OPTIONS

The manual offers technical explanations and guidance to help you tailor your relay's defenses effectively.