> For the complete documentation index, see [llms.txt](https://docs.anyone.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.anyone.io/relay/troubleshooting/dos-mitigation.md). # DoS mitigation tips Anyone relays, especially exit and directory relays, are vulnerable to DoS attacks that can degrade performance or disrupt services. Anon provides built-in DoS mitigation options to protect relays from excessive circuit creation, connection flooding, or stream abuse. \ \ Below are some parameters that can be configured in your `anonrc` file for enhanced protection. ### :small\_blue\_diamond:Circuit Creation DoS Protection Protects your relay from excessive circuit creation attempts. ``` DoSCircuitCreationEnabled 1 DoSCircuitCreationBurst 30 DoSCircuitCreationRate 3 DoSCircuitCreationMinConnections 3 DoSCircuitCreationDefenseTimePeriod 3600 seconds DoSCircuitCreationDefenseType 2 ``` {% hint style="info" %} `DefenseType 2` will **refuse** circuit creation for the defined period if thresholds are exceeded.\ Helps prevent CPU exhaustion from malicious circuits. {% endhint %} ### :small\_blue\_diamond:Connection Flooding Protection Limits the rate and number of incoming connections to avoid exhaustion. ``` DoSConnectionEnabled 1 DoSConnectionDefenseType 2 DoSConnectionMaxConcurrentCount 50 DoSConnectionConnectRate 20 DoSConnectionConnectBurst 30 DoSConnectionConnectDefenseTimePeriod 24 hours ``` {% hint style="info" %} `DefenseType 2` immediately closes excessive new connections.\ Recommended for middle and exit relays exposed to public traffic. {% endhint %} ### :small\_blue\_diamond:Stream Abuse Protection Protects against exit traffic generating too many streams per circuit. ``` DoSStreamCreationEnabled 1 DoSStreamCreationDefenseType 3 DoSStreamCreationRate 100 DoSStreamCreationBurst 200 ``` {% hint style="info" %} Only needed for **exit nodes**. {% endhint %} ### :small\_blue\_diamond:Hidden Service DoS Protection Protects your hidden service from introduction/rendezvous DoS attacks. ``` HiddenServiceEnableIntroDoSBurstPerSec 200 HiddenServiceEnableIntroDoSRatePerSec 25 HiddenServicePoWDefensesEnabled 1 HiddenServicePoWQueueRate 250 HiddenServicePoWQueueBurst 2500 CompiledProofOfWorkHash 1 ``` {% hint style="info" %} Includes:\ Proof-of-Work requirements\ Rate-limiting on intro points {% endhint %} ### :small\_blue\_diamond:Disable Single-Hop Client Rendezvous If you're running any type of **relay**, you can disallow single-hop client circuits to further reduce abuse, but it's completely optional. ``` DoSRefuseSingleHopClientRendezvous 1 ``` *** ### :small\_blue\_diamond:RTFM For a better understanding of DoS mitigation strategies and configurations, please refer to the Anon Manual under [Manual](/sdk/native-sdk/manual.md#denial-of-service-mitigation-options) The manual offers technical explanations and guidance to help you tailor your relay's defenses effectively. {% content-ref url="/pages/u2rzmJTz21NEQcXIkJ4b" %} [Manual](/sdk/native-sdk/manual.md) {% endcontent-ref %} --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.anyone.io/relay/troubleshooting/dos-mitigation.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.