Releases: Enkidu-6/tor-ddos

v7.0.5

25 Oct 07:42
3a30dd4

New versions of Debian don't come with iptables. The script now installs iptables-nft automatically before applying the rules.

v7.0.4

10 Jul 23:21
3e7c29b
  • Fixed a bug in download.sh
  • Added sorting to compare file
  • Added number count to relays caught in the block list
  • Other code clean up

v7.0.3

16 Mar 04:59
87a1be4
  • Some code improvements and bug fixes.
  • Check for the existence of multiple ipv4.txt and ipv6.txt files on the system during update and give the user the chance to back up the extra files and keep only one.
  • Fixed a bug that would cause the rule generation to fail during the update.
  • Combined conntrack.sh and conntrack-2.sh into one. You no longer have to choose which file to use for your OS. It now recognizes your OS and runs the script specific to it.
  • conntrack.sh can be run independently, whether or not you apply the rest of the scripts. As long as you have conntrack on your system, you can use conntrack.sh by itself to see some helpful information regarding the state of your connections and the IP addresses that are connected to your relay.

Full Changelog: v7.0.2...v7.0.3

v7.0.2

10 Mar 17:24
eddcce5

Bug fixes.

v7.0.1

09 Mar 20:30
deea184

Minor cosmetic changes

v7.0.0

08 Mar 00:54
c06ed79

Modified rules to deal better with the current ongoing attack.

  • Most scripts were rewritten to make them cleaner and get rid of some bugs.
  • The number of connections from Snowflake servers is now also included in conntrack.sh.
  • The list of IPs with more than two connections is now also sorted by the number of connections.
  • The number of allowed connections for Multi-OR relays was reduced, because once a multi-OR server is attacked it can pass on a huge amount of data to other relays by creating multiple connections from each of its Tor instances.
  • Added a new rule to disconnect the IPs in the block list as soon as possible, not allowing them to hold on to the existing allowed connections even though they're blocked.
  • The above new rule is the only rule added by the scripts to the default INPUT chain. Since the INPUT chain - unlike the mangle - might have your personal rules as well, we do not clear it with the -F command. Instead we only remove the specific rule during the refresh and update process to avoid interfering with your existing rules.
  • The installation process is now a lot more straightforward and requires minimal effort on your part.
  • The new download.sh is the only file you need to run initially. It will take you through all the steps and apply the rules after you answer a few questions.
  • The script will download all the files in the Repository to $PWD/tor. No need to clone the Repository or download the files yourself.
  • The script attempts to search for the existing ipv4.txt anywhere on your system and if found, will give you the option to upgrade from a previous version or simply start over.
  • The script will check for your OS Release and if you are running on Ubuntu or Debian, it will install ipset and conntrack using apt, as they don't come with the OS by default. You no longer need to install them yourself.

Please feel free to ask for help in the discussion section of the Repo and let me know how the scripts work or don't work for you.
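
The per-IP connection count that these notes describe for conntrack.sh can be sketched as follows. This is an added example, not the project's own script: it counts established inbound connections per source address from `conntrack -L -p tcp` style lines and lists the addresses above a limit, sorted by count. The relay address 192.0.2.10, ORPort 443, the peer addresses and the function names are all constructed for the illustration.

```shell
#!/bin/sh
# Added illustration; not taken from the project's conntrack.sh.
# Constructed relay address 192.0.2.10 with ORPort 443; all peers are documentation IPs.

# mk STATE SRC SPORT: emit one inbound entry in `conntrack -L -p tcp` line format.
mk() {
    printf 'tcp      6 300 %s src=%s dst=192.0.2.10 sport=%s dport=443 ' "$1" "$2" "$3"
    printf 'src=192.0.2.10 dst=%s sport=443 dport=%s [ASSURED] mark=0 use=1\n' "$2" "$3"
}

sample_conntrack() {
    mk ESTABLISHED 198.51.100.7 40001; mk ESTABLISHED 198.51.100.7 40002
    mk ESTABLISHED 198.51.100.7 40003
    mk ESTABLISHED 203.0.113.5 50001; mk ESTABLISHED 203.0.113.5 50002
    mk ESTABLISHED 203.0.113.5 50003; mk ESTABLISHED 203.0.113.5 50004
    mk ESTABLISHED 203.0.113.9 51000
    mk ESTABLISHED 198.51.100.20 42001; mk ESTABLISHED 198.51.100.20 42002
    mk TIME_WAIT 198.51.100.20 42003
    # Outbound connection made by the relay itself: the peer only shows up in
    # the reply tuple, so it must not be counted as an inbound client.
    printf 'tcp      6 300 ESTABLISHED src=192.0.2.10 dst=203.0.113.5 sport=33000 dport=9001 '
    printf 'src=203.0.113.5 dst=192.0.2.10 sport=9001 dport=33000 [ASSURED] mark=0 use=1\n'
}

# over_limit ORPORT LIMIT: read conntrack lines on stdin and print "count ip"
# for every source holding more than LIMIT established connections to ORPORT,
# highest count first.
over_limit() {
    awk -v port="$1" -v limit="$2" '
        $4 == "ESTABLISHED" {
            src = ""; dport = ""
            # Use only the first src=/dport= pair (the original direction).
            for (i = 5; i <= NF; i++) {
                if (src == "" && $i ~ /^src=/) src = substr($i, 5)
                if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
            }
            if (dport == port) n[src]++
        }
        END { for (ip in n) if (n[ip] > limit) print n[ip], ip }
    ' | sort -k1,1nr -k2,2
}

sample_conntrack | over_limit 443 2
```

On a live relay the input would come from `conntrack -L -p tcp` instead of `sample_conntrack`, with the relay's own ORPort as the first argument.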

v6.1.0

15 Mar 17:06
bc4ce8c

The contents of refresh-authorities.sh have changed. Please replace your current copy with the new one to ensure your ipset is properly populated.

v6.0.0

18 Feb 12:55
2133efe

This is a major update as we are now dealing with relays that are running more than two instances of Tor.
The rules have gone through 13 days of testing on two relays with no problems or complications.

  • A new ipset is added for relays with above 2 instances of Tor. They are now allowed one connection per ORPort.
  • Relays with Two ORPorts are kept in their own list and as usual, are allowed two connections.
  • refresh-authorities.sh is now modified to also refresh the multi-OR list.
  • remove-dual-or.sh is modified to also remove multi-or IP addresses from the block list as well as dual-OR relays.
  • The above two files will be renamed in one of the future minor updates for the sake of accuracy. The names were left unchanged to make the update to a new major version as seamless as possible.
  • conntrack.sh and conntrack-2.sh were modified to reflect multi-or relays.
  • compare.sh was modified to reflect and allow manual removal of multi-or relays from the block list as well.
  • A new script dynamic.sh is now added for operators who have a dynamically changing IP address.
  • Some cosmetic changes
  • A few bug fixes.
  • No need to change current cron jobs as there are no file name changes.
  • Simply use update.sh to update your rules with no downtime.

Finally, for the sake of transparency, at the time of this release there are only 69 IP addresses running more than two instances of Tor, out of which 52 are Exit relays with zero middle and zero Guard probability. However, I believe people must have the option so they can choose for themselves, hence the new rules.

Cheers.

v5.1.1

21 Jan 09:39
722b1ed

Minor modification.

  • Added a rule to catch the bad guys sooner.
  • update.sh can be used to update the rules with no downtime.

v5.1.0

14 Jan 20:44
6d0f9d3

There's a significant change in the rules for this version but you can still use update.sh to update.

  • Removed the hashlimit rules.
  • We now have a new ipset list of dual-or relays and we allow them two connections exclusively.
  • All other relays and clients will get one connection at a time. They're not banned which means if they close the first connection, they can open another.
  • The update.sh was rewritten to reflect the new rules.
  • update-authorities.sh was rewritten to update the dual-or relay list as well. The cron job could be run once a day or every other day as those IP addresses don't change very often.
  • Changed the rules file created by update.sh to update-rules so it doesn't overwrite the rules file created by multi.sh.
  • Other minor cleanups of the scripts.
  • Updated README.md to reflect the new changes