[Suggestion][OnionService][DDoS] Add 3 new options, HiddenServiceRejectIntro
Problem: Many people are running nmap against Tor services. This creates unnecessary traffic not only for the Tor network but also for Tor service operators.
You really need to do something.
I propose "HiddenServiceRejectIntro."
HiddenServiceDir /WWWWWWWW/
HiddenServiceEnableIntroDoSDefense 1
HiddenServiceEnableIntroDoSRatePerSec X
HiddenServiceEnableIntroDoSBurstPerSec X
HiddenServicePort 80 AAAAAAA
HiddenServicePort 1337 AAAAAAA
HiddenServiceRejectIntro 1
HiddenServiceRejectIntroIfHostNotMatch "^(xmpp|chat)\.mylloonnggoonniioonnnnaammee.onion$"
HiddenServiceRejectIntroIfTargetNotInPort 80,1337
HiddenServiceRejectIntroMinutes 60
- HiddenServiceRejectIntro 1
Default: 0. If 1, reject ANY new request from the requestor (the Tor node which is sending this evil request) for {HiddenServiceRejectIntroMinutes} minutes.
- HiddenServiceRejectIntroIfHostNotMatch REGEX
Default: unset. If set, flag it as BAD when the host does not match REGEX. In this example, mylloonnggoonniioonnnnaammee.onion should be dropped immediately, while chat.mylloonnggoonniioonnnnaammee.onion requests are still allowed.
- HiddenServiceRejectIntroIfTargetNotInPort Port,Port...
Default: unset. If set, when the requestor asks to connect to onionname.onion:123 (which is not open), flag it as BAD and drop it immediately without responding to the requestor.
- HiddenServiceRejectIntroMinutes NUM
Default: 10 (as in 10 minutes).
If HiddenServiceRejectIntro is enabled AND either RejectIntroIf check returns a BAD flag, drop (no response, ignore completely) the request from the requestor (remember this attacker for 24 hours) for {HiddenServiceRejectIntroMinutes} minutes.
Please consider this.
Edited by David Goulet
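To make the proposed semantics concrete, here is an added simulation of the decision logic the four options describe. It is example code written for this page, not tor's implementation and not the proposer's code: the IntroRequest fields (requestor id, requested host, target port, timestamp) are an assumed model of what the service side could inspect, the dot before "onion" in the regex is escaped here, and a BAD request is dropped on its own while HiddenServiceRejectIntro additionally remembers the requestor for HiddenServiceRejectIntroMinutes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class IntroRequest:
    """One introduction request as modelled here (constructed, not tor's cell format)."""
    requestor: str  # hypothetical identifier of the party that sent the request
    host: str       # onion hostname the requestor asked for
    port: int       # target port the requestor asked to reach
    ts: float       # arrival time in seconds


class RejectIntroPolicy:
    """Simulation of the proposed HiddenServiceRejectIntro* options."""

    def __init__(self, reject_intro: bool, host_regex: Optional[str] = None,
                 allowed_ports: Optional[Set[int]] = None, reject_minutes: int = 10):
        self.reject_intro = reject_intro                         # HiddenServiceRejectIntro
        self.host_re = re.compile(host_regex) if host_regex else None  # ...IfHostNotMatch
        self.allowed_ports = allowed_ports                       # ...IfTargetNotInPort
        self.reject_seconds = reject_minutes * 60                # ...Minutes
        self.blocked_until: Dict[str, float] = {}                # requestor -> expiry time

    def is_bad(self, req: IntroRequest) -> bool:
        """Either RejectIntroIf check flags the request as BAD."""
        if self.host_re is not None and not self.host_re.match(req.host):
            return True
        if self.allowed_ports is not None and req.port not in self.allowed_ports:
            return True
        return False

    def decide(self, req: IntroRequest) -> str:
        """Return 'DROP' (no response at all) or 'ACCEPT' for one request."""
        expiry = self.blocked_until.get(req.requestor)
        if expiry is not None:
            if req.ts < expiry:
                return "DROP"          # still inside the reject window
            del self.blocked_until[req.requestor]  # window elapsed, forget the requestor
        if self.is_bad(req):
            if self.reject_intro:
                # Remember the requestor for HiddenServiceRejectIntroMinutes
                self.blocked_until[req.requestor] = req.ts + self.reject_seconds
            return "DROP"
        return "ACCEPT"


def run_demo() -> List[str]:
    """Replay constructed requests against the torrc values shown in the proposal."""
    policy = RejectIntroPolicy(
        reject_intro=True,
        host_regex=r"^(xmpp|chat)\.mylloonnggoonniioonnnnaammee\.onion$",
        allowed_ports={80, 1337},
        reject_minutes=60,
    )
    good_host = "chat.mylloonnggoonniioonnnnaammee.onion"
    reqs = [
        IntroRequest("relay-A", good_host, 80, 0.0),       # matches host and port
        IntroRequest("relay-B", "mylloonnggoonniioonnnnaammee.onion", 80, 1.0),  # host mismatch
        IntroRequest("relay-B", good_host, 80, 2.0),       # valid, but relay-B is blocked
        IntroRequest("relay-C", good_host, 22, 3.0),       # port not in 80,1337
        IntroRequest("relay-B", good_host, 80, 3601.0),    # 60-minute window has elapsed
    ]
    return [policy.decide(r) for r in reqs]


if __name__ == "__main__":
    print(run_demo())  # ['ACCEPT', 'DROP', 'DROP', 'DROP', 'ACCEPT']
```

The third request shows the cost of the proposal as written: once a requestor is flagged, even its well-formed requests are ignored until the window expires, so the window length trades scan suppression against collateral drops.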