[Relay operators] Recommend DDoS firewall rules for operators
Based on recent discussions (tpo/community/support#40093 and https://www.petsymposium.org/foci/2024/foci-2024-0014.php), we should provide some docs for relay operators on implementing firewall rules to protect against DDoS attacks.
The following text should be added before the traffic limiting section (number 6) of https://community.torproject.org/relay/setup/post-install/:
Add firewall rules to protect against DDoS attacks
Configuring your firewall to drop excessive concurrent connections has been shown to significantly help mitigate DDoS attacks against relays.
Consider implementing one of the following mechanisms:
- https://github.com/toralf/torutils if you would like a script to deploy
- https://github.com/Enkidu-6/tor-ddos if you would like a simple set of scripts to deploy
- https://github.com/steinex/tor-ddos if you would like a simpler approach without scripts or ipset
**Note:** these are community-provided resources; check them carefully before applying them to your system.
Additionally, be aware that these rules have been shown to work against particular attacks seen in the past.
Attacks are constantly evolving and will often need new rules, so stay informed and update them as necessary, by following the relevant project and subscribing to the tor-relays mailing list.
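As an added example (not part of the proposed docs or of any of the linked projects), the POSIX shell functions below show the kind of per-source connection limit the text describes, printed for review rather than applied, plus a check over `ss` output that an operator can use to confirm whether a few sources are holding many ORPort connections. The ORPort number, the limit values and the sample `ss` lines are assumptions.

```shell
#!/bin/sh
# Added example; not the torproject docs' or the linked repos' own code.
# Assumes iptables with the connlimit and hashlimit match modules.
# Rules are printed rather than applied so the operator can review them
# first (e.g. `tor_ddos_rules 9001 | sudo sh` once they look right).

# Print iptables rules for the ORPort $1 that drop new TCP connections
# from any source already holding $2 (default 8) connections, and from
# sources opening more than $3 (default 10) new connections per minute.
tor_ddos_rules() {
    port=$1; conn_max=${2:-8}; rate_max=${3:-10}
    case $port in ''|*[!0-9]*) echo "bad ORPort: '$port'" >&2; return 1;; esac
    cat <<EOF
# Cap concurrent ORPort connections per source IPv4 address at $conn_max
iptables -A INPUT -p tcp --dport $port --syn -m connlimit --connlimit-mask 32 --connlimit-above $conn_max -j DROP
# Cap new ORPort connections per source at $rate_max/minute (burst $((rate_max * 2)))
iptables -A INPUT -p tcp --dport $port --syn -m hashlimit --hashlimit-name tor-orport --hashlimit-mode srcip --hashlimit-above $rate_max/minute --hashlimit-burst $((rate_max * 2)) -j DROP
EOF
}

# Read `ss -Htn state established '( sport = :PORT )'` output on stdin
# (peer address:port in column 4), count connections per peer address,
# and print "count address" for every peer holding more than $1.
peers_over_limit() {
    awk -v lim="$1" '{ sub(/:[0-9]+$/, "", $4); n[$4]++ }
        END { for (ip in n) if (n[ip] > lim) print n[ip], ip }' | sort -rn
}

# Constructed sample of ss output (documentation addresses, assumed ORPort 9001).
SAMPLE_SS='0 0 203.0.113.5:9001 198.51.100.7:51234
0 0 203.0.113.5:9001 198.51.100.7:51235
0 0 203.0.113.5:9001 198.51.100.7:51236
0 0 203.0.113.5:9001 192.0.2.44:40001
0 0 [2001:db8::5]:9001 [2001:db8::7]:33333'

# Usage on a live relay: ss -Htn state established '( sport = :9001 )' | peers_over_limit 2
```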