“EndGame” DDoS Protection Toolset

A DDoS protection framework that cobbles many projects together. It’s from sketchy origins, but we only care about the code. Licensing is free for all, but not specified in a dedicated file. No one has audited the install scripts for safety yet, so we cannot include or recommend it to our users. It’s more practical to see how many pieces could be borrowed from and spun as simple config files for each of these projects separately so they can kick in whenever they’re installed.

Which “EndGame” features are missing feature request tickets at Whonix?

Selection of what’s needed next to improve Whonix onion services support:

  • onionbalance: needs conceptual proposals, see OnionBalance help - #7 by Patrick. EDIT: https://www.whonix.org/wiki/Onion_Services#OnionBalance
  • Onion Services - Whonix mentions a few ideas but …
    • for example, to come up with specific recommendations and documentation for HiddenServiceExportCircuitID, credible research, authoritative statements or something similar would be required. “EndGame” uses it, but without a clear rationale for which configuration parameters have been chosen and why, this cannot be moved forward in Whonix either, as documentation or otherwise (such as a helper script or pre-configuration).

Which specific features or feature requests are missing in Whonix?

  • Fully scripted and easily deploy-able (for mass scaling!) on blank Debian 10 systems.

Doesn’t easily translate to Whonix. Mass scaling where? On VPS or dedicated servers? On VPS: hard. Since these are virtualized by default, it gets cumbersome to run virtualization (Whonix) on top.

  • Full featured NGINX LUA script to filter packets and provide a captcha directly using the NGINX layer.

EndGame/lua/cap.lua at master · onionltd/EndGame · GitHub / EndGame/resty at master · onionltd/EndGame · GitHub is hard to port to Whonix even if it was properly licensed. It would require audit/review from someone who understands lua and nginx. Maybe it was copy/paste from elsewhere? Then it could be sourced from the original source (and perhaps the difference checked). Or could be replaced. Any other (Tor specific) DOS defenses / captcha implementations?

Onion Services - Whonix already mentions a few ideas for DOS defenses.

Could be left as an exercise for the sysadmin / contributions welcome.

  • Easy Configuration for both local and remote (over Tor) front systems.
  • Easily configurable and change-able to meet an onion service’s needs.

Turning Whonix into an uber onion service project is not on my mid-term roadmap.

  • Rate limiting via Tor’s V3 onion service circuit ID system with secondary rate limiting based on a testcookie like system.

Mentioned above.
