[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #11015 [Obfsproxy]: UniformDH should not block the main event loop

Subject: [tor-bugs] #11015 [Obfsproxy]: UniformDH should not block the main event loop
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Sat, 22 Feb 2014 06:00:22 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sat, 22 Feb 2014 01:00:33 -0500
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#11015: UniformDH should not block the main event loop
-----------------------------------------------+---------------------
 Reporter:  yawning                            |          Owner:  asn
     Type:  defect                             |         Status:  new
 Priority:  normal                             |      Milestone:
Component:  Obfsproxy                          |        Version:
 Keywords:  python, UniformDH, cpu exhaustion  |  Actual Points:
Parent ID:                                     |         Points:
-----------------------------------------------+---------------------
 This isn't as big of a deal when gmpy is installed, but depending on how
 determined the adversary is, it still might be a problem.

 I got curious I went and benchmarked the obfsproxy UniformDH
 implementation.  On the test machine I used (i5-3320M), the generate +
 exchange takes ~24 - 25 msec (With gmpy it takes ~3.8 msec).

 Since the obfsproxy code does the key exchange in the main event loop,
 this means that on each incoming connection, the server will spend that
 much time doing the modular exponentiation and nothing else (To be
 pedantic for the obfs3 transport the attacker needs to only open a ton of
 TCP connections, even without sending anything to be successful).

 Things that should be done:
  * Use twisted.internet.threads.deferToThread to do the modular
 exponentiation in a thread pool, leaving the main event loop free to
 process other connections.
  * Rate limit the number of incoming connections processed per interval to
 something sane.  Also strongly consider rate limiting by source IP, so
 that an adversary at least has to get a bot net.
  * modexp.powMod should also support using gmpy2 (Different import).  Per
 the authors "gmpy2 is now the recommended version, especially if you use
 the pre-compiled versions for Windows."
  * I do have a OpenSSL based implementation of the key exchange that is
 similar in performance to the gmpy based code.  I could write a python
 module for it.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/11015>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Follow-Ups:
- Re: [tor-bugs] #11015 [Obfsproxy]: UniformDH should not block the main event loop
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #11015 [Obfsproxy]: UniformDH should not block the main event loop
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #11015 [Obfsproxy]: UniformDH should not block the main event loop
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #11015 [Obfsproxy]: UniformDH should not block the main event loop
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #11015 [Obfsproxy]: UniformDH should not block the main event loop
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #11015 [Obfsproxy]: UniformDH should not block the main event loop
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #11015 [Obfsproxy]: UniformDH should not block the main event loop
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #11015 [Obfsproxy]: UniformDH should not block the main event loop
  - From: Tor Bug Tracker & Wiki
- Re: [tor-bugs] #11015 [Obfsproxy]: UniformDH should not block the main event loop
  - From: Tor Bug Tracker & Wiki

Prev by Author: [tor-bugs] #11014 [Tor bundles/installation]: "Start Tor Browser.exe" from another directory fails to start Tor Launcher, gives Mozilla branding
Next by Author: Re: [tor-bugs] #11014 [Tor bundles/installation]: "Start Tor Browser.exe" from another directory fails to start Tor Launcher, gives Mozilla branding
Previous by thread: Re: [tor-bugs] #11014 [Tor bundles/installation]: "Start Tor Browser.exe" from another directory fails to start Tor Launcher, gives Mozilla branding
Next by thread: Re: [tor-bugs] #11015 [Obfsproxy]: UniformDH should not block the main event loop
Index(es):
- Author
- Thread