[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[or-cvs] r9805: Add "sybil-checking.txt" as "109-no-sharing-ips.txt" (in tor/trunk: . doc/spec/proposals)

Author: nickm
Date: 2007-03-12 09:04:20 -0400 (Mon, 12 Mar 2007)
New Revision: 9805

 r12154@catbus:  nickm | 2007-03-11 23:20:58 -0400
 Add "sybil-checking.txt" as "109-no-sharing-ips.txt"

Property changes on: tor/trunk
 svk:merge ticket from /tor/trunk [r12154] on 8246c3cf-6607-4228-993b-4d95d33730f1

Modified: tor/trunk/doc/spec/proposals/000-index.txt
--- tor/trunk/doc/spec/proposals/000-index.txt	2007-03-12 00:02:18 UTC (rev 9804)
+++ tor/trunk/doc/spec/proposals/000-index.txt	2007-03-12 13:04:20 UTC (rev 9805)
@@ -27,3 +27,4 @@
 106  Checking fewer things during TLS handshakes [CLOSED]
 107  Uptime Sanity Checking [CLOSED]
 108  Base "Stable" Flag on Mean Time Between Failures [OPEN]
+109  No more than one server per IP address [OPEN]
\ No newline at end of file

Added: tor/trunk/doc/spec/proposals/109-no-sharing-ips.txt
--- tor/trunk/doc/spec/proposals/109-no-sharing-ips.txt	2007-03-12 00:02:18 UTC (rev 9804)
+++ tor/trunk/doc/spec/proposals/109-no-sharing-ips.txt	2007-03-12 13:04:20 UTC (rev 9805)
@@ -0,0 +1,77 @@
+Filename: 109-no-sharing-ips.txt
+Title: No more than one server per IP address.
+Author: Kevin Bauer & Damon McCoy
+Created: 9-March-2007
+Status: Open
+  This document describes a solution to a Sybil attack vulnerability in the
+  directory servers. Currently, it is possible for a single IP address to
+  host an arbitrarily high number of Tor routers. We propose that the
+  directory servers limit the number of Tor routers that may be registered at
+  a particular IP address to some small (fixed) number, perhaps just one Tor
+  router per IP address.
+  While Tor never uses more than one server from a given /16 in the same
+  circuit, an attacker with multiple servers in the same place is still
+  dangerous because he can get around the per-server bandwidth cap that is
+  designed to prevent a single server from attracting too much of the overall
+  traffic.
+  Since it is possible for an attacker to register an arbitrarily large
+  number of Tor routers, it is possible for malicious parties to do this to
+  as part of a traffic analysis attack.
+Security implications:
+  This countermeasure will increase the number of IP addresses that an
+  attacker must control in order to carry out traffic analysis.
+  We propose that the directory servers check if an incoming Tor router IP
+  address is already registered under another router. If this is the case,
+  then prevent this router from joining the network.
+  Upon inspection of a directory server, we found that the following IP
+  addresses have more than one Tor router:
+  Scruples     ip68-5-113-81.oc.oc.cox.net     443
+  WiseUp     ip68-5-113-81.oc.oc.cox.net     9001
+  Unnamed     pc01-megabyte-net-arkadiou.megabyte.gr  9001
+  Unnamed     pc01-megabyte-net-arkadiou.megabyte.gr  9001
+  Unnamed     pc01-megabyte-net-arkadiou.megabyte.gr  9001
+  aurel   e180062138.adsl.alicedsl.de     9001
+  sokrates   e180062138.adsl.alicedsl.de     9001
+  moria1    moria.mit.edu   9001
+  peacetime    moria.mit.edu   9100
+  There may exist compatibility issues with this proposed fix.  Reasons why
+  more than one server would share an IP address include:
+  * Testing. moria1, moria2, peacetime, and other morias all run on one
+    computer at MIT, because that way we get testing. Moria1 and moria2 are
+    run by Roger, and peacetime is run by Nick.
+  * NAT. If there are several servers but they port-forward through the same
+    IP address, ... we can hope that the operators coordinate with each
+    other. Also, we should recognize that while they help the network in
+    terms of increased capacity, they don't help as much as they could in
+    terms of location diversity. But our approach so far has been to take
+    what we can get.
+  * People who have more than 1.5MB/s and want to help out more. For
+    example, for a while Tonga was offering 10MB/s and its Tor server
+    would only make use of a bit of it. So Roger suggested that he run
+    two Tor servers, to use more.
+  Roger suggested that instead of capping number of servers per IP to 1, we
+  should cap total declared bandwidth per IP to some N, and total declared
+  servers to some M.  (He suggested N=5MB/s and M=5.)
+  Roger also suggested that rather than not listing servers, we mark them as
+  not Valid.