[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] [tor] 39/77: manpage: document HiddenServicePoWDefensesEnabled option

To: tor-commits@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-commits] [tor] 39/77: manpage: document HiddenServicePoWDefensesEnabled option
From: gitolite role via tor-commits <tor-commits@xxxxxxxxxxxxxxxxxxxx>
Date: Wed, 10 May 2023 15:47:23 +0000
Auto-submitted: auto-generated
Cc: gitolite role <git@xxxxxxxxxxxxxxxxxxxxx>
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 10 May 2023 11:48:13 -0400
Dkim-signature: v=1; a=rsa-sha256; c=simple/simple; d=lists.torproject.org; s=2022-eugeni; t=1683733689; bh=8YbwNwH/i38cRyeOS0S37Rz2JM/qbd5nswdj++0zzt8=; h=Date:To:In-Reply-To:References:Subject:List-Id:List-Unsubscribe: List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc: From; b=PcYqFIQtaAnTlsT7/FKEZGc94QEwiXMJ8mfYUYwXzN5zNp1/Pb+M7RykxTT20dK+g Ulj6rnkLggnCOVvVSs7qii1/qL4o55DM2J/NwfVQ6q8SQF8aAXZ6iqZKwBqXgtf84f nDrz95HtQqcJl8k4RkZ7iprjUBCsvsy9FZpzwWYCLRPzo8vhNtEmUxrnWgaQHEslCN sntF/RFN6O+4lF1NDGuPQkCs7mT0EHEmKSrMKIbGQssyMWTjE+v2fsPTGM92YieBtH IZHLtu+QOMXvfmwvuToDZvryL6fQb4RAqxcQH6ltskLJK1n5imwcPn7LPTy0wva6Jg oFWH4V2NMbR9g==
In-reply-to: <168373360469.13998.2199490141248939962@cupani.torproject.org>
List-archive: <http://lists.torproject.org/pipermail/tor-commits/>
List-help: <mailto:tor-commits-request@lists.torproject.org?subject=help>
List-id: "auto: code repository commits" <tor-commits.lists.torproject.org>
List-post: <mailto:tor-commits@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits>, <mailto:tor-commits-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-commits>, <mailto:tor-commits-request@lists.torproject.org?subject=unsubscribe>
References: <168373360469.13998.2199490141248939962@cupani.torproject.org>
Reply-to: Micah Elizabeth Scott <beth@xxxxxxxxxxxxxx>
Sender: "tor-commits" <tor-commits-bounces@xxxxxxxxxxxxxxxxxxxx>
Thread-index: AQAAEjRW18IRXHA5SYObXiIb5OXYBQ==

This is an automated email from the git hooks/post-receive script.

dgoulet pushed a commit to branch main
in repository tor.

commit 98299e0f8b872825cffa5afd007ee7fd5fd2a39a
Author: Micah Elizabeth Scott <beth@xxxxxxxxxxxxxx>
AuthorDate: Mon Feb 27 15:36:22 2023 -0800

    manpage: document HiddenServicePoWDefensesEnabled option
    
    Signed-off-by: Micah Elizabeth Scott <beth@xxxxxxxxxxxxxx>
---
 doc/man/tor.1.txt | 31 ++++++++++++++++++++++++-------
 1 file changed, 24 insertions(+), 7 deletions(-)

diff --git a/doc/man/tor.1.txt b/doc/man/tor.1.txt
index 57992cd8d2..a62c7c7d82 100644
--- a/doc/man/tor.1.txt
+++ b/doc/man/tor.1.txt
@@ -3021,14 +3021,14 @@ Denial of Service mitigation subsystem described above.
     (Default: auto)
 
 
-As for onion services, only one possible mitigation exists. It was intended to
-protect the network first and thus do not help the service availability or
-reachability.
+For onion services, mitigations are a work in progress and multiple options
+are currently available.
 
-The mitigation we put in place is a rate limit of the amount of introduction
-that happens at the introduction point for a service. In other words, it rates
-limit the number of clients that are attempting to reach the service at the
-introduction point instead of at the service itself.
+The introduction point defense is a rate limit on the number of introduction
+requests that will be forwarded to a service by each of its honest
+introduction point routers. This can prevent some types of overwhelming floods
+from reaching the service, but it will also prevent legitimate clients from
+establishing new connections.
 
 The following options are per onion service:
 
@@ -3082,6 +3082,23 @@ The bottom line is that this protects the network by preventing an onion
 service to flood the network with new rendezvous circuits that is reducing load
 on the network.
 
+A secondary mitigation is available, based on prioritized dispatch of rendezvous
+circuits for new connections. The queue is ordered based on effort a client
+chooses to spend at computing a proof-of-work function.
+
+The following options are per onion service:
+
+[[HiddenServicePoWDefensesEnabled]] **HiddenServicePoWDefensesEnabled** **0**|**1**::
+
+    Enable proof-of-work based service DoS mitigation. If set to 1 (enabled),
+    tor will include parameters for an optional client puzzle in the encrypted
+    portion of this hidden service's descriptor. Incoming rendezvous requests
+    will be prioritized based on the amount of effort a client chooses to make
+    when computing a solution to the puzzle. The service will periodically update
+    a suggested amount of effort, based on attack load, and disable the puzzle
+    entirely when the service is not overloaded.
+    (Default: 0)
+
 
 == DIRECTORY AUTHORITY SERVER OPTIONS
 

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits

References:
- [tor-commits] [tor] branch main updated (9ee71eaf5a -> e643a70879)
  - From: gitolite role via tor-commits

Prev by Author: [tor-commits] [tor] 02/04: Merge branch 'tor-gitlab/mr/714' into maint-0.4.7
Next by Author: [tor-commits] [tor] 65/77: hs_pow: bump client-side effort limit from 500 to 10000
Previous by thread: [tor-commits] [tor] 37/77: hs_metrics: Proof of Work pqueue depth, suggested effort
Next by thread: [tor-commits] [tor] 35/77: compute the client-side pow in a cpuworker thread
Index(es):
- Author
- Thread