
Re: Tor 0.2.1.12-alpha is out



On Tue, Feb 10, 2009 at 11:34:31AM +0200, Jari Turkia wrote:
> Roger Dingledine wrote:
> >Tor 0.2.1.12-alpha features several more security-related fixes. You
> ...
> >    - Fix a temporary DoS vulnerability that could be performed by
> >      a directory mirror. Bugfix on 0.2.0.9-alpha; reported by lark.
> 
> Is there a bug report about excessive log flooding?
> Feb 01 04:02:32.473 [warn] Failing because we have 1016 connections 
> already. Please raise your ulimit -n.
> Feb 01 04:02:32.860 [warn] Failing because we have 1016 connections 
> already. Please raise your ulimit -n.
> Feb 01 04:02:35.847 [notice] accept failed: Too many open files. 
> Dropping incoming connection.
> Feb 01 04:02:35.847 [notice] accept failed: Too many open files. 
> Dropping incoming connection.
> 
> Raising ulimit -n is not an option for all of us. What is needed is a 
> config option to limit number of connections and limit the logging. In a 
> couple of hours there will be 3 gigabytes of log. This makes it possible 
> to DoS a tor-node.

You should set your MaxAdvertisedBandwidth line in your torrc, at a
low enough number that it's advertising a rate that doesn't cause those
log entries.

(If you ignore them, you are denying service to clients who are trying
to use your relay and failing.)

Eventually, you're right, we should design a Tor network and protocol
where each relay doesn't have to reach each other relay. That's harder
than it sounds, though, if you want to keep anonymity and have low
directory overhead too.

Why is raising ulimit -n not an option for you?

--Roger
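
Added example, not part of the original message or of Tor's code: a Python script that parses the log lines quoted above (with the e-mail wrapping undone), collapses repeats, and measures how fast descriptor-exhaustion messages arrive, so an operator can see the flood before the log fills the disk. The function names and the placeholder year are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# The four log lines quoted in the message above, unwrapped.
SAMPLE_LOG = """\
Feb 01 04:02:32.473 [warn] Failing because we have 1016 connections already. Please raise your ulimit -n.
Feb 01 04:02:32.860 [warn] Failing because we have 1016 connections already. Please raise your ulimit -n.
Feb 01 04:02:35.847 [notice] accept failed: Too many open files. Dropping incoming connection.
Feb 01 04:02:35.847 [notice] accept failed: Too many open files. Dropping incoming connection.
"""

LINE_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \[(\w+)\] (.*)$")
# Fragments, as they appear in the quoted log, that indicate descriptor exhaustion.
FD_MARKERS = ("Please raise your ulimit -n", "Too many open files")

def parse_line(line):
    """Return (timestamp, severity, message), or None for a non-matching line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # The log carries no year; 2000 is an assumed placeholder (a leap year, so Feb 29 parses).
    ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S.%f")
    return ts, m.group(2), m.group(3)

def summarize(log_text):
    """Collapse repeated messages and measure how fast fd-exhaustion lines arrive."""
    counts, fd_times, fd_bytes = Counter(), [], 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, severity, msg = parsed
        # Replace digits so messages differing only in a counter collapse together.
        counts[(severity, re.sub(r"\d+", "N", msg))] += 1
        if any(marker in msg for marker in FD_MARKERS):
            fd_times.append(ts)
            fd_bytes += len(line) + 1  # +1 for the newline written to disk
    span = (max(fd_times) - min(fd_times)).total_seconds() if fd_times else 0.0
    rate = len(fd_times) / span if span > 0 else float(len(fd_times))
    return {"counts": counts, "fd_lines": len(fd_times), "fd_bytes": fd_bytes,
            "span_seconds": span, "lines_per_second": rate}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for (severity, msg), n in report["counts"].most_common():
        print(f"{n:6d}  [{severity}] {msg}")
    print(f"{report['fd_lines']} fd-exhaustion lines, {report['fd_bytes']} bytes, "
          f"{report['lines_per_second']:.2f} lines/s")
```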