Re: Mixed pages - serious bug of tor



On Thu, Jul 17, 2008 at 02:30:25AM +0200, slush wrote:
> I tried to repeat this bug (really sorry to all relay operators).
> I found that this part of the Python code breaks the connection of a
> standalone browser.

It looks like you have DoSed some of the faster Tor relays out there,
and then Tor stopped working as well for you. Perhaps these were your
entry guards, so you were particularly strongly affected?

But more broadly, yes, the capacity of the Tor network, while huge, is
still small compared to all the people out there who might want to use it.

And you can do a CPU denial of service too, not just a bandwidth denial
of service, as you say.

Part of the challenge here is that we've built an anonymity system,
and that means it's hard for a relay to distinguish between 500 users
each building a circuit, and one guy named Marek building 500 circuits.

I guess we can put some checks for this particular attack in, for example
by rate limiting the number of create attempts from a Tor not listed
in the directory. But I fear that stopping all DoS avenues is a losing
proposition. It's hard enough to build a system that handles many users
well even when they are all playing nice.

Suggestions?

> In many cases, refreshing the page after the script has finished leads
> to corrupted pages.

This sounds like a separate bug. Are you using Privoxy or Polipo? Which
version of Torbutton? More details about what "corrupted" means?

Thanks,
--Roger
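
[Added example, not part of Roger's message and not Tor source code.] A sketch of the check suggested above: a per-peer token bucket on create attempts that exempts peers listed in the directory. The table size, burst and refill values, the listed-relay array and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_PEERS 1024      /* assumed table size for this sketch */
#define BURST 20.0          /* assumed: creates allowed in one burst */
#define REFILL_PER_SEC 5.0  /* assumed: sustained creates per second per peer */
struct bucket { uint32_t addr; double tokens; double last; int used; };
static struct bucket table[MAX_PEERS];

/* Hypothetical stand-in for a directory lookup (constructed address 192.0.2.1). */
static const uint32_t listed_relays[] = { 0xC0000201u };

static int is_listed(uint32_t addr) {
    for (size_t i = 0; i < sizeof listed_relays / sizeof listed_relays[0]; i++)
        if (listed_relays[i] == addr) return 1;
    return 0;
}

/* Find the peer's bucket, or claim a free slot that starts with a full burst. */
static struct bucket *find_bucket(uint32_t addr, double now) {
    struct bucket *free_slot = NULL;
    for (int i = 0; i < MAX_PEERS; i++) {
        if (table[i].used && table[i].addr == addr) return &table[i];
        if (!table[i].used && !free_slot) free_slot = &table[i];
    }
    if (!free_slot) return NULL;
    *free_slot = (struct bucket){ addr, BURST, now, 1 };
    return free_slot;
}

/* Returns 1 if a create from addr at time now (seconds) is accepted, else 0. */
int allow_create(uint32_t addr, double now) {
    if (is_listed(addr)) return 1;   /* listed relays carry many users' circuits */
    struct bucket *b = find_bucket(addr, now);
    if (!b) return 0;                /* table full: refuse unlisted peers */
    double dt = now > b->last ? now - b->last : 0.0;  /* ignore clock steps back */
    b->tokens += dt * REFILL_PER_SEC;
    if (b->tokens > BURST) b->tokens = BURST;
    b->last += dt;
    if (b->tokens < 1.0) return 0;
    b->tokens -= 1.0;
    return 1;
}

/* Counts how many of n back-to-back creates from addr at time now are accepted. */
int count_accepted(uint32_t addr, int n, double now) {
    int ok = 0;
    for (int i = 0; i < n; i++) ok += allow_create(addr, now);
    return ok;
}
```

The bucket is keyed on the address the relay sees, so it caps one unlisted client opening 500 circuits but cannot tell apart many users arriving through the same address.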