
Re: [tor-bugs] #24902 [Core Tor/Tor]: Denial of Service mitigation subsystem



#24902: Denial of Service mitigation subsystem
-----------------------------+------------------------------------
 Reporter:  dgoulet          |          Owner:  dgoulet
     Type:  enhancement      |         Status:  needs_review
 Priority:  Medium           |      Milestone:  Tor: 0.3.3.x-final
Component:  Core Tor/Tor     |        Version:
 Severity:  Normal           |     Resolution:
 Keywords:  ddos, tor-relay  |  Actual Points:
Parent ID:                   |         Points:
 Reviewer:                   |        Sponsor:
-----------------------------+------------------------------------

Comment (by dgoulet):

 Replying to [comment:2 cypherpunks]:
 > This seems like it may highly stress/kill off as well relays with old
 > Tor versions when the DDoSers change their guard (due to this patch) and
 > it eventually settles at some relay with an old Tor version.

 Yes, that is one of the worries I do have. However, this circuit creation
 mitigation defense silently drops cells on a created circuit. In other
 words, clients will open circuits on the Guard and the Guard returns
 CREATED as a response, so the client thinks it is valid and thus sends a
 bunch of cells that are silently dropped by the Guard at that point.

 I believe this makes the client not switch Guard and just keep sending
 stuff to the void. So the big Guard will soak up the load instead of
 spreading it out.

 Not perfect but a first step towards better defense.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24902#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online