Re: [tor-relays] botnet? abusing/attacking guard nodes

Subject: Re: [tor-relays] botnet? abusing/attacking guard nodes

Date: Tue, 19 Dec 2017 11:13:49 +1100

Delivery-date: Mon, 18 Dec 2017 19:14:13 -0500

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:content-transfer-encoding:mime-version:date:subject:message-id :references:in-reply-to:to; bh=d8mt/AId0lvFEmGT+NECJ3XBFH4U1gC3jiPCkFSsOBU=; b=RembQVcL5N3zoHC2QpVnPQ8Jw45ZnxeRizBE3/HsS1x6H1UsvG68hZUpWEzeGGcg7H 7TmDnhUnGpZWv3zTSwgmTGCnIlo45b4p8bjvnTtazYeaZ5NxcA03nf/bPxb+VydagdBH FGtus3tAjg2ygS+Zezkrn6IZQzLDsx32MlQ1j1kEzkKkATiH8QIhFjc55tHlptU0isXF +RxePyvHgAc6dORnboQ6o29gr9uEw6xA4VuLVEJk5YaU5N0hJlyo6tRQZ4c0e0iv45G7 oHM3TVW1KRebPeOK0a9Cj+67P0kz4WHtFj3DcuvUi5eQJY4xJGhxZfbH5qnf1salJXt4 vYRg==

In-reply-to: <CAD4+ng92zcTrfbRKsWQSNvL3GF7b9EmnNAzdrnk8Q7L2c=pUEg@mail.gmail.com>

List-archive: <http://lists.torproject.org/pipermail/tor-relays/>

List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>

List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>

List-post: <mailto:tor-relays@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>

References: <6.2.5.6.2.20171217094307.046a6cf0@example.org> <em52a06307-13e8-4df7-9678-e49ccf1e586e@mats-win7> <07E9864C-9141-4FC3-B3BE-687006C55BEE@gmail.com> <eb5eb109-c2f4-b0d9-f71d-d6c884330958@gmx.de> <362153A7-E3AA-43DD-B4DE-74A3D14633F0@gmail.com> <CAD4+ng92zcTrfbRKsWQSNvL3GF7b9EmnNAzdrnk8Q7L2c=pUEg@mail.gmail.com>

Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

On 19 Dec 2017, at 10:10, r1610091651 <r1610091651@xxxxxxxxxx> wrote:

I don't quite understand the last calculation.

It's a slightly better approximation that my wild guess.

"if all 65535 connections on an IP were open" => I'm guessing you mean ports

No, I mean:

"let's use 65535 as the approximate limit on connections from behind a NAT,

even though it could be larger or smaller depending on the bandwidth and

RAM available to the NAT"

The technical limit is the number of unique (source IP, source port,

destination IP, destination port) tuples, or 65535 per source IP to every

unique Tor ORPort. But that's hardly ever reached.

"the biggest Tor Guard has 0.91% Guard probability" => percentage of all entries into the network handled by this guard

=> 0.91% of all user connections
but how many user connections are there at a time?

Let's assume there are at most 65535 connections at once time from every

source IP into the Tor network.

and then don't understand how probability and ports availability can be combined?

If there are 65535 connections open from a source IP, and they all go to

Tor Guards, and the clients weight connections according to Guard

probability, then the largest guard will have 0.91% of 65535 connections,

or approximately 597.

Most guards would see 10-200 connections per IP.

On Mon, 18 Dec 2017 at 23:11 teor <teor2345@xxxxxxxxx> wrote:

> On 19 Dec 2017, at 08:38, Toralf Förster <toralf.foerster@xxxxxx> wrote:
>
> On 12/17/2017 10:24 PM, teor wrote:
>> Using 256 per IP is probably reasonable.
>
> Is this a rather arbitrary limit or does this limit fit the use of NATed addresses entirely ?

That's an arbitrary safe upper bound.

The number of active connections that can be NATed per IP address is
limited by the number of ports: 65535. (Technically, it's 65535 per
remote IP address and port, but most NATs don't have that much RAM
or bandwidth.)

Also, genuine users behind a NAT would likely have multiple Tor and
non-Tor connections open. And spare ports are needed for NAT to manage
port churn and the TCP delay wait state on connection close.

To be more precise:
* if all 65535 connections on an IP were open to the Tor network, and
* the biggest Tor Guard has 0.91% Guard probability[0], then
* it would expect to see 597 connections.

Feel free to do the sums for your own guard's probability.

(We are aware of the issue, and we are working on a more permanent fix.)

[0]: https://atlas.torproject.org/#details/9844B981A80B3E4B50897098E2D65167E6AEF127

T

--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
------------------------------------------------------------------------

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

_______________________________________________ tor-relays mailing list tor-relays@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays