[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] cases where relay overload can be a false positive

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] cases where relay overload can be a false positive
From: Mike Perry <mikeperry@xxxxxxxxxxxxxx>
Date: Mon, 7 Feb 2022 19:30:42 +0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 07 Feb 2022 14:31:00 -0500
In-reply-to: <c0aaa609-eb98-b927-ba05-2541188c69cf@sky-ip.org>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <f330c04c-3e37-a379-f45d-58e0930a0931@sky-ip.org> <iIcOBUSOiO-yu1MjfgiKagKG57I7kMTP6jORHJNi4TLu3DenJnTCutMzTuljQPuZgoMWWouv80ecQIzDsO8RUA==@protonmail.internalid> <20220112173606.ckjd74xqyarmqxz5@raoul> <dacb4d2f-46b1-3111-ccf4-bb30feb737e0@torproject.org> <Oer2QegQUUh0q9bMDIncbMU2hwFNX3Wor87P2NDZlHBM_KlAdOz2qtCzicsGh6h7VwjZsN9u7JUzZ9g03mF_iQ==@protonmail.internalid> <c0aaa609-eb98-b927-ba05-2541188c69cf@sky-ip.org>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.5.1

On 1/23/22 5:28 PM, s7r wrote:

Mike Perry wrote:

We need better DoS defenses generally :/


Of course we need better defense, DoS is never actually fixed, no matter
what we do. It's just an arms race the way I see it.

Well, I am extremely optimistic abouthttps://gitlab.torproject.org/tpo/core/torspec/-/blob/main/proposals/327-pow-over-intro.txt

Despite random internet hate on PoW, in the context of onion service DoS(which is our main cause of overall network DoS and actual overload), itlooks very likely to be an effective option.

Prop325 describes how we can use PoW to build a system that auto-tunesitself such that only circuits with a sufficient level of PoW succeed.This means that we won't use PoW at all, unless it is needed (ie: onlyrequire the level of PoW needed to jump the queue of DoS requests, andadvertise this level in the service descriptor).

In this way, an attack can be made considerably more expensive (and mostimportantly: less profitable) for an attacker, with the only effect thatclients wait a bit longer to connect, to solve the PoW, and only whilean attack is ongoing. If this system is effective enough, DoS-for-ransomattacks should vanish due to low profitability. And because the systemauto-tunes, we should also no longer need PoW at all, after it isdeployed, because of this deterrent effect. Win-win-win.


Jamie Harper did an implementation of this proposal:
https://github.com/jmhrpr/tor-prop-327

David, asn, and I did a prelim code review of that branch, and while itneeds more unit tests, and we need to reduce some of its externaldependencies, it was of surprisingly high code quality. Unfortunately,Jamie graduated and moved on to other things.

But if we reduce the consensus weight or assume at network level thatrelay X should be used less because of a super tiny percent of dropped > circuits we could end up in wasting network resources on one side, and
on the other side, maybe granting better probability chances for evil
relays that we have not discovered yet to grab circuits. A consensusparameter is of course appropriate here, maybe 20% is a big threshold
and should be less, but right now even 0.1% is reported and treated as
overload, IMO this is not acceptable.


I generally agree here. For this, I filed:
https://gitlab.torproject.org/tpo/core/tor/-/issues/40560

An important detail here is that ntor drops *are also* a form of thatsame kind of bias away from attacked relays, and toward evil relays.

If a relay is under such heavy DoS such that it is already dropping X%of ntors, it is *already* being forced to not carry X% of circuits. So,at minimum, it is reasonable to give it X% less traffic. However, thisreduction must also be subject to the limits of not stripping the guardflag away just for overload/DoS, as I mentioned in my previous post.

At any rate, before we even consider using overload-general for relayweighting, we first need to transition the bwauths to use congestioncontrol, and monitor how that system behaves wrt reducing overload,before we also try to add in overload-general. So it will be a while,and we will have time to thing about and analyze this stuff further.


--
Mike Perry
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Prev by Author: Re: [tor-relays] snowflake incoming UDP ports
Next by Author: [tor-relays] Introduction message from me :)
Previous by thread: [tor-relays] ExitNodes Directive Evaluated Dynamicly or Bootstrap Only?
Next by thread: [tor-relays] Tor Relay Meetup #Fosdem Notes
Index(es):
- Author
- Thread