
Re: [tor-relays] DoSer is back, Tor dev's please consider



At 03:20 3/23/2018 +0000, tor <tor@xxxxxxxxxxxxx> wrote:
>> Suggestion: DoSCircuitCreationMinConnections=1 be established in consensus
>
>The man page for the above option says:
>
>"Minimum threshold of concurrent connections before a client address can be flagged as executing a circuit creation DoS. In other words, once a client address reaches the circuit rate and has a minimum of NUM concurrent connections, a detection is positive. "0" means use the consensus parameter. If not defined in the consensus, the value is 3. (Default: 0)"
[snip]
>
>Am I misunderstanding?

"concurrent connections" refers to concurrent TCP+TLS network-layer connections, not to Tor circuits--nominally one connection per peer IP.  It means the excess circuit-extend rate logic does not kick in at all until at least N TCP connections from a particular IP exist.  Once the configured number of TCP connections is present, the circuit extend rate is examined.

An adversary who stays under the configured limit (presently three) can extend circuits at extreme rates on (two) TCP connections.  The adversary must marshal a larger number of IP addresses than previously to obtain the same effect, and this raises the cost of attack, but they may still cause significant trouble, as my relay's statistics demonstrate.

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
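The following is an added model of the detection logic discussed in the reply above; it is illustration code, not tor's own dos.c, and it is not part of the original message. It keeps, per client IP, a count of concurrent TCP connections and a token bucket for circuit-creation (CREATE) cells, and marks the address only when the bucket is empty AND the connection count has reached DoSCircuitCreationMinConnections. The rate (3 creates/s), burst (90) and defense period (3600 s) are parameters chosen for the example, as are the attacker IP and the shape of the attack; tor takes the real values from torrc or the consensus.

```python
"""Model of the circuit-creation DoS heuristic discussed on the list.

Added illustration, not tor's dos.c. A client address is marked only when
its circuit-creation token bucket is exhausted AND it currently holds at
least `min_connections` concurrent TCP connections. Rate, burst and
defense period are assumed example values, not taken from the page.
"""
from dataclasses import dataclass


@dataclass
class ClientStats:
    concurrent_conns: int = 0     # open TCP+TLS connections from this IP
    bucket: float = 0.0           # remaining circuit-creation tokens
    last_refill: float = 0.0      # timestamp of the last bucket refill
    marked_until: float = 0.0     # > now while the defense is applied


class CircuitCreationDetector:
    def __init__(self, min_connections=3, rate=3.0, burst=90.0,
                 defense_period=3600.0):
        self.min_connections = min_connections  # DoSCircuitCreationMinConnections
        self.rate = rate                        # tokens refilled per second
        self.burst = burst                      # bucket capacity
        self.defense_period = defense_period    # how long a mark lasts
        self.clients = {}

    def _stats(self, ip, now):
        st = self.clients.get(ip)
        if st is None:
            # A fresh address starts with a full bucket.
            st = ClientStats(bucket=self.burst, last_refill=now)
            self.clients[ip] = st
        return st

    def new_connection(self, ip, now):
        self._stats(ip, now).concurrent_conns += 1

    def close_connection(self, ip, now):
        st = self._stats(ip, now)
        st.concurrent_conns = max(0, st.concurrent_conns - 1)

    def _refill(self, st, now):
        elapsed = now - st.last_refill
        if elapsed <= 0:
            return
        st.bucket = min(self.burst, st.bucket + elapsed * self.rate)
        st.last_refill = now

    def new_circuit(self, ip, now):
        """Account one CREATE cell from ip; return True if ip is marked."""
        st = self._stats(ip, now)
        self._refill(st, now)
        if st.bucket >= 1:
            st.bucket -= 1
        # The point of the thread: an empty bucket alone is not enough; the
        # address must also hold min_connections concurrent connections.
        if st.bucket < 1 and st.concurrent_conns >= self.min_connections:
            st.marked_until = max(st.marked_until, now + self.defense_period)
        return st.marked_until > now

    def is_marked(self, ip, now):
        return self._stats(ip, now).marked_until > now


def run_attack(min_connections, n_connections, n_creates,
               ip="198.51.100.7"):
    """Constructed scenario: one attacker IP (documentation address, not
    real) opens n_connections TCP connections at t=0 and spreads n_creates
    CREATE cells evenly over the following second. Returns the 1-based
    index of the CREATE cell that got the address marked, or None."""
    det = CircuitCreationDetector(min_connections=min_connections)
    for _ in range(n_connections):
        det.new_connection(ip, 0.0)
    for i in range(n_creates):
        if det.new_circuit(ip, i / n_creates):
            return i + 1
    return None


if __name__ == "__main__":
    # Two connections, 200 creates/s, default threshold of 3: never marked.
    print("MinConnections=3, 2 conns:", run_attack(3, 2, 200))
    # Same attacker with the threshold from the thread's suggestion.
    print("MinConnections=1, 2 conns:", run_attack(1, 2, 200))
    # Same attacker once it opens a third connection under the default.
    print("MinConnections=3, 3 conns:", run_attack(3, 3, 200))
```

With the default threshold the two-connection attacker is never marked no matter how fast it sends CREATE cells, which is the gap the reply describes; lowering the threshold to 1 marks it on the 91st create (the 90-token burst plus the trickle refilled during the second), exactly as a three-connection attacker is marked under the default.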