Uptime Sanity Checking
Filename: uptime_sanity_checking.txt
Title: Uptime Sanity Checking
Version:
Last-Modified:
Author: Kevin Bauer & Damon McCoy
Created: 8-March-2007
Status: Open
Overview:
This document describes how to cap the uptime that
is used when computing which routers are marked as stable
such that highly stable routers cannot be displaced by
malicious routers that report extremely high uptime
values.
This is similar to how bandwidth is capped at 1.5MB/s.
Motivation:
It has been pointed out that an attacker can
displace all stable nodes and entry guard nodes by
reporting high uptimes. This is an easy fix that
will prevent highly stable nodes from being
displaced.
Security implications:
It should decrease the effectiveness of routing
attacks that report high uptimes while not impacting
the normal routing algorithms.
Specification:
We propose that uptime be capped at two months.
Currently there are approximately 50 nodes with this
amount of uptime, and the average uptime is around 9
days. This cap would prevent these 50 nodes from
being displaced by an attacker.
Compatibility:
There should be no compatibility issues due to uptime
capping.
Implementation:
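/* Two months, in seconds. Parenthesized so the macro expands
   safely inside larger expressions. */
#define MAX_BELIEVABLE_UPTIME (60*24*60*60)

dirserv.c, line 1448:

*up = (uint32_t) real_uptime(ri, now);
/* Clamp the reported uptime so inflated values gain nothing. */
if (*up > MAX_BELIEVABLE_UPTIME) {
  *up = MAX_BELIEVABLE_UPTIME;
}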
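Added example (not part of the original proposal and not Tor's code): it shows the effect of the cap on a constructed router list. It assumes, for illustration only, that a router counts as stable when its uptime is at or above the median of all reported uptimes; cap_uptime, stable_cutoff, honest_stable and SAMPLE are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#define DAY 86400u
#define MAX_BELIEVABLE_UPTIME (60u * DAY) /* two months, as proposed */
/* Constructed sample: 5 honest routers, then 6 that self-report 1000 days. */
#define N_HONEST 5
#define N_TOTAL 11
static const uint32_t SAMPLE[N_TOTAL] = {
  3 * DAY, 9 * DAY, 20 * DAY, 70 * DAY, 90 * DAY,
  1000 * DAY, 1000 * DAY, 1000 * DAY, 1000 * DAY, 1000 * DAY, 1000 * DAY
};

static uint32_t cap_uptime(uint32_t reported) {
  return reported > MAX_BELIEVABLE_UPTIME ? MAX_BELIEVABLE_UPTIME : reported;
}

static int cmp_u32(const void *a, const void *b) {
  uint32_t x = *(const uint32_t *)a, y = *(const uint32_t *)b;
  return (x > y) - (x < y);
}

/* Assumed rule: a router is stable if its uptime >= the median uptime. */
static uint32_t stable_cutoff(const uint32_t *reported, size_t n, int use_cap) {
  uint32_t cutoff, *v = malloc(n * sizeof *v);
  if (!v || n == 0) { free(v); return 0; }
  for (size_t i = 0; i < n; i++)
    v[i] = use_cap ? cap_uptime(reported[i]) : reported[i];
  qsort(v, n, sizeof *v, cmp_u32);
  cutoff = v[n / 2];
  free(v);
  return cutoff;
}

/* How many of the first n_honest routers still meet the cutoff. */
static size_t honest_stable(const uint32_t *r, size_t n, size_t n_honest, int use_cap) {
  uint32_t cutoff = stable_cutoff(r, n, use_cap);
  size_t count = 0;
  for (size_t i = 0; i < n_honest; i++)
    if ((use_cap ? cap_uptime(r[i]) : r[i]) >= cutoff) count++;
  return count;
}

int main(void) {
  printf("stable honest routers, no cap: %zu\n", honest_stable(SAMPLE, N_TOTAL, N_HONEST, 0));
  printf("stable honest routers, capped: %zu\n", honest_stable(SAMPLE, N_TOTAL, N_HONEST, 1));
  return 0;
}
```

With the cap, the cutoff can never exceed MAX_BELIEVABLE_UPTIME, so any router with at least two months of real uptime always meets it regardless of what other routers report.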