On Thu, Mar 27, 2014 at 7:35 AM, Harry SeventyOne <harry71@xxxxx> wrote:
> Hi,
>
> I've written this (ugly, unconfigurable) patch for Tor which is designed to
> allow hidden services more information about their users, by giving each
> inbound circuit its own temporary "IP address" in the 127.x range. This
> technique works on Linux (I've not tried it on anything else) and allows the
> application server to do some useful things which were previously difficult:
>
> * Identify TCP connections coming from the same client, in a short space of
> time, for example, for diagnostic log analysis, identifying traffic trends
> * Rate-limit operations coming from the same client, to defend against some
> types of DoS attacks
> * Temporarily block abusive clients (at least, until they make a new Tor
> circuit)
>
> More importantly, it can do this with an unmodified application server (e.g.
> web servers typically have these features built-in) because it effectively
> "spoofs" the client ID as an IP address, in the 127.x range.
>
> The patch is currently not configurable (the feature can't be turned off).
> It only works with hidden services which are routed to "localhost".
>
> Request for comments. What do you think?
Hi, Harry!
I like the idea of this feature, though really only the first
application makes sense to me. (The other two seem like they'd just
move DoS from one part of the protocol stack to another.) Are there
other applications here, or ?
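The scheme Harry describes, as an added illustration that is not his patch or any Tor code: one temporary 127.x.y.z address per live circuit, returned to the pool when the circuit closes, plus the server-side log grouping that the first use case relies on. The pool range, reserved addresses, class and function names are all hypothetical choices made here.

```python
import ipaddress
from collections import Counter
POOL = "127.0.0.0/8"  # hypothetical choice; Harry's patch hard-codes its own range
REAL_LOOPBACK = ipaddress.ip_address("127.0.0.1")  # never handed out to a circuit

class CircuitAddressMap:
    """Give each live circuit its own 127.x.y.z address for the circuit's lifetime."""
    def __init__(self, pool=POOL):
        self.pool = ipaddress.ip_network(pool)
        self.reserved = {self.pool.network_address, self.pool.broadcast_address, REAL_LOOPBACK}
        self.by_circuit = {}  # circuit id -> assigned address
        self.in_use = set()
        self.cursor = 0       # rotating offset into the pool

    def assign(self, circ_id):
        if circ_id in self.by_circuit:  # an existing circuit keeps its address
            return self.by_circuit[circ_id]
        base = int(self.pool.network_address)
        for _ in range(self.pool.num_addresses):  # one full sweep, then give up
            addr = ipaddress.ip_address(base + self.cursor)
            self.cursor = (self.cursor + 1) % self.pool.num_addresses
            if addr in self.reserved or addr in self.in_use:
                continue
            self.by_circuit[circ_id] = addr
            self.in_use.add(addr)
            return addr
        raise RuntimeError("loopback pool exhausted")

    def release(self, circ_id):
        # Circuit closed: the address goes back to the pool for some later circuit.
        self.in_use.discard(self.by_circuit.pop(circ_id))

def requests_per_client(log_lines, pool=POOL):
    """Group web-server log lines by pseudo-address, i.e. per circuit."""
    net, counts = ipaddress.ip_network(pool), Counter()
    for line in log_lines:
        try:
            client = ipaddress.ip_address(line.split(" ", 1)[0])
        except ValueError:
            continue  # malformed line, skip it
        if client in net:
            counts[str(client)] += 1
    return dict(counts)

# Constructed sample log (not real data): two circuits, the first one busier.
SAMPLE_LOG = [
    '127.0.0.2 - - [27/Mar/2014:07:35:00 +0000] "GET / HTTP/1.1" 200 512',
    '127.0.0.3 - - [27/Mar/2014:07:35:02 +0000] "GET / HTTP/1.1" 200 512',
    '127.0.0.2 - - [27/Mar/2014:07:35:03 +0000] "GET /b HTTP/1.1" 404 0',
]
```

Note that a client who builds a fresh circuit gets a fresh address, which is exactly why the "block abusive clients" use case only holds until the next circuit.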