
Re: [tor-dev] Constraining Ephemeral Service Creation in Tor



On 2016-09-29 08:38, teor wrote:
On 28 Sep 2016, at 07:59, bancfc@xxxxxxxxxxxxxxx wrote:

Hello, we are working on supporting ephemeral onion services in Whonix and one of the concerns brought up is how an attacker can potentially exhaust resources like RAM, CPU, entropy... on the Gateway (or system in the case of TAILS) by requesting an arbitrary number of services and ports to be created.

In our opinion, options in core Tor for setting a maximum number of services and ports per service seem the right way to go about it. Also rate limiting the requests (like you do with NEWNYM) would be a sensible thing to do.

What are your opinions about this?

I think this would be much better implemented in a control port filter.
There are several existing control port filters.
Do they have this feature?

None of them do.


Alternately, you should limit resources to the tor process using OS
facilities. If you set an open file limit, this will constrain the
number of hidden services.
If it doesn't, or tor behaves badly when adding a hidden service with
few file descriptors, file a bug against tor.

Thanks for the tip.


T

--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
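
The limits discussed in this thread (a maximum number of services, a maximum number of ports per service, and rate limiting of requests), sketched as the policy a control port filter could apply. This is an added example, not code from the thread, from tor, or from any existing filter. The `OnionLimiter` class, its default limits and its reason strings are assumptions; `ADD_ONION`, `DEL_ONION`, `Port=` and the `250-ServiceID=` reply line come from the Tor control protocol.

```python
import time
from collections import deque


class OnionLimiter:
    """Hypothetical policy object: decides whether a client command may pass."""

    def __init__(self, max_services=5, max_ports=3, max_requests=3,
                 window=60.0, clock=time.monotonic):
        self.max_services = max_services  # services alive at the same time
        self.max_ports = max_ports        # Port= arguments per ADD_ONION
        self.max_requests = max_requests  # accepted ADD_ONION per window
        self.window = window              # rate-limit window in seconds
        self.clock = clock
        self.active = set()               # service IDs tor has confirmed
        self.recent = deque()             # times of accepted ADD_ONION requests

    def check(self, line):
        """Return (allowed, reason) for one command line sent by the client."""
        words = line.strip().split()
        cmd = words[0].upper() if words else ""
        if cmd == "DEL_ONION" and len(words) == 2:
            self.active.discard(words[1])  # frees a slot for a later ADD_ONION
            return True, "service removed"
        if cmd != "ADD_ONION":
            return True, "not an onion-service command"
        ports = [w for w in words[1:] if w.upper().startswith("PORT=")]
        if not ports or len(ports) > self.max_ports:
            return False, "port count outside 1..%d" % self.max_ports
        if len(self.active) >= self.max_services:
            return False, "service limit reached"
        now = self.clock()
        while self.recent and now - self.recent[0] >= self.window:
            self.recent.popleft()          # forget requests older than the window
        if len(self.recent) >= self.max_requests:
            return False, "rate limit exceeded"
        self.recent.append(now)
        return True, "ok"

    def on_reply(self, line):
        """Track the new service from tor's '250-ServiceID=...' reply line.

        Assumes the filter forwards one command and reads its reply before
        accepting the next, so the active count is current on every check.
        """
        if line.startswith("250-ServiceID="):
            self.active.add(line.strip().split("=", 1)[1])
```

A filter would call `check()` on each client line before forwarding it to tor and `on_reply()` on each line tor sends back. An open file limit on the tor process, as suggested above, still applies underneath as a backstop.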








_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
