Re: [tor-project] Tor's history of D/DoS attacks; strategy for mitigation

[Mike Perry <mikeperry@xxxxxxxxxxxxxx>]

On 7/19/23 15:43, Cory Francis Myers wrote:
> On Fri, Jul 14, 2023 at 01:32:55AM +0000, Mike Perry wrote:
> > Most the probing attacks against relays that we saw probed for resource
> > exhaustion conditions, which we will address via those conditions
> > themselves. We did get a report of at least one instance of the typical UDP
> > reflection flood against a Tor relay, though. It was quite large, but we
> > only heard this report from one relay operator (and there are several
> > thousand relay operators).
>
> Thanks for clarifying, Mike.  This is the more-generic class of attack
> against which the DOTS standard would be most useful---which means it
> probably won't be, for Tor relays, even apart from your caveat below.
>
>
> > It is unlikely for us to get directly involved in IP address blacklist or IP
> > address reputation games. Tor user experience is significantly degraded by
> > these systems. While we are trying to pitch funding proposals to improve Tor
> > exit IP address reputation, subjecting our user IP addresses to these
> > systems seems anathema and unlikely.
>
> Understood.  Were this method to be effective, would you extend this
> objection even to coordinated *short-term* (requested/cancellable)
> mitigation, in contrast to a cumulative, long-lived reputation scheme?

I think where this is most likely to happen is at ISPs that relay 
operators use, for things like the UDP reflection attacks, rather than
the relays themselves.

David told me the other day that OVH actually stops such attacks against 
his relay every few weeks or so, so they might be more common than I 
realized, but just handled upstream in most cases.

The problem with trying to apply this to Tor itself is that
 a) We need to focus our limited dev resources on addressing existing
    resource exhaustion bottlenecks that have been targeted, rather than
    reporting mechanisms, at least for the short and medium-term.
 b) It is possible for legitimate activity to trip the rate limits that
    we have in place on Tor relays today, occasionally. We do not want
    to broadcast such IP addresses, as they might actually be legitimate
    users.

The cryptographic blinding idea I mentioned below would help with b, 
though. If some mechanism existed such that an IP was not revealed until 
it started tripping the limits of many relays, then this more strongly 
indicates that it is actually an attacker.

There are some ideas in https://www.freehaven.net/anonbib/, if you 
search for Nymble, BLAC, and Blacklisting. It has been a while since 
this literature has been reviewed or updated for ECC even, though, so I 
don't have great recommendations atm :/

> > In general, we vastly prefer cryptographic rate limiting approaches, or
> > deterrents like our pow system[1], over blacklist-based approaches.
> >
> > Now, if there were ideas being kicked around to cryptographically blind this
> > data such that IP addresses were not revealed to anyone until they appear in
> > multiple DoS event logs, that might be of interest.
>
> Interesting!  I will look into this approach as a possible extension of
> the DOTS standard.  Thanks for the suggestion.
>
>
> 	--- cfm.

--
Mike Perry
_______________________________________________
tor-project mailing list
tor-project@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project