Re: [tor-talk] Help setting up tor dos defense
- To: tor-talk@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [tor-talk] Help setting up tor dos defense
- From: s7r <s7r@xxxxxxxxxx>
- Date: Tue, 7 Jan 2020 15:38:46 +0200
- In-reply-to: <20200106141730.frehe3yyul7xp2qy@raoul>
- References: <cd4bac867413d16485412c682d51d1a5.squirrel@danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion> <20200106141730.frehe3yyul7xp2qy@raoul>
- Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
David Goulet wrote:
> Tor relays supporting the HS DoS defense (intro points) at this point in time
> are not in majority. Basically >= 0.4.2.1-alpha relays do support it which
> currently represents ~36% in bandwidth weight so roughly 1/3 of the network.
>
> If a service enables the defenses (like you did above), it will NOT
> specifically pick intro points supporting the defenses but will normally pick
> intro points as it did before and _if_ they happen to support the HS defenses
> (via protocol version "HSIntro=5"), then they are used. Yes, I agree, not
> ideal but there is a valid reason.
>
> This is in part to prevent partitioning onion services using the HS defenses
> to a specific set of relays (those who support it). Bottom line is: if the set
> of relays that can only be used by an onion service is reduced, attack surface
> gets bigger.
>
> As the relays in the network upgrade to the latest stables, the network naturally
> moves towards supporting these defenses in majority. This is another
> _extremely_ important reason why relay operators should stay up to date with
> their tor application so the network can be more agile in deploying defenses
> and improvements.
>
Sure - the best move to prevent onion services partitioning using this
HS defense. However, there is something unclear I'd like to understand.
From the manual:
**HiddenServiceEnableIntroDoSDefense** **0**|**1**::
Enable DoS defense at the intropoint level. When this is enabled, the
rate and burst parameter (see below) will be sent to the intro point
which will then use them to apply rate limiting for introduction request
to this service.
The introduction point honors the consensus parameters except if this is
specifically set by the service operator using this option. The service
never looks at the consensus parameters in order to enable or disable
this defense. (Default: 0)
So the service hosting the HS does not look at this consensus param.
Right now we do not have a consensus param for this at all, but what
will happen if the directory authorities will vote this consensus param
as HiddenServiceEnableIntroDoSDefense 1? In this case, the introduction
points will see that, and use the default values of 25 introductions per
second with a burst of 200 / sec. In this case, if a HS operator wants
to _disable_ this protection totally, he should set
HiddenServiceEnableIntroDoSRatePerSec 0 which according to the manual:
"If this option is 0, it is considered infinite and thus if
**HiddenServiceEnableIntroDoSDefense** is set, it then effectively
disables the defenses."?
Or should he just set HiddenServiceEnableIntroDoSDefense 0, which is
already 0 by default for _services_? (this is the confusing part).
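As an added illustration of the rate/burst semantics quoted from the manual above (this is a toy model written for this page, not tor's intro-point code and not part of the thread), a token bucket using the 25 introductions/sec and burst 200 defaults, where a rate of 0 is treated as infinite and HiddenServiceEnableIntroDoSDefense 0 means nothing is sent to the intro point:

```python
"""Toy token-bucket model of the intro-point rate limiter (assumption: tor's
real implementation is not reproduced here, only the semantics the manual
states: sustained rate, burst ceiling, and rate 0 == infinite)."""
from dataclasses import dataclass, field
from typing import Iterable, Optional, Tuple

DEFAULT_RATE_PER_SEC = 25   # default from the thread
DEFAULT_BURST = 200         # default from the thread


@dataclass
class IntroRateLimiter:
    rate_per_sec: int = DEFAULT_RATE_PER_SEC
    burst: int = DEFAULT_BURST
    tokens: float = field(init=False, default=0.0)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        # A fresh intro point starts with a full bucket.
        self.tokens = float(self.burst)

    @property
    def disabled(self) -> bool:
        # Manual: RatePerSec 0 is considered infinite, i.e. no limiting.
        return self.rate_per_sec == 0

    def allow(self, now: float) -> bool:
        """Admit or drop one INTRODUCE request arriving at time `now` (seconds)."""
        if self.disabled:
            return True
        elapsed = max(0.0, now - self.last)
        self.last = now
        # Refill at the sustained rate, capped at the burst size.
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate_per_sec)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def limiter_from_torrc(enable: int, rate: int = DEFAULT_RATE_PER_SEC,
                       burst: int = DEFAULT_BURST) -> Optional[IntroRateLimiter]:
    """HiddenServiceEnableIntroDoSDefense 0: the service sends no parameters
    to the intro point (None). 1 with RatePerSec 0: a limiter that admits all."""
    return IntroRateLimiter(rate, burst) if enable else None


def simulate(limiter: IntroRateLimiter, arrivals: Iterable[float]) -> Tuple[int, int]:
    """Return (accepted, rejected) counts for constructed arrival timestamps."""
    accepted = rejected = 0
    for t in arrivals:
        if limiter.allow(t):
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected
```

A flood of 300 requests at t=0 followed by 100 more one second later yields 225 accepted (the 200 burst plus 25 refilled) and 175 dropped; with RatePerSec 0 every request is admitted.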