[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Filtering out attacks?

On Mon, May 16, 2005 at 11:33:49AM -0400, Jonathan D. Proulx wrote:
> On the policy level I can't really determine a flow as multiple
> originators can be coming in from the same middle hop to the same
> popular site, so what is a reasonable limit on the number of syn's to
> allow per unit time?
> I guess the bigger policy question is does filtering of this sort (and
> posibly scan blocking as well) fit with TOR philosophically?

I've been thinking about this periodically. My current thought is that
we should implement some basic resource limits for technical reasons --
the previous instance of this was when somebody was hitting google a lot
via Tor, and google's DoS detectors were triggering. The Tor server could
detect this and preemptively avoid it. There are a couple advantages here:

1) The exit node *can* tell if two flows are from the same circuit. So
we could have a per-circuit limit, and also maybe an overall limit,
on the number of connections to a given IP per second.

2) When the exit node decides it can't handle a given request, it can send
back a "resource limit exceeded" reason for failing, and the client can
automatically give it a go from a different exit node. This is already
done in the case of running out of file descriptors, etc. (Actually,
I'm not sure if this is the right thing to do here. If in fact the user
is sending out way too many requests, shouldn't we cut him off rather
than spreading the pain through the rest of Tor? Perhaps the per-circuit
limit will send back an "it failed" reason, but the overall limit would
send back "resource limit exceeded".)

I am wary of going too far down this path, of course, because at some
point we're making judgments about whether to allow certain content,
and things just turn bad from there.