Re: another DirPort DoS attacker

     On Wed, 03 Sep 2008 14:11:36 +0200 Dominik Schaefer <schaedpq2@xxxxxx>
>John Brooks schrieb:
>> This definitely needs some limits added (why would one IP ever need
>> more than a couple directory connections to one location?)

     I have been unable to come up with a reason why any instance of tor
should ever need more than one open connection to the DirPort of another
particular instance of tor.  However, I think it was Roger who stated that
when tor is getting initialized and needs to get a lot of directory data
in a hurry, that it may have many open connections, each requesting a
separate, small portion of the directory.  He didn't say that that was
necessary for any particular reason, IIRC, just that that was how tor
currently worked.
     Frankly, I haven't yet thought of a justification for needing a TCP
connection to a DirPort that is separate from the ORPort, at least not
given the current state of tor.  If one could specify a "DirAddress" distinct
from Address, then it might make sense because then a computer with multiple
interfaces leading to the Internet would be able to separate the server's
relay traffic onto one interface and directory traffic onto another.

>NAT - Network Address Translation - comes to mind. It is also possible

     You lost me there.  How would NAT be involved?

>to run multiple Tor instances on one multi-user machine. The requests
>in both cases are completely legitimate, especially in case of
>high-bandwidth mirrors or relays.
>That probably won't produce hundreds of simultaneous connections, but
>be careful with limiting conns/IP.

     I should certainly hope not!  tor is a connection-hungry little
application, but not *that* hungry...at least, I don't think.  ;-)
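As an added illustration of the trade-off this exchange raises (a cap on simultaneous DirPort connections per source IP catches a flooder, but a cap of one would also refuse a NAT gateway or a multi-user host running several Tor instances), here is a small per-IP concurrent-connection limiter replayed against constructed traffic. This is example code written for this note, not Tor's own DirPort handling; the class and function names, the caps of 1 and 16, and the sample addresses (documentation ranges) are all assumptions chosen for the demonstration.

```python
from collections import defaultdict


class PerIpConnectionLimiter:
    """Track concurrent connections per source IP and refuse new ones past a cap.

    Hypothetical limiter written for this illustration; it does not reproduce
    how Tor actually accepts or rate-limits DirPort connections.
    """

    def __init__(self, max_per_ip):
        self.max_per_ip = max_per_ip
        self.active = defaultdict(int)    # source IP -> currently open connections
        self.rejected = defaultdict(int)  # source IP -> refused attempts (for alerting)

    def open(self, ip):
        """Return True if a new connection from ip is accepted, False if over the cap."""
        if self.active[ip] >= self.max_per_ip:
            self.rejected[ip] += 1
            return False
        self.active[ip] += 1
        return True

    def close(self, ip):
        """Release one connection slot for ip (no-op if none are open)."""
        if self.active[ip] > 0:
            self.active[ip] -= 1

    def offenders(self):
        """IPs that were refused at least once, most-refused first."""
        return sorted(self.rejected.items(), key=lambda kv: -kv[1])


def simulate(events, max_per_ip):
    """Replay (op, ip) events through a fresh limiter.

    Returns (accepted_per_ip, rejected_per_ip) as plain dicts.
    """
    lim = PerIpConnectionLimiter(max_per_ip)
    accepted = defaultdict(int)
    for op, ip in events:
        if op == "open":
            if lim.open(ip):
                accepted[ip] += 1
        else:
            lim.close(ip)
    return dict(accepted), dict(lim.rejected)


# Constructed sample traffic: a NAT gateway fronting several Tor instances
# opens 5 directory connections at once, an ordinary single client opens 1,
# and a flooder opens 200 without ever closing any of them.
NAT_GATEWAY = "192.0.2.10"
SINGLE_CLIENT = "198.51.100.7"
FLOODER = "203.0.113.99"

EVENTS = (
    [("open", NAT_GATEWAY)] * 5
    + [("open", SINGLE_CLIENT)]
    + [("open", FLOODER)] * 200
)

if __name__ == "__main__":
    # With a cap of 1 the NAT gateway is refused 4 times alongside the flooder;
    # with a modest cap of 16 the gateway passes and the flooder is still held
    # to 16 open connections.
    for cap in (1, 16):
        acc, rej = simulate(EVENTS, cap)
        print(f"cap={cap}: accepted={acc} rejected={rej}")
```

Running it shows why the thread's caution matters: the strict cap refuses the legitimate gateway on its second connection, while a cap in the low tens still bounds the flooder's footprint and leaves the refusal counter as a signal worth alerting on.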

