Re: [tor-bugs] #33666 [Circumvention/Snowflake]: Investigate Snowflake proxy failures
#33666: Investigate Snowflake proxy failures
-------------------------------------+------------------------------
Reporter: cohosh | Owner: (none)
Type: defect | Status: needs_review
Priority: High | Milestone:
Component: Circumvention/Snowflake | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: #19001 | Points:
Reviewer: | Sponsor:
-------------------------------------+------------------------------
Comment (by cohosh):
Replying to [comment:9 dcf]:
> Replying to [comment:5 cohosh]:
> > 1. log debug information and encourage the owner through the UI to
> >    file a Tor ticket with the log messages so we can figure out what's
> >    going on,
> > 2. keep track of how many times this happens, and if it always happens
> >    (the proxy sees no successful connections) disable the proxy and
> >    print out some debug messages,
> > 3. do a probe test only when the datachannel fails to open to check
> >    whether the proxy can open a datachannel with the probe point.
>
> My opinion on this is that (2) is a reasonable idea. (I said (3) in the
> meeting today but I meant (2).)
>
> It does open a new DoS vector: a malicious client can fail all its
> DataChannels and cause proxies to think they are unreliable.
>
> comment:8 shows that failure rate may be as much a function of the
> client as of the proxy. Maybe this is a mutually incompatible NAT
> situation? The symptoms you mention in comment:2 match that. It's possible
> that both peers are sending binding requests to each other, but neither
> is making it all the way to the other side.

Huh. This is a really good find. I was doing my tests on a VPS and my
failure rate matches what your VPS failure rate was. I had no idea the NAT
topologies of the client and proxy should have anything to do with each
other.

Now I'm interested in whether the proxies that fail for a VPS are a subset
of the proxies that fail for the home setup. If that's true, then I still
think we should move forward with some variation of option (2). If not,
then it doesn't seem to be the fault of the proxies and disabling them
completely just because they get a lot of home connections might not be
the right way to go. Although that is the typical use case. Of course the
best thing to do is further track down what's happening here and find a
way to make these proxies useful to more clients.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33666#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online