Re: [tor-bugs] #15516 [Core Tor/Tor]: Consider rate-limiting INTRODUCE2 cells when under load
#15516: Consider rate-limiting INTRODUCE2 cells when under load
-------------------------------------------------+-------------------------
Reporter: special | Owner: dgoulet
Type: enhancement | Status: closed
Priority: Medium | Milestone: Tor: unspecified
Component: Core Tor/Tor | Version:
Severity: Normal | Resolution: implemented
Keywords: tor-dos, tor-hs, network-team-roadmap-july, nickm-merge | Actual Points:
Parent ID: #29999 | Points: 10
Reviewer: asn | Sponsor: Sponsor27-must
-------------------------------------------------+-------------------------
Comment (by asn):
Replying to [comment:54 cypherpunks]:
> I have deep concerns about this. It may not help against DoS at all, and
> NACKing in reply rather than dropping may make it worse. Although there
> are many of them, the bandwidth consumed by INTRODUCE2 cells is not the
> main problem. The best defense in practice would likely be as described in
> https://lists.torproject.org/pipermail/tor-dev/2019-May/013849.html, or
> that, but modified so it's the service that drops them rather than the
> intro point. That would allow current unmodified relays to be used as
> intro points.

Hello,

as you say, we doubt that this attack will help restore availability to
DoSed onion services. More about this on this old thread:
https://lists.torproject.org/pipermail/tor-dev/2019-April/013790.html

I also doubt that the NACK will make things worse for the health of the
network since intro points were already sending an ACK anyway. And it will
have no impact on the availability of the service either.

Please see ticket #31223 for approaches that will improve availability of
the service. Personally, while I'm cautiously open to PoW approaches, I
doubt that they will help against a motivated adversary with a couple of
GPUs, except if you also want only GPU clients to be able to visit the
service. People who are experts on PoW have told me that they are pretty
inelegant when it comes to DoS resistance. If you feel the opposite, feel
free to run the numbers and let us know how it would work. Please use the
mailing list for such discussions.

In any case, if you don't believe in this defence you can still disable it
using #30924.

Thanks! :)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15516#comment:56>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online