[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #27841 [Core Tor/Tor]: Surprise race: Intro point closes circuit after NACK, at the same time as client tries to extend circuit to new intro point

To: undisclosed-recipients: ;
Subject: Re: [tor-bugs] #27841 [Core Tor/Tor]: Surprise race: Intro point closes circuit after NACK, at the same time as client tries to extend circuit to new intro point
From: "Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>
Date: Wed, 28 Aug 2019 15:45:20 -0000
Auto-submitted: auto-generated
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 28 Aug 2019 11:45:32 -0400
In-reply-to: <043.1bd899ac60bfa99fbb805b77237b99f4@torproject.org>
List-archive: <http://lists.torproject.org/pipermail/tor-bugs/>
List-help: <mailto:tor-bugs-request@lists.torproject.org?subject=help>
List-id: "auto: Tor bug tracker status mails" <tor-bugs.lists.torproject.org>
List-post: <mailto:tor-bugs@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-bugs>, <mailto:tor-bugs-request@lists.torproject.org?subject=unsubscribe>
References: <043.1bd899ac60bfa99fbb805b77237b99f4@torproject.org>
Reply-to: no-reply@xxxxxxxxxxxxxx, tor-assistants@xxxxxxxxxxxxxx
Sender: "tor-bugs" <tor-bugs-bounces@xxxxxxxxxxxxxxxxxxxx>

#27841: Surprise race: Intro point closes circuit after NACK, at the same time as
client tries to extend circuit to new intro point
-------------------------------------------------+-------------------------
 Reporter:  asn                                  |          Owner:  neel
     Type:  defect                               |         Status:
                                                 |  reopened
 Priority:  Medium                               |      Milestone:  Tor:
                                                 |  0.3.5.x-final
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tor-hs dos 035-backport              |  Actual Points:
  040-backport 041-backport                      |
Parent ID:                                       |         Points:
 Reviewer:  dgoulet                              |        Sponsor:
                                                 |  Sponsor27
-------------------------------------------------+-------------------------
Changes (by dgoulet):

 * status:  closed => reopened
 * keywords:  tor-hs dos => tor-hs dos 035-backport 040-backport
               041-backport
 * resolution:  fixed =>


Comment:

 I would like us to strongly reconsider the backport this back down to 035.
 Reason is that it is really badly affecting tor clients and thus HS
 reachability. Here is how/why:

 (The following considers that every time the client reaches the intro
 point, it gets NACKed because it has the old descriptor.)

 1. The obvious issue is that tor clients gets the intro circuit destroyed
 while it is trying to re-extend to a new IP. This itself, requires the
 client to do many round trips before noticing and then re-opening a new
 circuit to see the same again until all 3 IP have failed.

 2. This one is a more serious issue.

  I've experienced during my testing a client looping over all IPs trying
 to establish an intro point but instead getting its circuit `TRUNCATED`
 for internal reason just _after_ sending the `INTRODUCE1` cell. This is
 not seen as an "intro failure" by the client so the intro point will be
 retried.

  However, how can we get a `TRUNCATED` _before_ the `INTRODUCE_ACK` nack-
 ing our request? This behavior I've seen a lot where a client can make
 20-30 tries before it finally gets a NACK.

  The reason I believe is in our cell scheduler: When selecting an active
 channel, we ask the cmux subsystem to give the first active circuit queue,
 this is done in `circuitmux_get_first_active_circuit()`. But, we alternate
 between `DESTROY` cell queue and the RELAY cell queue.

  When the intro point sends a NACK, it first queues the `INTRODUCE_ACK`
 cell and then, because of this bug still everywhere in the network, it
 queues a `DESTROY` just after. Then our scheduler, at that point in time,
 decides to send the `DESTROY` _before_ the ack resulting in our client
 receiving a truncated cell, not noticing the NACK and thus retrying the
 same intro point after.

  If no `DESTROY` cells were sent on the channel cmux yet, then it is
 prioritized from the relay cell. So, it is not actually 1/2 chance of
 hitting this, I believe it is much high probability to hit the issue I
 just described especially on smaller relays.

 Considering the above, I'm strongly asking for 035, 040 and 041 backport.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27841#comment:26>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Prev by Author: Re: [tor-bugs] #26847 [Applications/Tor Browser]: Tor Browser 8.0, noscript pops up a full-browser-size window to warn me about x-site scripting
Next by Author: Re: [tor-bugs] #18356 [Core Tor/Tor]: obfs4proxy cannot bind to <1024 port with systemd hardened service unit
Previous by thread: Re: [tor-bugs] #30080 [Webpages/Support]: support portal: keep anchor when changing language
Next by thread: Re: [tor-bugs] #27841 [Core Tor/Tor]: Surprise race: Intro point closes circuit after NACK, at the same time as client tries to extend circuit to new intro point
Index(es):
- Author
- Thread