Re: [tor-bugs] #25226 [Core Tor/Tor]: Circuit cell queue can fill up memory
#25226: Circuit cell queue can fill up memory
-------------------------------------------------+-------------------------------
 Reporter:  dgoulet                              |          Owner:  dgoulet
     Type:  defect                               |         Status:  needs_review
 Priority:  Medium                               |      Milestone:  Tor: 0.3.3.x-final
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tor-cell, tor-relay, tor-dos,        |  Actual Points:
            033-must, review-group-34, security, |
            033-triage-20180320,                 |
            033-included-20180320                |
Parent ID:                                       |         Points:
 Reviewer:  arma                                 |        Sponsor:
-------------------------------------------------+-------------------------------

Comment (by arma):

Replying to [comment:21 dgoulet]:
> As an attempt, see branch: `bug25226_033_01`.
>
> I think we still need to figure out possibly a better default value or
> at the very least a consensus parameter that makes sense.

Big picture review: I think we should proceed with doing this feature,
even though we can't really pick a low threshold yet.

I see three benefits for putting this feature in:

* We should pick a really high threshold for the consensus, like 50000
  cells or 100000 cells, which is essentially at the "oom attempt" level,
  and now we're killing circuits when they overload us a lot, without
  needing to wait until we're actually running out of memory, and without
  needing to have our reaction be a function of how much memory the relay
  has.

  I was originally going to say "I don't think there's any number where we
  should set this in the consensus right now on the main Tor network," but I
  think at the 50k or 100k cell mark, even if somebody is following the
  protocol, we could still kill the circuit "because fairness".

* If things go to shit in the future and people start doing bad things to
  the network that we're not expecting right now, then this would be another
  available tool for letting relays defend themselves. Shipping it out now
  will mean it's in place if we decide we need it.

* The test networks, where they know the client and website traffic
  behaviors, can set it to a much lower value, and use it for debugging when
  they hit the threshold.

For that last one, there are really two things we want to understand here.
First, what are the limits on acceptable behavior by "honest" users? That
is, what is the threshold above which we say "no honest user would attempt
that". And second, are there bugs or surprises in our current design that
cause us to hit a higher threshold than we meant to? And it's that second
one that a good network testing harness, plus this ticket, can discover.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25226#comment:27>
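
The following is an added example, not part of arma's comment and not code from Tor or from the `bug25226_033_01` branch. It models the per-circuit cap discussed above: a fixed cell-count limit taken from a network-wide parameter, independent of relay memory, with a high-water mark that a test network could use to see what honest traffic reaches. All identifiers, the 1000-cell floor and the traffic rates are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Hypothetical names and values throughout; none of this is Tor's code. */
#define CAP_FLOOR 1000u          /* constructed lower bound for the cap */
typedef struct {
    uint32_t queued;        /* cells waiting on this circuit right now */
    uint32_t high_water;    /* longest queue seen: the number to tune from */
    uint32_t closed_round;  /* round in which the cap was hit, 0 = never */
} circ_t;

/* Clamp the network-wide value so a bad parameter cannot set the cap to ~0. */
static uint32_t cap_from_param(int64_t v)
{
    if (v < (int64_t)CAP_FLOOR) return CAP_FLOOR;
    return v > INT32_MAX ? (uint32_t)INT32_MAX : (uint32_t)v;
}

/* Queue one cell; returns -1 when the circuit is over the cap and is killed. */
static int queue_cell(circ_t *c, uint32_t cap, uint32_t round)
{
    if (c->closed_round) return -1;
    if (c->queued >= cap) {          /* fixed cell count, not free memory */
        c->closed_round = round;
        c->queued = 0;               /* the queued cells are dropped */
        return -1;
    }
    if (++c->queued > c->high_water) c->high_water = c->queued;
    return 0;
}

/* Each round `in` cells arrive, then `out` cells are flushed to the next hop. */
static circ_t simulate(uint32_t cap, uint32_t in, uint32_t out, uint32_t rounds)
{
    circ_t c = {0, 0, 0};
    for (uint32_t r = 1; r <= rounds; r++) {
        for (uint32_t i = 0; i < in; i++)
            if (queue_cell(&c, cap, r) < 0) return c;
        c.queued = out > c.queued ? 0 : c.queued - out;
    }
    return c;
}

int main(void) {
    circ_t ok = simulate(cap_from_param(50000), 100, 100, 1000);
    circ_t bad = simulate(cap_from_param(50000), 100, 10, 1000);
    printf("balanced: peak=%u closed_round=%u\n", ok.high_water, ok.closed_round);
    printf("overload: peak=%u closed_round=%u\n", bad.high_water, bad.closed_round);
    return 0;
}
```

With the constructed rates, the balanced circuit peaks at 100 queued cells and survives, while the circuit that drains only 10 of every 100 cells is closed once its queue reaches the 50000-cell cap.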