[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Patch: Hidden service: use inbound bind-address based on circuit ID (effectively giving each circuit a temporarily-unique IP address)



H

Mon, 31 Mar 2014 12:38:01 -0400 ÐÑ Nick Mathewson <nickm@xxxxxxxxxxxx>:
On Thu, Mar 27, 2014 at 7:35 AM, Harry SeventyOne <harry71@xxxxx> wrote:
> Hi,
>
> I've written this (ugly, unconfigurable) patch for Tor which is designed to
> allow hidden services more information about their users, by giving each
> inbound circuit its own temporary "IP address" in the 127.x range. This
> technique works on Linux (I've not tried it on anything else) and allows the
> application server to do some useful things which were previously difficult:
>
> * Identify TCP connections coming from the same client, in a short space of
> time, for example, for diagnostic log analysis, identifying traffic trends
> * Rate-limit operations coming from the same client, to defend against some
> types of DoS attacks
> * Temporarily block abusive clients (at least, until they make a new Tor
> circuit)
>
> More importantly, it can do this with an unmodified application-server (e.g.
> web servers typically have these features built-in) because it effectively
> "spoofs" the client ID as an ip-address, in the 127.x range.
>
> The patch is currently not configurable (the feature can't be turned off).
> It only works with hidden services which are routed to "localhost".
>
> Request for comments. What do you think?

Hi, Harry!

I like the idea of this feature, though really only the first
application makes sense to me. (The other two seem like they'd just
move DoS from one part of the protocol stack to another.) Are there
other applications here, or ?
I'm not completely sure what applications exist. My experiments have shown that it's of some value in tracking clients, it certainly makes it easier to interpret web server access-logs.

The DoS angle only works against certain types of DoS, including perhaps some unintended DoS - such as robots or mirroring software which hits the server too fast, and needs to be rate-limited.

I can see that a lot of work would probably be requires to make it work for the trunk of Tor, including the IPv6 work. I'm not completely sure whether I could do that.

I wonder if there is a better proxy for the "client temporary identity" than circuit-id, and where we can get it from (in Tor's internal data-structure)?

Circuit IDs certainly do get reused, but in my experience, not very quickly on low-traffic sites. This makes the logs make more sense, certainly to humans and possibly to log-analysis software.

* It's better to do a patch like this against git master; Tor 0.2.4 is
not going to get any new features.

But for users who want to try out the patch "right now",  possibly on a production server, a patch against the stable release is more useful :)

Thanks for your helpful comments!

Harry
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev