[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Onion Service - Intropoint DoS Defenses



Hello, can someone answer some questions I have about how this attacks work?

As far as I understand INTRODUCE2 cells are sent by Introduction Points directly to the Hidden Service. But this only happens after a Client sends the INTRODUCE1 cell to the Introduction Point.

Now the question is, do we allow more than 1 INTRODUCE1 per client circuit? If this is right, why? Or the attack is working because the client makes a new circuit/connection to the I.P. each time for sending a INTRODUCE1?

On 31/5/19 14:21, David Goulet wrote:
On 31 May (00:46:56), teor wrote:
Hi,

On 30 May 2019, at 23:49, David Goulet <dgoulet@xxxxxxxxxxxxxx> wrote:

Over the normal 3 intro points a service has, it means 150 introduction
per-second are allowed with a burst of 600 in total. Or in other words, 150
clients can reach the service every second up to a burst of 600 at once. This
probably will ring alarms bell for very popular services that probably gets
1000+ users a second so please check next section.
Do we know how many introduce cells are sent to popular services?

How can the operators of these services find out their current introduce rate?
Yes good point.

The only thing we have available is the heartbeat that should read like so:

  log_notice(LD_HEARTBEAT,
             "Our onion service%s received %u v2 and %u v3 INTRODUCE2 cells "
             "and attempted to launch %d rendezvous circuits.",
             num_services == 1 ? "" : "s",
             hs_stats_get_n_introduce2_v2_cells(),
             hs_stats_get_n_introduce2_v3_cells(),
             hs_stats_get_n_rendezvous_launches());

Those counters don't get reset so to get the rate one need to compare between
two heartbeats (default is every 6h).

Thus, if any big popular service out there (no need to give the .onion) can
tell us the rate they see, it would be grand!

Thanks!
David


_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev