[tor-project] Tor's history of D/DoS attacks; strategy for mitigation
Mike Perry
mikeperry at torproject.org
Fri Jul 14 01:32:55 UTC 2023
On 7/13/23 20:23, Cory Francis Myers wrote:
> On 2023-07-05 12:50, Mike Perry wrote:
>> The most common attack has been either onion service related, or
>> against the directory authorities. However, over the past year, we saw
>> several attack attempts that appeared to target specific relays. This
>> was a new phenomenon, at this scale.
>>
>> […]
>>
>> Since the majority of DDoS activity has been onion service related, we
>> expect [the proof-of-work] defense to act as a deterrent there, for
>> most of the issues we have seen.
>>
>> […]
>>
>> We recently obtained funding to fix these kinds of specific attacks
>> against Guards, dirauths, and Exits, but many issues will remain
>> confidential until we do so. We do not want to advertise which of
>> these probing attacks were actually effective vs not, or why.
>
> Thanks very much for this summary, Mike. It sounds like there is a
> clear division between (a) attacks targeting onion services, to be
> mitigated by the proof-of-work defense; and (b) attacks with a clearnet
> source or target, to be mitigated by this new work in progress.
I would separate the two parts of (b). Each will have different
solutions, from our point of view.
Addressing attacks coming from Tor exits remains unfunded.
Addressing attacks against Tor relays is funded.
Most of the probing attacks against relays that we saw probed for resource
exhaustion conditions, which we will address via those conditions
themselves. We did get a report of at least one instance of the typical
UDP reflection flood against a Tor relay, though. It was quite large,
but we only heard this report from one relay operator (and there are
several thousand relay operators).
> For the latter, could there be value in a mechanism that allows nodes
> (especially relays) to coordinate either local or upstream blocking of
> traffic from D/DoS sources? This is the potential application I’m
> investigating of the IETF DOTS standard. But it may be an approach
> you’ve either already selected or ruled out.
"It depends".
It is unlikely for us to get directly involved in IP address blacklist
or IP address reputation games. Tor user experience is significantly
degraded by these systems. While we are trying to pitch funding
proposals to improve Tor exit IP address reputation, subjecting our user
IP addresses to these systems seems anathema and unlikely.
In general, we vastly prefer cryptographic rate limiting approaches, or
deterrents like our pow system[1], over blacklist-based approaches.
Now, if there were ideas being kicked around to cryptographically blind
this data such that IP addresses were not revealed to anyone until they
appear in multiple DoS event logs, that might be of interest.
1. https://gitlab.torproject.org/tpo/core/torspec/-/blob/main/proposals/327-pow-over-intro.txt
--
Mike Perry