commit ed14d85d57cdcf0742040a57e9f0a75f69567482 Author: David Goulet <dgoulet@torproject.org> Date: Tue Feb 13 09:44:07 2018 -0500 tor-spec: Document DoS mitigation consensus param Closes #25095 Signed-off-by: David Goulet <dgoulet@torproject.org> --- dir-spec.txt | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/dir-spec.txt b/dir-spec.txt index ece2991..bcfa62c 100644 --- a/dir-spec.txt +++ b/dir-spec.txt @@ -1995,6 +1995,47 @@ Min 1. Max 10. Default 2. First-appeared: 0.3.3.0-alpha. + Denial of Service mitigation parameters. Introduced in 0.3.3.2-alpha: + + "DoSCircuitCreationEnabled" -- Enable the circuit creation DoS + mitigation. + + "DoSCircuitCreationMinConnections" -- Minimum threshold of concurrent + connections before a client address can be flagged as executing a + circuit creation DoS + + "DoSCircuitCreationRate" -- Allowed circuit creation rate per second + per client IP address once the minimum concurrent connection + threshold is reached. + + "DoSCircuitCreationBurst" -- The allowed circuit creation burst per + client IP address once the minimum concurrent connection threshold is + reached. + + "DoSCircuitCreationDefenseType" -- Defense type applied to a detected + client address for the circuit creation mitigation. + + 1: No defense. + 2: Refuse circuit creation for the + DoSCircuitCreationDefenseTimePeriod period. + + "DoSCircuitCreationDefenseTimePeriod" -- The base time period that + the DoS defense is activated for. + + "DoSConnectionEnabled" -- Enable the connection DoS mitigation. + + "DoSConnectionMaxConcurrentCount" -- The maximum threshold of + concurrent connection from a client IP address. + + "DoSConnectionDefenseType" -- Defense type applied to a detected + client address for the connection mitigation. Possible values are: + + 1: No defense. + 2: Immediately close new connections. + + "DoSRefuseSingleHopClientRendezvous" -- Refuse establishment of + rendezvous points for single hop clients. + "shared-rand-previous-value" SP NumReveals SP Value NL [At most once]