[torspec/master] tor-spec: Document DoS mitigation consensus param - tor-commits

3 Mar 2018

commit ed14d85d57cdcf0742040a57e9f0a75f69567482
Author: David Goulet dgoulet@torproject.org
Date:   Tue Feb 13 09:44:07 2018 -0500
tor-spec: Document DoS mitigation consensus param
Closes #25095
Signed-off-by: David Goulet dgoulet@torproject.org
---
 dir-spec.txt | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/dir-spec.txt b/dir-spec.txt
index ece2991..bcfa62c 100644
--- a/dir-spec.txt
+++ b/dir-spec.txt
@@ -1995,6 +1995,47 @@
         Min 1. Max 10. Default 2.
         First-appeared: 0.3.3.0-alpha.
+        Denial of Service mitigation parameters. Introduced in 0.3.3.2-alpha:
+
+         "DoSCircuitCreationEnabled" -- Enable the circuit creation DoS
+         mitigation.
+
+         "DoSCircuitCreationMinConnections" -- Minimum threshold of concurrent
+         connections before a client address can be flagged as executing a
+         circuit creation DoS
+
+         "DoSCircuitCreationRate" -- Allowed circuit creation rate per second
+         per client IP address once the minimum concurrent connection
+         threshold is reached.
+
+         "DoSCircuitCreationBurst" -- The allowed circuit creation burst per
+         client IP address once the minimum concurrent connection threshold is
+         reached.
+
+         "DoSCircuitCreationDefenseType" -- Defense type applied to a detected
+         client address for the circuit creation mitigation.
+
+            1: No defense.
+            2: Refuse circuit creation for the
+               DoSCircuitCreationDefenseTimePeriod period.
+
+         "DoSCircuitCreationDefenseTimePeriod" -- The base time period that
+         the DoS defense is activated for.
+
+         "DoSConnectionEnabled" -- Enable the connection DoS mitigation.
+
+         "DoSConnectionMaxConcurrentCount" -- The maximum threshold of
+         concurrent connection from a client IP address.
+
+         "DoSConnectionDefenseType" -- Defense type applied to a detected
+         client address for the connection mitigation. Possible values are:
+
+            1: No defense.
+            2: Immediately close new connections.
+
+         "DoSRefuseSingleHopClientRendezvous" -- Refuse establishment of
+         rendezvous points for single hop clients.
+
     "shared-rand-previous-value" SP NumReveals SP Value NL
[At most once]

    