On Sat, Jan 23, 2016 at 11:38:00PM +0200, s7r wrote:
> The attacker is also a Sybil (holds an unknown % of the bandwidth in the Tor network). By making the hidden service server build many circuits to his evil rendezvous points, the attacker gets a high probability that the hidden service server will eventually pick his evil relays in a circuit, so the attacker will trivially perform a successful hidden service guard discovery attack or, with more luck, discover the real location of the hidden service server.
That 'more luck' would involve becoming the guard of the hidden service, yes? I think at that point it doesn't matter whether the attacker controls the rendezvous point.
> The hidden service server can only defend itself by building a 3 hop circuit to the rendezvous point, but in practice this is not always enough.
A few more details about "this is not always enough" would be helpful here. In particular, is it not always enough because sometimes even 3 hops is not safe enough, or not always enough besides sometimes making a 3-hop circuit isn't what the HS wants to do? Or something else?
> In simple words, we count and keep track of how many rendezvous circuits a hidden service server built and to which rendezvous points. Then, based on the weight (middle probability fraction) of each rendezvous point, we determine if one was insanely overpicked by clients.
A) Can I deny service to a hidden service by methodically pretending to attack it from each honest relay, one at a time, causing it to become upset at each of these relays?
B) Can I fool your reputation system by raising the total number of rendezvous attempts that I attempt, in effect making the hidden service feel more popular so it's not alarmed as much by any single rendezvous point? I could imagine ways to launch a rendezvous attempt that are quite cheap on the part of a client who has no plans to follow through.
> Even if, by accident (low chances), an innocent relay is banned, this will be something local to the hidden service server. It won't affect that relay at all, nor how other clients or hidden service servers treat that relay. It has nothing to do with the network wide consensus either.
> An honest client will always retry with a different rendezvous point, so honest clients should not experience reachability issues.
Actually, I don't think this is client behavior right now. (It could be if somebody changed the design of course.)
--Roger
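The counting-and-weighting heuristic s7r sketches in the quoted proposal (keep a per-rendezvous-point tally of circuits the service built, compare each tally with the relay's middle probability fraction, flag the relays picked far more often than chance predicts), written out as an added toy model. This is not code from Tor or from the proposal on the list; the relay names, the middle-weight fractions, the thresholds (ratio multiplier, minimum sample size, z-score margin) and the sample tallies are all constructed here for illustration.

```python
"""Toy model of a local 'overpicked rendezvous point' check.

Added example, not Tor code. Assumptions (all constructed):
  - MIDDLE_WEIGHTS is the relay -> middle-position weight fraction a hidden
    service would read from its consensus (sums to 1.0);
  - the service keeps a local Counter of rendezvous circuits per rendezvous
    point; nothing here is shared with other clients or with the consensus;
  - a relay is flagged only when its observed share exceeds its expected share
    by a multiplier AND by a binomial z-score margin, and only once enough
    circuits have been seen to make the comparison meaningful.
"""
import math
from collections import Counter

# Constructed consensus snapshot: relay -> middle probability fraction.
MIDDLE_WEIGHTS = {
    "RELAY_A": 0.40,
    "RELAY_B": 0.30,
    "RELAY_C": 0.20,
    "RELAY_D": 0.10,
}


def overpicked(rp_counts, weights, ratio=3.0, min_total=50, z=4.0):
    """Return the set of rendezvous points used far more often than their weight predicts.

    rp_counts: Counter of rendezvous point -> rendezvous circuits built to it
    weights:   relay -> middle probability fraction
    ratio:     observed must exceed ratio * expected
    min_total: decide nothing until this many circuits were seen (small-sample noise)
    z:         excess must also exceed z binomial standard deviations
    """
    total = sum(rp_counts.values())
    if total < min_total:
        return set()
    flagged = set()
    for rp, observed in rp_counts.items():
        w = weights.get(rp)
        if w is None or not (0.0 < w < 1.0):
            # Relay absent from this service's view of the consensus (or a
            # degenerate weight): skip rather than guess in this toy model.
            continue
        expected = total * w
        sd = math.sqrt(total * w * (1.0 - w))
        if observed > ratio * expected and observed - expected > z * sd:
            flagged.add(rp)
    return flagged


def honest_sample():
    """Constructed: 100 rendezvous circuits spread roughly by middle weight."""
    return Counter({"RELAY_A": 40, "RELAY_B": 30, "RELAY_C": 20, "RELAY_D": 10})


def skewed_sample():
    """Constructed: the honest load plus 60 extra circuits all ending at RELAY_D."""
    counts = honest_sample()
    counts["RELAY_D"] += 60
    return counts


if __name__ == "__main__":
    print("honest load flags:", overpicked(honest_sample(), MIDDLE_WEIGHTS))
    print("skewed load flags:", overpicked(skewed_sample(), MIDDLE_WEIGHTS))
    print("tiny sample flags:", overpicked(Counter({"RELAY_D": 10}), MIDDLE_WEIGHTS))
```

Two properties of the sketch are visible in the code. The decision is purely local: `flagged` is a set the service keeps for itself, and nothing it computes touches the weights other clients read from the consensus, which is the point the quoted text makes about an innocent relay being banned. And every comparison is against `total`, the number of rendezvous circuits the service itself observed, which is why Roger's question B matters: the denominator is whatever the service was made to see.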