Hi,

I've written this (ugly, unconfigurable) patch for Tor which is designed to give hidden services more information about their users, by giving each inbound circuit its own temporary "IP address" in the 127.x range. This technique works on Linux (I've not tried it on anything else) and allows the application server to do some useful things which were previously difficult:

* Identify TCP connections coming from the same client, in a short space of time, for example, for diagnostic log analysis, identifying traffic trends
* Rate-limit operations coming from the same client, to defend against some types of DoS attacks
* Temporarily block abusive clients (at least, until they make a new Tor circuit)

More importantly, it can do this with an unmodified application server (e.g. web servers typically have these features built-in) because it effectively "spoofs" the client ID as an IP address in the 127.x range.

The patch is currently not configurable (the feature can't be turned off). It only works with hidden services which are routed to "localhost".

Request for comments. What do you think?

--
Harry SeventyOne
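An added example (not the poster's patch, and not Tor's code) of the two halves of the idea: a pool that maps each circuit to a temporary loopback address and parks released addresses for a cooldown before reuse, plus the per-address sliding-window check an unmodified server would apply to its access log. The class and function names, the 127.1.0.0/16 range, the cooldown and the sample log events are all assumptions.

```python
import ipaddress
import time
from collections import deque


class CircuitAddressPool:
    """Hand each inbound rendezvous circuit its own temporary 127.x address.

    Constructed model of the post's idea, not the patch: the daemon would
    bind() the local connection to the returned address before connecting
    to the service, so an unmodified server logs one loopback address per
    circuit. Released addresses wait out a cooldown before reuse so a new
    circuit is not mistaken for one the server recently blocked.
    """

    def __init__(self, network="127.1.0.0/16", reuse_delay=60.0,
                 clock=time.monotonic):
        self.free = deque(ipaddress.ip_network(network).hosts())
        self.by_circuit = {}    # circuit id -> address
        self.cooling = deque()  # (release time, address), oldest first
        self.reuse_delay = reuse_delay
        self.clock = clock

    def acquire(self, circuit_id):
        """Return the circuit's address, allocating one on first use."""
        if circuit_id in self.by_circuit:
            return self.by_circuit[circuit_id]
        now = self.clock()
        while self.cooling and now - self.cooling[0][0] >= self.reuse_delay:
            self.free.append(self.cooling.popleft()[1])
        if not self.free:
            raise RuntimeError("loopback address pool exhausted")
        addr = self.free.popleft()
        self.by_circuit[circuit_id] = addr
        return addr

    def release(self, circuit_id):
        """Circuit closed: park its address until the cooldown expires."""
        self.cooling.append((self.clock(), self.by_circuit.pop(circuit_id)))


def abusive_sources(events, limit, window):
    """Return addresses (circuits) with more than `limit` requests in any
    `window` seconds; `events` are (timestamp, address) pairs in time order,
    as parsed from a server access log."""
    recent, flagged = {}, set()
    for ts, addr in events:
        q = recent.setdefault(addr, deque())
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > limit:
            flagged.add(addr)
    return flagged


# Constructed sample log: the circuit at 127.1.0.1 bursts, 127.1.0.2 is quiet.
SAMPLE_EVENTS = [(0, "127.1.0.1"), (1, "127.1.0.1"), (2, "127.1.0.1"),
                 (3, "127.1.0.2"), (10, "127.1.0.1"), (11, "127.1.0.1"),
                 (12, "127.1.0.1"), (13, "127.1.0.1")]
```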