On Fri, Feb 02, 2018 at 02:23:24PM +1100, teor wrote:
> For IP addresses with 3 or more connections to a single guard, the guard imposes a limit of 1 circuit every 3 seconds, with a 90 circuit burst allowance.
3 circuits every second, actually. Think of it like a token bucket with a size of 90 circuits and a refill rate of 3 per second.
> If it happens, and if they build more than 90 circuits to the same relay, the defence will trigger. Then both instances will try another relay.
I think Tor clients who have all their create cells responded to with destroy cells won't abandon that relay. That is, getting a destroy cell in response to a create cell is not an indication that the relay is broken, so it won't convince us to stop trying that one.
That "feature" is actually part of the calculus here, since we want to think very carefully about how our choices shape the behavior of the millions of enthusiastic high-bandwidth Tor clients that are overwhelming the network.
> Because the circuit-creation limit is applied at the guard, wouldn't this affect hidden services instead of single onion services?
It will only trigger if hundreds of guard-using clients are behind a single IP address.
I expect a popular onion service that doesn't use guards and that runs many Tor instances on the same IP address will trigger the defense often: because it doesn't use guards, each new circuit it builds in response to a rendezvous request will pick an entry point at random, and if some of the conversations with clients last for a while, then outgoing connections will accumulate, eventually reaching the threshold for each relay to decide that that address is being unfair.
--Roger
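The token-bucket behaviour discussed in this exchange, as an added example that is not part of the thread and not Tor's own code: a small model of one relay's per-address circuit-creation limit. The bucket size (90), refill rate (3 per second) and the 3-connection enforcement threshold are taken from the messages above; the class and method names, the "CREATED"/"DESTROY" return values, the assumption that the bucket is neither checked nor drained below the connection threshold, and the timeline in simulate() (including the documentation IP addresses) are constructed for illustration.

```python
"""Token-bucket model of the per-address circuit-creation limit discussed above.

Added example, not Tor's own code. Parameters from the thread: a bucket of 90
circuits, refilled at 3 per second, enforced once an address has 3 or more
connections to the relay. Names, return values and the timeline are invented.
"""
from dataclasses import dataclass

BURST_CIRCUITS = 90        # bucket size, from the thread
REFILL_PER_SECOND = 3.0    # refill rate, from the thread
MIN_CONNECTIONS = 3        # enforcement threshold, from the thread


@dataclass
class AddressState:
    """What the relay tracks per client IP address (hypothetical layout)."""
    connections: int = 0
    tokens: float = BURST_CIRCUITS
    last_refill: float = 0.0


class CircuitCreationLimiter:
    """One relay's view of circuit-creation rate limiting, keyed by client address."""

    def __init__(self, burst=BURST_CIRCUITS, rate=REFILL_PER_SECOND,
                 min_connections=MIN_CONNECTIONS):
        self.burst = burst
        self.rate = rate
        self.min_connections = min_connections
        self.by_address = {}

    def _state(self, addr, now):
        st = self.by_address.get(addr)
        if st is None:
            st = AddressState(last_refill=now)
            self.by_address[addr] = st
        return st

    def _refill(self, st, now):
        # Continuous refill, capped at the burst size; time never runs backwards here.
        elapsed = max(0.0, now - st.last_refill)
        st.tokens = min(self.burst, st.tokens + elapsed * self.rate)
        st.last_refill = now

    def connection_opened(self, addr, now):
        self._state(addr, now).connections += 1

    def connection_closed(self, addr, now):
        st = self._state(addr, now)
        st.connections = max(0, st.connections - 1)

    def on_create(self, addr, now):
        """Handle a CREATE cell from addr; return 'CREATED' or 'DESTROY'.

        Assumption (not stated in the thread): below the connection threshold the
        limit is not applied and the bucket is not drained. At or above it, every
        accepted CREATE costs one token and an empty bucket answers with DESTROY.
        """
        st = self._state(addr, now)
        self._refill(st, now)
        if st.connections < self.min_connections:
            return "CREATED"
        if st.tokens >= 1.0:
            st.tokens -= 1.0
            return "CREATED"
        return "DESTROY"


def simulate():
    """Constructed timeline showing the three behaviours the thread describes."""
    relay = CircuitCreationLimiter()
    out = {}

    # 1. Two Tor instances behind one IP (RFC 5737 documentation address) share a
    #    single bucket at this relay: 120 circuits at t=0 exceed the 90-circuit burst.
    shared = "203.0.113.7"
    for _ in range(4):
        relay.connection_opened(shared, 0.0)
    replies = [relay.on_create(shared, 0.0) for _ in range(60)]   # instance A
    replies += [relay.on_create(shared, 0.0) for _ in range(60)]  # instance B
    out["shared_created"] = replies.count("CREATED")
    out["shared_destroyed"] = replies.count("DESTROY")

    # 2. One second later the bucket has refilled by exactly 3 circuits.
    out["after_1s"] = [relay.on_create(shared, 1.0) for _ in range(4)]

    # 3. An address with only two connections is never limited.
    lone = "198.51.100.2"
    for _ in range(2):
        relay.connection_opened(lone, 0.0)
    out["below_threshold_destroyed"] = sum(
        relay.on_create(lone, 0.0) == "DESTROY" for _ in range(500))
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

Because the state is keyed by address rather than by Tor instance, the two instances in step 1 draw from the same bucket, which is the situation the messages above describe for several Tor processes behind one IP; and since a DESTROY in this model is just a rejected CREATE, a client that keeps retrying the same relay keeps getting refused until the bucket refills.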