On 7/13/23 20:23, Cory Francis Myers wrote:
> On 2023-07-05 12:50, Mike Perry wrote:
>> The most common attack has been either onion service related, or against the directory authorities. However, over the past year, we saw several attack attempts that appeared to target specific relays. This was a new phenomenon, at this scale.
>> […]
>> Since the majority of DDoS activity has been onion service related, we expect [the proof-of-work] defense to act as a deterrent there, for most of the issues we have seen.
>> […]
>> We recently obtained funding to fix these kinds of specific attacks against Guards, dirauths, and Exits, but many issues will remain confidential until we do so. We do not want to advertise which of these probing attacks were actually effective vs not, or why.
> Thanks very much for this summary, Mike. It sounds like there is a clear division between (a) attacks targeting onion services, to be mitigated by the proof-of-work defense; and (b) attacks with a clearnet source or target, to be mitigated by this new work in progress.

I would separate the two parts of (b). Each will have different solutions, from our point of view.

Addressing attacks coming from Tor exits remains unfunded.

Addressing attacks against Tor relays is funded.

Most of the probing attacks against relays that we saw probed for resource exhaustion conditions, which we will address via those conditions themselves. We did get a report of at least one instance of the typical UDP reflection flood against a Tor relay, though. It was quite large, but we only heard this report from one relay operator (and there are several thousand relay operators).

> For the latter, could there be value in a mechanism that allows nodes (especially relays) to coordinate either local or upstream blocking of traffic from D/DoS sources? This is the potential application I'm investigating of the IETF DOTS standard. But it may be an approach you've either already selected or ruled out.

"It depends".

It is unlikely for us to get directly involved in IP address blacklist or IP address reputation games. Tor user experience is significantly degraded by these systems. While we are trying to pitch funding proposals to improve Tor exit IP address reputation, subjecting our user IP addresses to these systems seems anathema and unlikely.

In general, we vastly prefer cryptographic rate limiting approaches, or deterrents like our pow system[1], over blacklist-based approaches.

Now, if there were ideas being kicked around to cryptographically blind this data such that IP addresses were not revealed to anyone until they appear in multiple DoS event logs, that might be of interest.
1. https://gitlab.torproject.org/tpo/core/torspec/-/blob/main/proposals/327-pow...
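The threshold-disclosure idea in the last paragraph, sketched as an added Python example (mine, not Tor's code or anything from the proposal cited above): each reporter shares a per-address polynomial derived with HMAC from a key the reporters hold, so a collector can recover the address only after THRESHOLD distinct reporters have logged it. The key, reporter ids and addresses are constructed; the collector is assumed not to hold the key, since anyone who does could brute-force the 32-bit IPv4 space against the blinded tags.

```python
import hmac, hashlib, ipaddress
from collections import defaultdict

P = (1 << 61) - 1   # prime field, comfortably larger than any IPv4 address (constructed choice)
THRESHOLD = 3       # distinct event logs needed before an address becomes recoverable

def _coeff(key: bytes, ip: str, i: int) -> int:
    # Deterministic coefficient so independent reporters sample the same polynomial.
    return int.from_bytes(hmac.new(key, f"coef|{i}|{ip}".encode(), hashlib.sha256).digest(), "big") % P

def tag(key: bytes, ip: str) -> str:
    # Blinded label the collector groups shares on; meaningless without the key.
    return hmac.new(key, f"tag|{ip}".encode(), hashlib.sha256).hexdigest()[:16]

def make_share(key: bytes, reporter_id: int, ip: str) -> tuple[str, int, int]:
    """A reporter (e.g. a relay) emits one share of the address that flooded it."""
    assert 0 < reporter_id < P           # x = 0 would leak the secret directly
    y = int(ipaddress.IPv4Address(ip))   # a0 = the address itself
    for i in range(1, THRESHOLD):
        y = (y + _coeff(key, ip, i) * pow(reporter_id, i, P)) % P
    return tag(key, ip), reporter_id, y

def recover(shares):
    """Collector side: Lagrange-interpolate f(0) once THRESHOLD distinct reporters have shared."""
    pts = {x: y for _, x, y in shares}   # dedupe: one relay reporting twice still counts once
    if len(pts) < THRESHOLD:
        return None
    xs = list(pts)[:THRESHOLD]
    secret = 0
    for xi in xs:
        num = den = 1
        for xj in xs:
            if xi != xj:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + pts[xi] * num * pow(den, P - 2, P)) % P
    return str(ipaddress.IPv4Address(secret))

class Collector:
    """Holds shares grouped by blinded tag; never sees the key."""
    def __init__(self):
        self.by_tag = defaultdict(list)

    def submit(self, share):
        self.by_tag[share[0]].append(share)
        return recover(self.by_tag[share[0]])   # None until the threshold is met
```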