On 22 Mar (23:20:54), tor wrote:
> Suggestion: DoSCircuitCreationMinConnections=1 be established in consensus
>
> The man page for the above option says:
>
> "Minimum threshold of concurrent connections before a client address can be flagged as executing a circuit creation DoS. In other words, once a client address reaches the circuit rate and has a minimum of NUM concurrent connections, a detection is positive. "0" means use the consensus parameter. If not defined in the consensus, the value is 3. (Default: 0)"
>
> Reading this, I get the impression that lowering the value to 1 would negatively impact clients behind carrier NAT. Isn't that the case? If we only allow 1 concurrent connection per IP, wouldn't that prevent multiple users behind a single IP? I would think the same problem would apply to lowering DoSConnectionMaxConcurrentCount as well (which I think is currently 50 in the consensus, but I've seen suggestions to lower it to 4).
>
> Am I misunderstanding?
Yes, lowering DoSCircuitCreationMinConnections=1 means that you only need 1 concurrent client TCP connection to start applying the circuit creation DoS mitigation instead of 3 concurrent. This will thus impact all types of clients and *especially* hidden services, which have many clients. They will open many circuits in a few seconds, so making your Guard apply DoS mitigation will make them sad.

I would strongly suggest leaving it untouched in your option file for now and letting the consensus value be used.
Thanks! David
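To make the interaction between the circuit rate and the concurrent-connection threshold concrete, here is an added simulation (not Tor's code, and not posted by either participant) of the detection rule as the man page describes it: an address is flagged only when it has both exhausted its circuit-creation allowance and holds at least DoSCircuitCreationMinConnections concurrent connections. The token-bucket rate and burst values, the `simulate_nat` helper and the "one connection per user behind the NAT" assumption are all constructed for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class AddressStats:
    """Per-client-address state kept by the (simplified) detector."""
    concurrent_conns: int = 0
    tokens: float = 0.0      # remaining circuit-creation allowance
    last_refill: float = 0.0
    flagged: bool = False


@dataclass
class DoSCircuitDetector:
    """Simplified model of the circuit-creation DoS detection rule.

    Assumed model (not Tor's implementation): each address has a token
    bucket of `burst` circuits refilled at `rate` circuits/second. Once
    the bucket is empty, a circuit request counts as a positive detection
    only if the address has at least `min_connections` open connections
    (DoSCircuitCreationMinConnections).
    """
    min_connections: int = 3
    rate: float = 3.0        # constructed value, circuits per second
    burst: int = 90          # constructed value, bucket size
    stats: dict = field(default_factory=dict)

    def _get(self, addr, now):
        st = self.stats.get(addr)
        if st is None:
            st = AddressStats(tokens=float(self.burst), last_refill=now)
            self.stats[addr] = st
        return st

    def connection_opened(self, addr, now):
        self._get(addr, now).concurrent_conns += 1

    def connection_closed(self, addr, now):
        st = self._get(addr, now)
        st.concurrent_conns = max(0, st.concurrent_conns - 1)

    def circuit_created(self, addr, now):
        """Record a circuit creation; return True if the address is flagged."""
        st = self._get(addr, now)
        elapsed = now - st.last_refill
        st.tokens = min(float(self.burst), st.tokens + elapsed * self.rate)
        st.last_refill = now
        if st.tokens >= 1.0:
            st.tokens -= 1.0
            return st.flagged
        # Rate exceeded: the concurrent-connection threshold decides.
        if st.concurrent_conns >= self.min_connections:
            st.flagged = True
        return st.flagged


def simulate_nat(min_connections, users, circuits_per_user, now=0.0):
    """Several users share one public address (carrier NAT), each with one
    connection to the guard, and all create circuits at the same instant.
    Returns whether the shared address ends up flagged."""
    det = DoSCircuitDetector(min_connections=min_connections)
    addr = "198.51.100.7"  # constructed sample address
    for _ in range(users):
        det.connection_opened(addr, now)
    for _ in range(users * circuits_per_user):
        det.circuit_created(addr, now)
    return det.stats[addr].flagged


if __name__ == "__main__":
    for users in (1, 2, 3):
        for min_conns in (3, 1):
            print(f"users={users} min_connections={min_conns}: "
                  f"flagged={simulate_nat(min_conns, users, 100)}")
```

With the constructed burst of 90, two NAT users together creating 200 circuits exhaust the allowance either way; at the default threshold of 3 the address stays unflagged because only 2 connections are open, while at a threshold of 1 it is flagged, which is the effect the reply warns about for clients and hidden services behind a single address.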