Dan Staples:
On 10/20/2013 12:42 PM, Gordon Morehouse wrote:
If a Tor relay has a circuit built through a peer, and the peer starts dropping 100% of packets, how long will it take before the relay with the circuit "gives up" on the circuit and tears it down? I want to set my temp ban time *below* this timeout. Thus, unlucky peers that were caught in the filter and have circuits already built through the relay will experience a brief performance degradation, but they won't lose their active circuits through the overloaded relay, and in the meantime hopefully the overload condition is becoming resolved.
Might it be better to actually cause the connecting client to tear down the circuit instead of degrading performance? If your relay is already being swamped by circuit-creation requests, it might be better to cause clients to build new circuits, hopefully not using your relay, no?
My reasoning here is that the Pi can push at least 2.5 Mbps of traffic comfortably. If a Pi-based relay gets the Stable flag, and peers start building long-lived circuits through it (correct me if my understanding is weak please, BTW), the traffic flowing through those existing circuits isn't doing the most loading of the relay; it's the SYNs/circuit creation requests, and thus, those are what I want to shed.
The issue is that a peer with circuits which already exist may send some SYNs at the wrong time and get banned - I'd prefer to temporarily degrade service than to force that peer to tear down the circuit, because the circuit itself isn't causing much load. The ban of a peer with pre-existing circuits is collateral damage, essentially, and I'd like to limit that.
Let's pretend (I have no idea) that Tor will give up after 90 sec if a circuit's peer starts dropping all packets. If I choose only to drop packets for anyone caught in the short-term ban filter for 75 seconds, that's probably a pretty strong signal to peers looking to build *new* circuits to try elsewhere, but the peers with existing circuits will be degraded for 75 seconds and then get to keep their active circuits. If the storm abates or even slows, they may not see this degradation much at all.
I'm still waiting for another "storm" to test the 60 sec findtime / 90 sec bantime guesses that I made (and just pushed to my repo, BTW). Every time my relay crashes due to a storm, it takes me that much longer to get Stable back, and the storms are almost nonexistent until you have the Stable flag in my observation.
Best,
-Gordon M.
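The trade-off discussed in this message, as an added example that is not part of the original e-mail or of Gordon's repo: a simplified model of a findtime/bantime filter applied to one peer's SYN timestamps, checking whether the longest continuous drop period stays below the circuit give-up time. The `MAXRETRY` threshold, the constructed SYN burst, and the 90-second circuit timeout (which the message itself calls a guess) are assumptions.

```python
from collections import deque

def ban_intervals(syn_times, findtime, maxretry, bantime):
    """Return [(start, end), ...] ban periods for one peer's SYN timestamps (seconds)."""
    window, bans, banned_until = deque(), [], float("-inf")
    for t in sorted(syn_times):
        if t < banned_until:
            continue  # assumption: SYNs dropped during a ban are not counted
        window.append(t)
        while window[0] <= t - findtime:  # forget SYNs older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned_until = t + bantime
            bans.append((t, banned_until))
            window.clear()  # assumption: counter resets once the ban is issued
    return bans

def longest_blackout(bans):
    """Longest continuous stretch during which the peer's packets are dropped."""
    longest, cur_start, cur_end = 0, None, None
    for start, end in bans:
        if cur_end is not None and start <= cur_end:
            cur_end = max(cur_end, end)  # back-to-back bans merge into one outage
        else:
            cur_start, cur_end = start, end
        longest = max(longest, cur_end - cur_start)
    return longest

def circuits_survive(bans, circuit_timeout):
    """True if no continuous drop period reaches the circuit give-up time."""
    return longest_blackout(bans) < circuit_timeout

MAXRETRY = 10          # hypothetical threshold, not a value from the message
CIRCUIT_TIMEOUT = 90   # the "let's pretend" give-up time from the message
BURST = list(range(0, 301, 2))  # constructed sample: one SYN every 2 s for 5 min

if __name__ == "__main__":
    for bantime in (75, 90):
        bans = ban_intervals(BURST, findtime=60, maxretry=MAXRETRY, bantime=bantime)
        print(bantime, bans, "circuits survive:", circuits_survive(bans, CIRCUIT_TIMEOUT))
```
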