On Fri, Jan 29, 2021 at 12:34:28AM +0100, nusenu wrote:
> If dir auths (some or all) are willing to share (privately or publicly) the distribution of attack load (frequency, bandwidth, ...) by exit source IP in total or relative values I can correlate this data to strengthen a hypothesis that malicious/suspicious exits are involved to a greater extent than well-known long term exits.
I'll send you out-of-band a little snapshot of requests from relay IP addresses -- 160k requests over a 24 minute period from yesterday early evening.
At one point later in the evening I was getting several tens of millions of requests per hour. That's when I started to realize that exit relay operators were probably seeing this increased load too.
> That could mean that they are not (exclusively) attacking via but _from_ servers that also happen to run tor exits.
Well, there are definitely other addresses -- the overload from last week was non-relay addresses, and that's still going.
It's possible that there are exits that are generating more than their "fair" share of requests. I didn't see that pattern obviously happening, and confirming it would be complicated by the fact that some relays probably have less or more congestion, which would cause the attacks to be more efficient or less efficient through them.
We had a long debugging session in #tor-dev on irc last night, and there will be more of those as we proceed. We've found a bunch of short-term fragile distinguishers, which we could use to block the "bad" traffic right now, but which wouldn't hold up if the bad traffic adapts a bit.
More broadly, we're trying to walk the fine line between doing our analysis and patches in public (yay transparency), vs being aware that whoever is doing this is probably reading these threads too. The destination we want is that we have defenses that are robust to the attacker knowing about them, but things will be a bit bumpy as we get to that destination.
I'm also trying to make sure everybody continues to think about the privacy side -- the directory authorities or fallbackdirs don't know what paths clients build, or what destinations they reach with them, but they can know at what timestamps some IP addresses seemed to be using Tor. And like most things, that information is better private by default.
> From another angle this is an interesting precedent because the tor project uses its access to protect dir auths from exit relays. Why is that interesting? Because no one else that gets attacked via exit relays has that "luxury" to "filter" it at the "source" (exits).
Actually, the #2667 patch protects all relays from exit relays. That is, exit relays will decline to exit to known ORPorts or DirPorts of any relay. There are two benefits here: (a) people can't do circuit-level amplification attacks (happy to elaborate on these once the defense is more in place), and (b) people can't create directory requests which blend with the directory requests that the relay itself does.
These two issues are Tor-specific, and the second one is an especially good argument I think, because the relay is reserving for itself the ability to make its dir connections in a way that the destination can know that the relay is the one making the connection. (Another option would be to add more authentication to the connection, but most ways of doing that are heavier-weight, not lighter-weight.)
--Roger
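Added example, not code from this thread or from tor itself, illustrating two things discussed above over constructed data: the relay-port rule Roger describes for #2667 (an exit declines streams to any known relay's ORPort or DirPort, while other ports on that host stay reachable), and the per-exit "fair share" comparison nusenu asked for and Roger cautioned about (requests per source IP versus the exit's share of consensus weight, with non-relay sources reported separately). The consensus excerpt, the request log lines and the 3.0 flagging threshold are all constructed for illustration; the relay identity and digest fields are placeholders.

```python
"""Added example (not from the thread or from tor): relay-port exit filter and
per-exit request-share analysis over constructed sample data."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Relay:
    nickname: str
    ip: str
    orport: int
    dirport: int          # 0 means the relay advertises no DirPort
    bandwidth: int = 0    # consensus weight from the 'w Bandwidth=' line
    flags: frozenset = frozenset()


# Constructed consensus excerpt; identity and digest fields are placeholders.
SAMPLE_CONSENSUS = """\
r exitA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2021-01-28 18:00:00 203.0.113.10 9001 9030
s Exit Fast Running Stable Valid
w Bandwidth=20000
r exitB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2021-01-28 18:00:00 198.51.100.7 443 80
s Exit Fast Running Valid
w Bandwidth=1000
r guardC EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2021-01-28 18:00:00 192.0.2.55 9001 0
s Fast Guard Running Stable Valid
w Bandwidth=5000
"""


def parse_consensus(text):
    """Walk 'r' / 's' / 'w' lines; each 'r' line starts a new relay entry."""
    relays = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 9:
            relays.append(Relay(parts[1], parts[6], int(parts[7]), int(parts[8])))
        elif parts[0] == "s" and relays:
            relays[-1].flags = frozenset(parts[1:])
        elif parts[0] == "w" and relays:
            for kv in parts[1:]:
                key, _, value = kv.partition("=")
                if key == "Bandwidth":
                    relays[-1].bandwidth = int(value)
    return relays


def relay_ports(relays):
    """(ip, port) pairs an exit declines to connect to: every ORPort and DirPort."""
    blocked = set()
    for r in relays:
        blocked.add((r.ip, r.orport))
        if r.dirport:
            blocked.add((r.ip, r.dirport))
    return blocked


def exit_allows(blocked, ip, port):
    """True if an exit applying the relay-port rule would open this stream.
    Only the relay's own ports are refused, not the whole host."""
    return (ip, port) not in blocked


# Constructed directory-request log: timestamp, source IP, request.
SAMPLE_LOG = (
    ["2021-01-28T18:05:01Z 203.0.113.10 GET /tor/status-vote/current/consensus-microdesc"] * 60
    + ["2021-01-28T18:05:02Z 198.51.100.7 GET /tor/status-vote/current/consensus-microdesc"] * 30
    + ["2021-01-28T18:05:03Z 198.51.100.200 GET /tor/status-vote/current/consensus"] * 10
)


def request_share(log_lines, relays):
    """Per-source-IP counts; for Exit-flagged relays, share of requests divided by
    share of total Exit weight. A ratio near 1 is a 'fair share'; a large ratio is
    a lead, not proof, since path congestion skews how much traffic gets through."""
    counts = Counter(line.split()[1] for line in log_lines)
    by_ip = {r.ip: r for r in relays}
    exit_weight = sum(r.bandwidth for r in relays if "Exit" in r.flags)
    total = sum(counts.values())
    rows = {}
    for ip, n in counts.items():
        r = by_ip.get(ip)
        row = {"requests": n, "request_share": n / total, "kind": "non-relay", "ratio": None}
        if r is not None:
            row["kind"] = r.nickname
            if "Exit" in r.flags and exit_weight:
                row["ratio"] = row["request_share"] / (r.bandwidth / exit_weight)
        rows[ip] = row
    return rows


def flag_heavy_exits(rows, threshold=3.0):
    """Exits whose request/weight ratio exceeds the (constructed) threshold."""
    return sorted(row["kind"] for row in rows.values()
                  if row["ratio"] is not None and row["ratio"] > threshold)


if __name__ == "__main__":
    relays = parse_consensus(SAMPLE_CONSENSUS)
    blocked = relay_ports(relays)
    print("exit to exitA DirPort:", exit_allows(blocked, "203.0.113.10", 9030))
    print("exit to exitA port 22:", exit_allows(blocked, "203.0.113.10", 22))
    rows = request_share(SAMPLE_LOG, relays)
    for ip, row in rows.items():
        print(ip, row)
    print("heavy exits:", flag_heavy_exits(rows))
```

In the constructed data exitB sends 30% of the requests while holding under 5% of the Exit weight, so it is flagged, while exitA's 60% is below its weight share and the non-relay address is listed without a ratio. The filter side deliberately keys on (ip, port), not on the IP alone, so a relay host that also serves unrelated traffic on other ports is still reachable through exits.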