[tor-access] Predicting effectiveness

John Graham-Cumming jgc at cloudflare.com
Tue Oct 4 06:32:58 UTC 2016


On Tue, Oct 4, 2016 at 4:15 AM, Jeff Burdges <burdges at gnunet.org> wrote:

> On Mon, 2016-10-03 at 20:28 +0100, John Graham-Cumming wrote:
> > 1. Benign GET / repeated 1000 times per second. That's a DoS on
> > the server
>
> Is this going to work over Tor anyways?  I suppose your concern would be
> PHP, etc. that falls over much faster than the web server calling it,
> no?
>

It turns out that does work over Tor. We see this type of DoS happen
across the Tor network. The network has quite a lot of capacity and
certainly enough to knock over smaller web sites. A related tool is "Tor's
Hammer" which performs DoS using a slightly different method over Tor.


> > 2. Shellshock. Looks like a benign GET / but nasty payload in
> > User-Agent header
> > 3. Simple GET but with SQLi in the URI
>
> I suppose you're not worried about targeted attack per se here, as they
> can always solve the current CAPTCHA, but automated attackers who
> attempt attacks on many servers, no?
>

Right. For example the popular sqlmap tool for finding SQLi vulnerabilities
in a web site has a --tor option to run through the Tor network. Running
attack tools via Tor is very common.


> Are these serious concerns?  I suppose they're more serious than the DoS
> concerns, so that sounds bad from the token stockpiling perspective.*


Yes, these are serious concerns. If they weren't I would have just dropped
CAPTCHA for Tor exit nodes and be done with it. We know from watching
attacks come through Tor that to do so would expose people's web sites.

> * If this becomes an issue, there is an approach that might work: Just
> use multiple signing keys, one system wide key C for all CloudFlare
> sites, and individual site keys for each site CloudFlare protects.  If
> you solve a CAPTCHA then you withdraw a moderate stack of C tokens.  If
> you visit site X then you spend an X token if you have one, but if you
> do not then you spend a single C token to withdraw tens of thousands of
> X tokens.  So solving a CAPTCHA is worth hundreds of thousands of page
> loads, but only across a moderate number of sites.  We could have separate
> Cbig and Csmall keys such that first it withdraws with Csmall, but if
> the user blows through that quickly then it withdraws with Cbig.
>

I'll let the crypto-heads explore that.
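The two-tier token scheme quoted in the footnote above, modelled as an added example (not code from the thread, from Jeff Burdges or from CloudFlare). It assumes HMAC tags over random nonces as a stand-in for the signed tokens (the blinding step that would hide withdrawals from the issuer is omitted), and batch sizes `c_batch` and `x_batch` chosen only for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
# Tokens are HMAC tags over a random nonce, a stand-in for the blind-signed
# tokens the thread has in mind (the blinding step is omitted here).
class Issuer:
    def __init__(self, sites, c_batch, x_batch):
        self.keys = {"C": secrets.token_bytes(32)}  # system-wide key C
        self.keys.update({s: secrets.token_bytes(32) for s in sites})  # per-site keys
        self.c_batch, self.x_batch = c_batch, x_batch
        self.spent = set()  # (key, nonce) pairs already redeemed

    def _tag(self, key, nonce):
        return hmac.new(self.keys[key], nonce, hashlib.sha256).digest()

    def _mint(self, key, n):
        return [(key, nc, self._tag(key, nc))
                for nc in (secrets.token_bytes(16) for _ in range(n))]

    def redeem(self, token):
        # A token is accepted once: the tag must verify and the nonce be unspent.
        key, nonce, tag = token
        if not hmac.compare_digest(self._tag(key, nonce), tag) or (key, nonce) in self.spent:
            return False
        self.spent.add((key, nonce))
        return True

    def solve_captcha(self):
        return self._mint("C", self.c_batch)  # a moderate stack of C tokens

    def exchange(self, c_token, site):
        # One C token buys a batch of tokens valid for a single site only.
        return self._mint(site, self.x_batch) if self.redeem(c_token) else []

def visit(issuer, wallet, site):
    # Spend an X token if held; otherwise spend one C token to withdraw a batch.
    if not wallet[site]:
        if not wallet["C"]:
            return False  # stockpile exhausted: a fresh CAPTCHA is needed
        for t in issuer.exchange(wallet["C"].pop(), site):
            wallet[t[0]].append(t)
    return issuer.redeem(wallet[site].pop())

def served(visits, c_batch, x_batch):
    # Page loads one CAPTCHA solution buys for a given sequence of site visits.
    issuer = Issuer(set(visits), c_batch, x_batch)
    wallet = defaultdict(list)
    wallet["C"].extend(issuer.solve_captcha())
    return sum(visit(issuer, wallet, s) for s in visits)
```

With `c_batch` C tokens per CAPTCHA and `x_batch` site tokens per exchange, one solution is bounded at `c_batch * x_batch` page loads spread over at most `c_batch` distinct sites, which is the trade-off the footnote describes.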