[tor-bugs] #16052 [Tor]: Hidden service socket exhaustion by opening many connections
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed May 20 13:33:06 UTC 2015
#16052: Hidden service socket exhaustion by opening many connections
------------------------+------------------------------------------
Reporter: asn | Owner:
Type: defect | Status: new
Priority: normal | Milestone: Tor: 0.2.7.x-final
Component: Tor | Version:
Resolution: | Keywords: tor-hs dos SponsorR SponsorU
Actual Points: | Parent ID:
Points: |
------------------------+------------------------------------------
Comment (by yawning):
Replying to [comment:14 asn]:
> Then, I did a bit of testing with Yawning's branch. With the naive
attack, it seems that Yawning's branch works as intended (ignores
superfluous `RELAY_BEGIN` cells) but it doesn't stop the DoS. That is, the
whole system still goes at 100% CPU just because of cell processing (I
think).
Well, it stops the DoS in that, despite the load being at 100%, new
connections (and existing ones) will continue to get serviced (if they
weren't it would be a sign that our circuit level scheduling is broken,
which it isn't).
If the goal here is to keep CPU load down when bad guys can send arbitrary
traffic down one circuit, then a trivial way for the bad guys to drive
load up to 100% would be to spam `DROP` cells. There's ever so slightly
less processing involved for `DROP` cells than ignored `BEGIN` cells, but
not enough that that variant of the attack isn't possible to mount.
> If we change Yawning's patch to tear down the circuit after the max
number of streams have been encountered, then it seems to work better.
>
> We discussed making this behavior more configurable by having two
switches:
>
> `HiddenServiceMaxStreams`: The maximum number of simultaneous streams on
an HS circuit.
>
> `HiddenServiceMaxStreamsCloseCircuit`: If set, then when
`HiddenServiceMaxStreams` is triggered, we close the respective circuit.
If not set, we just ignore requests for superfluous streams. (Default:
off)
>
> (The positive thing of not killing the circuit above, is that the
circuit will recover once the number of streams goes below the threshold)
Some people on IRC seem to think that once a circuit trips the threshold
we should stop sending SENDME cells. I don't particularly think that the
behavior with my branch is broken though, and I'm still refactoring the
linked list code so I'll think about that later.
Note to the peanut gallery: There is still NO guarantee that I got the
stream accounting I added correct, and using my branch is still not
advised.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16052#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list