[tor-bugs] #25248 [Core Tor/Tor]: DoS mitgation: improve documentation

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Apr 9 19:00:12 UTC 2018 

#25248: DoS mitgation: improve documentation
-------------------------------------------------+-------------------------
 Reporter:  cypherpunks                          |          Owner:  dgoulet
     Type:  enhancement                          |         Status:
                                                 |  needs_revision
 Priority:  Medium                               |      Milestone:  Tor:
                                                 |  0.3.3.x-final
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tor-dos, manpage, tor-doc,           |  Actual Points:
  033-triage-20180320, fast-fix,                 |
  033-included-20180326                          |
Parent ID:                                       |         Points:
 Reviewer:  mikeperry                            |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by mikeperry):

 * status:  needs_review => needs_revision


Comment:

 Ok, I read the whole section and I have a few questions/comments:

 0. "Tor has 3 build-in mitigation options" -> "Tor has three built-in
 mitigation options"

 1. It is not clear how DoSCircuitCreationBurst applies. Does that counter
 get reset every time the values in DoSCircuitCreationRate and
 DoSCircuitCreationMinConnections fall above/below their threshold? So that
 first, a client IP has to exceed DoSCircuitCreationMinConnections, and
 then exceed DoSCircuitCreationRate, and then we start counting to 90
 circuits for that IP? If so, we should state that. If not, we should state
 how bursts are counted and if/when that counter is reset.

 2. We should also state that the names for the consensus parameters are
 the same as the torrc names. This is not always the case.

 3. Can we include a statement about log lines people can check for to see
 if these limits are being hit on their relay? If they are warns, then just
 saying Tor will emit a warning is enough. If they are notices, then maybe
 we should have either the log string, or something people can grep for?

 4. This section should be right below the SERVER OPTIONS section, since
 that is what they are. The first paragraph should also say that these
 options are for Tor relays/servers (and not for onion services who may be
 under DoS, which could be another point of confusion here).

 5. Do we also want a dos-spec.txt with this info in torspec.git? I could
 see some of this stuff being moved to such a place and being cited
 instead. I don't feel super strongly about this, though.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25248#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list