[tor-bugs] #24902 [Core Tor/Tor]: Denial of Service mitigation subsystem

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Feb 15 00:28:53 UTC 2018 

#24902: Denial of Service mitigation subsystem
-------------------------------------------------+-------------------------
 Reporter:  dgoulet                              |          Owner:  dgoulet
     Type:  enhancement                          |         Status:
                                                 |  merge_ready
 Priority:  Very High                            |      Milestone:  Tor:
                                                 |  0.3.3.x-final
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tor-dos, tor-relay, review-          |  Actual Points:
  group-30, 029-backport, 031-backport,          |
  032-backport, review-group-31, SponsorV        |
Parent ID:                                       |         Points:
 Reviewer:  arma                                 |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by teor):

 Replying to [comment:70 dgoulet]:
 > Replying to [comment:69 teor]:
 > > My relay radia4 became unmeasured shortly after I disabled my firewall
 and started relying on the DDoS defences. And then a few hours later, it
 was measured again.
 > >
 > > I've checked that it's reachable on IPv4 and IPv6, and that the
 remaining firewall rules aren't blocking anything (unless the authorities
 are making *lots* of connections).
 > >
 > > Could the authorities (or the bandwidth authority clients) be
 triggering one of the defences?
 > > Aren't authorities meant to be exempted as relays?
 >
 > For reachability test, authority opens a one-hop circuit to the relay
 and it is authenticated right?

 Yes.

 > But anycase, there is no defense applied for known IPs and I assume
 dirauth are very known.

 It depends. If authorities set OutboundBindAddress, or their default route
 is through a non-public address, then their IPs won't be known. But they
 will be authenticated.

 > > Perhaps the bandwidth authority clients are building too many
 circuits?
 >
 > If the bwauth is opening more than 3 concurrent connections and doing on
 them 90 circuits burst at a rate of 3 circuit/second, then yes that is
 *crazy* and would trigger the defense. Or if it is opening more than 100
 TCP connections in parallel, all the other connections would get refused.
 >
 > > Edit: it was re-measured, not down
 >
 > The defense would be up for 60 minutes + rand(1, 30) minutes so if it
 was re-measured somehow properly without triggering the defense, I think
 that either the bwauth is on the edge there or it is not that.
 >
 > If the bwauth aren't opening that many circuits, I would blame the
 network load or/and bwauth code?

 Possibly. We should look for these issues in 0.3.3.2-alpha.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24902#comment:75>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list