[tor-bugs] #24902 [Core Tor/Tor]: Denial of Service mitigation subsystem

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Jan 21 17:14:35 UTC 2018

#24902: Denial of Service mitigation subsystem
 Reporter:  dgoulet                              |          Owner:  dgoulet
     Type:  enhancement                          |         Status:
                                                 |  needs_review
 Priority:  Very High                            |      Milestone:  Tor:
                                                 |  0.3.3.x-final
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ddos, tor-relay, review-group-30,    |  Actual Points:
  029-backport, 031-backport, 032-backport       |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:

Comment (by teor):

 I think we should add two more Tor2web defences managed by a consensus
 * when an introduce cell is sent direct from a client, drop that cell and
 any extend requests
   * this is really important because it delays Tor2web introductions and
 failed introduction extends
 * drop HSDir lookups where the circuit came directly from a client

 I think we should wait a release or two to turn the introduce and HSDir
 ones on.
 But if it gets really bad, and we backport them to 0.2.9, maybe we can
 turn them on sooner.

 I also think that Tor2web combined with single onion services makes a DDoS
 much more likely.
 Neither end has any guards, and they both make single hop connections,
 And we're not defending against that at all right now.

 When the service side is a directly connected client (single onion
 * we should automatically activate the introduce defence
   * this is very effective, because it stops Tor2web straight away
 * we should automatically activate the rendezvous defence (drop all cells)
 as soon as the service connects
   * this is not very effective, because the rendezvous has established,
 but it's important for security

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24902#comment:16>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
