[tor-bugs] #24902 [Core Tor/Tor]: Denial of Service mitigation subsystem

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Jan 22 20:10:13 UTC 2018


#24902: Denial of Service mitigation subsystem
-------------------------------------------------+-------------------------
 Reporter:  dgoulet                              |          Owner:  dgoulet
     Type:  enhancement                          |         Status:
                                                 |  needs_review
 Priority:  Very High                            |      Milestone:  Tor:
                                                 |  0.3.3.x-final
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ddos, tor-relay, review-group-30,    |  Actual Points:
  029-backport, 031-backport, 032-backport       |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by teor):

 Replying to [comment:17 dgoulet]:
 > ...
 > >  I think we should add two more Tor2web defenses managed by a
 > >  consensus parameter:
 >
 > Thanks teor for this, I 100% agree with you. What I'm wondering here is
 > if we should take the time to also implement these and backport them or
 > for now we only put in the RP one (which I think is the worst one because
 > clients do open the RP before doing the introduction) and put the others
 > in 034+? If the latter, I propose we open a new ticket for this "anti DoS
 > + tor2web" issue because also at that point, if we end up with relays just
 > denying direct client connections for HS purposes, we should start
 > considering strongly to rip off the tor2web code from Tor. I won't start a
 > "why do that discussion" in this ticket.

 Do we know if the extra load is bringing down HSDirs?
 (The fetch creates more load, but HS descriptors are cached by clients.)

 Let's open separate tickets for 0.3.4 for blocking Tor2web HSDir and
 Intro. And we should think about backporting the HSDir defence, because we
 will want it if the load gets worse.

 We might also want to block single onion / Tor2web intros and rendezvous
 by default, and backport the code for security. The existing tickets are
 #22688 and #22689.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24902#comment:18>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

