[tor-bugs] #24902 [Core Tor/Tor]: Denial of Service mitigation subsystem
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Jan 29 09:36:28 UTC 2018
#24902: Denial of Service mitigation subsystem
Reporter: dgoulet
Owner: dgoulet
Type: enhancement
Status: needs_review
Priority: Very High
Milestone: Tor: 0.3.3.x-final
Component: Core Tor/Tor
Version:
Severity: Normal
Resolution:
Keywords: ddos, tor-relay, review-group-30, 029-backport, 031-backport, 032-backport, review-group-31
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:
Comment (by arma):
And thus ends my review. Looking good!
I've been trying to figure out if I would want to set the consensus params
with these defaults -- "if 100 concurrent conns, ones after that are
refused" and "90 circuits, refilled 3 per second" -- and I think yes, I am
comfortable with those.
In the future, I plan to advocate for merging dos_cc_new_create_cell() and
dos_cc_get_defense_type() into a single function, which notes the
existence of the new create cell and also tells us whether to apply a
defense. And I plan to advocate for a second cc defense, which returns
DOS_CC_DEFENSE_REFUSE_CELL simply when stats->cc_stats.circuit_bucket ==
0, without any marking or checking of stats->concurrent_count. I think I
will want to instrument a real relay to see how often it would trigger
that new defense, though, and I am happy to delay my future plans so we
can get this patch out the door.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24902#comment:46>
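Added example, not code from the ticket or from Tor's dos.c: a small C model of the two defaults quoted above (100 concurrent connections, a 90-circuit bucket refilled at 3 per second) and of the two decision styles the comment contrasts. cc_new_create_cell_marking() is the merged "note the CREATE cell and decide" shape, where an empty bucket only bites when the client is also at the connection cap and the client is then marked for a while; cc_new_create_cell_bucket_only() is the simpler second defense that refuses purely on circuit_bucket == 0. The struct, the function names and the CC_MARK_DURATION_SEC value are assumptions made for the illustration; on a real relay the thresholds come from consensus parameters and the records are kept per source address.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Defaults quoted in the comment above, fixed as constants for this model.
   On a relay they would arrive as consensus parameters. */
#define CC_MAX_CONCURRENT_CONNS 100u /* connections after the 100th are refused */
#define CC_CIRCUIT_BUCKET_MAX   90u  /* burst of circuits one client may create */
#define CC_CIRCUIT_RATE_PER_SEC 3u   /* tokens returned to the bucket per second */
#define CC_MARK_DURATION_SEC    3600 /* hypothetical: how long a marked client is refused */

enum cc_defense { CC_DEFENSE_NONE = 0, CC_DEFENSE_REFUSE_CELL = 1 };

/* Hypothetical per-source-address record, carrying the two fields the comment
   names (concurrent_count, circuit_bucket) plus refill and mark timestamps. */
struct client_cc_stats {
  uint32_t concurrent_count; /* currently open connections from this address */
  uint32_t circuit_bucket;   /* remaining circuit-creation tokens */
  time_t   last_refill_ts;   /* last time the bucket was topped up */
  time_t   marked_until_ts;  /* 0 = not marked; else refuse cells until this time */
};

void cc_stats_init(struct client_cc_stats *s, time_t now) {
  s->concurrent_count = 0;
  s->circuit_bucket = CC_CIRCUIT_BUCKET_MAX;
  s->last_refill_ts = now;
  s->marked_until_ts = 0;
}

/* Token-bucket refill: rate * elapsed whole seconds, capped at the bucket size.
   Sub-second calls refill nothing and leave the timestamp alone so no
   fractional credit is lost. */
static void cc_refill_bucket(struct client_cc_stats *s, time_t now) {
  if (now <= s->last_refill_ts) return;
  uint64_t tokens = (uint64_t)(now - s->last_refill_ts) * CC_CIRCUIT_RATE_PER_SEC;
  uint64_t room = CC_CIRCUIT_BUCKET_MAX - s->circuit_bucket;
  s->circuit_bucket += (uint32_t)(tokens < room ? tokens : room);
  s->last_refill_ts = now;
}

/* Connection accounting. Returns false when the cap is already reached, i.e.
   the new connection is to be refused rather than counted. */
bool cc_new_connection(struct client_cc_stats *s) {
  if (s->concurrent_count >= CC_MAX_CONCURRENT_CONNS) return false;
  s->concurrent_count++;
  return true;
}

void cc_connection_closed(struct client_cc_stats *s) {
  if (s->concurrent_count > 0) s->concurrent_count--;
}

/* Merged "note the CREATE cell, then decide" routine. An empty bucket only
   triggers when the client also sits at the connection cap; the client is then
   marked and every further cell is refused until the mark expires. */
enum cc_defense cc_new_create_cell_marking(struct client_cc_stats *s, time_t now) {
  cc_refill_bucket(s, now);
  if (s->marked_until_ts > now) return CC_DEFENSE_REFUSE_CELL;
  if (s->circuit_bucket == 0) {
    if (s->concurrent_count >= CC_MAX_CONCURRENT_CONNS) {
      s->marked_until_ts = now + CC_MARK_DURATION_SEC;
      return CC_DEFENSE_REFUSE_CELL;
    }
    return CC_DEFENSE_NONE; /* over the circuit rate but under the conn cap */
  }
  s->circuit_bucket--;
  return CC_DEFENSE_NONE;
}

/* The second, simpler defense sketched in the comment: refuse the cell purely
   because the bucket is empty, with no marking and no look at concurrent_count. */
enum cc_defense cc_new_create_cell_bucket_only(struct client_cc_stats *s, time_t now) {
  cc_refill_bucket(s, now);
  if (s->circuit_bucket == 0) return CC_DEFENSE_REFUSE_CELL;
  s->circuit_bucket--;
  return CC_DEFENSE_NONE;
}

/* Stand-alone run: one client at the connection cap sends a burst of CREATEs. */
int main(void) {
  struct client_cc_stats s;
  time_t t0 = 1000; /* constructed clock; any monotonic seconds value works */
  cc_stats_init(&s, t0);
  while (cc_new_connection(&s)) { }
  int refused = 0;
  for (int i = 0; i < 120; i++)
    if (cc_new_create_cell_bucket_only(&s, t0) == CC_DEFENSE_REFUSE_CELL) refused++;
  printf("conns=%u refused %d of 120 CREATEs in one second\n", s.concurrent_count, refused);
  return 0;
}
```

The bucket-only variant refuses the 91st CREATE in any one-second window even from a client with a single connection, which is exactly the behaviour the comment says it would want to measure on a real relay before enabling; the marking variant never refuses that client.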