[tor-bugs] #25226 [Core Tor/Tor]: Circuit cell queue can fill up memory

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Mar 27 17:47:14 UTC 2018


#25226: Circuit cell queue can fill up memory
-------------------------------------------------+-------------------------
 Reporter:  dgoulet                              |          Owner:  dgoulet
     Type:  defect                               |         Status:
                                                 |  needs_review
 Priority:  Medium                               |      Milestone:  Tor:
                                                 |  0.3.3.x-final
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tor-cell, tor-relay, tor-dos,        |  Actual Points:
  033-must, review-group-34, security,           |
  033-triage-20180320, 033-included-20180320     |
Parent ID:                                       |         Points:
 Reviewer:  arma                                 |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by arma):

 * cc: mikeperry (added)


Comment:

 Replying to [comment:20 dgoulet]:
 > Datapoint: #9072

 This old ticket is really important here, because there was an earlier
 ticket (#9063) that proposed to limit the number of cells in-flight on a
 circuit, and #9072 is arguing that it opens up a bad guard discovery
 attack.

 Mind you, when I opened #9072, it was simply about how our protocol
 actually allows a huge number of cells in-flight, because non-data cells
 don't count in the sendme windows, so there is no easy small number where
 if a circuit goes over you know it's violating protocol.

 Mike was the one who retitled my ticket to be about guard discovery
 attacks. He says:
 {{{
 The attack enabled by #9063 is extremely similar to the Guard discovery
 attack from rpw's paper.
 }}}

 I wonder what the guard discovery attack actually is? Nobody says what it
 is on that ticket.

 So it would seem smart to reconstruct what it was we were worried about,
 to figure out if we should still be worried.

 I am bringing Mikeperry back into this ticket so he can channel his five-
 year-earlier self and tell us what the danger is.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25226#comment:24>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

