[tor-bugs] #25226 [Core Tor/Tor]: Circuit cell queue can fill up memory

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Mar 27 21:50:41 UTC 2018


#25226: Circuit cell queue can fill up memory
-------------------------------------------------+-------------------------
 Reporter:  dgoulet                              |          Owner:  dgoulet
     Type:  defect                               |         Status:
                                                 |  needs_review
 Priority:  Medium                               |      Milestone:  Tor:
                                                 |  0.3.3.x-final
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tor-cell, tor-relay, tor-dos,        |  Actual Points:
  033-must, review-group-34, security,           |
  033-triage-20180320, 033-included-20180320     |
Parent ID:                                       |         Points:
 Reviewer:  arma                                 |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by mikeperry):

 Replying to [comment:24 arma]:
 > Replying to [comment:20 dgoulet]:
 > > Datapoint: #9072
 >
 > This old ticket is really important here, because there was an earlier
 ticket (#9063) that proposed to limit the number of cells in-flight on a
 circuit, and #9072 is arguing that it opens up a bad guard discovery
 attack.
 >
 > Mind you, when I opened #9072, it was simply about how our protocol
 actually allows a huge number of cells in-flight, because non-data cells
 don't count in the sendme windows, so there is no easy small number where
 if a circuit goes over you know it's violating protocol.
 >
 > Mike was the one who retitled my ticket to be about guard discovery
 attacks. He says:
 > {{{
 > The attack enabled by #9063 is extremely similar to the Guard discovery
 attack from rpw's paper.
 > }}}
 >
 > I wonder what the guard discovery attack actually is? Nobody says what
 it is on that ticket.
 >
 > So it would seem smart to reconstruct what it was we were worried about,
 to figure out if we should still be worried.
 >
 > I am bringing Mikeperry back into this ticket so he can channel his
 five-year-earlier self and tell us what the danger is.

 The attack in #9072 was due to allowing a small, fixed amount of stream
 creates in flight to kill the circuit. If this number is small and
 predictable, a malicious website can create that many streams to cause the
 circuit to fail, at which point Tor will rebuild a new one on a new path.
 The website gets to rinse and repeat, and create enough circuits until one
 of its middles is chosen next to the guard.
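 To put a number on the "rinse and repeat" cost described above (an added
 illustration, not part of the ticket discussion): assume the attacker's
 relays hold a fraction $f$ of the middle-position selection weight, that a
 circuit is killed after a fixed cap of $c$ stream creates, and that each
 rebuild draws a fresh, independent middle. The chance that at least one of
 $k$ rebuilt circuits places an attacker middle next to the guard, and the
 expected number of rebuilds needed, are

 $$P(k) = 1 - (1 - f)^k, \qquad \mathbb{E}[k] = \frac{1}{f},$$

 at a cost to the website of only $c \cdot k$ stream creates. With, say,
 $f = 0.01$ the attacker expects roughly $100$ forced rebuilds, which is why
 a small, predictable per-circuit cap turns a cheap nuisance into a guard
 discovery primitive, whereas a large or non-predictable threshold (or a
 memory-based limit that does not tear the circuit down at a known count)
 does not hand the website that lever.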

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25226#comment:26>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online