[tor-bugs] #27921 [Core Tor/Tor]: apparent DOS / impairment-of-service against FallbackDirs using DIR requests, please evaluate for possible mitigation

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Nov 7 07:08:58 UTC 2018


#27921: apparent DOS / impairment-of-service against FallbackDirs using DIR
requests, please evaluate for possible mitigation
--------------------------+------------------------------------
 Reporter:  starlight     |          Owner:  (none)
     Type:  enhancement   |         Status:  new
 Priority:  Medium        |      Milestone:  Tor: unspecified
Component:  Core Tor/Tor  |        Version:  Tor: 0.3.4.1-alpha
 Severity:  Normal        |     Resolution:
 Keywords:  tor-dos       |  Actual Points:
Parent ID:                |         Points:
 Reviewer:                |        Sponsor:
--------------------------+------------------------------------

Comment (by teor):

 Replying to [comment:10 starlight]:
 > Replying to [comment:9 teor]:
 > . . .
 > > I wonder if this is a bug in Tor. If it is, it seems to affect relays
 > > (or old clients). Are the addresses making these requests in the consensus
 > > as relays?
 >
 > Seems to me it's some actor with a dubious agenda.  They pull
 > uncompressed full descriptors at a ridiculous rate from several stable
 > relays, mine included.  Perhaps they are trying to detect changes with
 > little or no delay

 But descriptors only change once an hour on directory mirrors, because
 mirrors don't fetch new descriptors until they get a new consensus. So
 this probably isn't helping them at all.

 > perhaps they are simply causing trouble the way the circuit extend
 > idiots were (same idiots, likely as not).  Requests all originate from
 > direct attached clients, a pool of rotating IPs in South America and SE
 > Asia--botnet if you ask me.

 Are they all in the same AS? Or a small set of ASes?
 Are the ASes ISPs or VPS providers?

 > I have lists of IPs from the iptables blocker that was working early
 > this year if you are interested.  Today I observed the connections serving
 > the requests generally have back-pressure and standing send-Q bytes, the
 > IPs appear similar to when the requests arrived via DIR port.

 We already limit connections and circuits per IP address. Maybe we should
 limit directory requests as well.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27921#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

