[tor-bugs] #28367 [Core Tor/Tor]: RFE additional DOS mitigations for exits

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Nov 8 06:37:08 UTC 2018


#28367: RFE additional DOS mitigations for exits
--------------------------+----------------------------------
 Reporter:  starlight     |          Owner:  (none)
     Type:  enhancement   |         Status:  closed
 Priority:  Medium        |      Milestone:  Tor: unspecified
Component:  Core Tor/Tor  |        Version:  Tor: unspecified
 Severity:  Normal        |     Resolution:  duplicate
 Keywords:  tor-dos       |  Actual Points:
Parent ID:  #24797        |         Points:
 Reviewer:                |        Sponsor:
--------------------------+----------------------------------

Comment (by teor):

 Replying to [comment:3 starlight]:
 > An obvious objection to ulimit -n as a control is that this is
 > simplistic with respect to multi-homed systems and may not always result
 > in resilient behavior.  Port limits operate with respect to IP addresses
 > rather than at global daemon level.  If ulimit -n is saturated, it will
 > not be possible to open new control connections.

 You can open new control connections if you set ulimit -n to a level your
 system can handle, and also set `DisableOOSCheck 0`:

 > > To reduce the number of file handles, use ulimit -n (limit) or the
 > > equivalent daemon launcher option.
 > >
 > > You may also want to set DisableOOSCheck 0 in your torrc, which causes
 > > tor to terminate connections at around 90% of the limit, rather than
 > > failing.

 Replying to [comment:4 starlight]:
 > Another point to think about is rate limiting of connections.  Scanners
 > generally operate by extending a number of circuits to an exit and then
 > rapidly opening streams / edge_connections on each, so an effective way to
 > mitigate this form of behavior is to have a rate limit that curtails or
 > kills circuits that rapidly initiate connections while leaving calmer
 > circuits untouched.  The first priority flesh-and-blood users who browse
 > the web can continue unharassed while bots get squelched.

 You're right: we should work out a way of rate-limiting exit connections
 as well.

 Until we do that, I suggest using a firewall to rate-limit the number of
 new outbound connections. It's not as targeted as inbound connections per
 IP address, but it will help.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28367#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
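The three operator-side mitigations the comment above points at (raise the descriptor limit via the daemon launcher, keep `DisableOOSCheck 0` in torrc, and rate-limit new outbound connections with a firewall) rendered as an added example. This is not code from the ticket or from the Tor project; the tor user name `debian-tor`, the `LimitNOFILE` value, the rate and burst numbers, and the nftables table name `tor_exit_dos` are assumptions to adjust for the relay at hand.

```shell
#!/bin/sh
# Added example (not from the ticket): render the operator-side mitigations
# discussed in #28367 for an exit relay run by a dedicated OS user.
# User name, descriptor limit, rate and burst below are assumed values.

# torrc fragment: keep the out-of-sockets check enabled so tor closes
# connections when it nears the descriptor limit instead of failing to
# open new ones (including control connections).
render_torrc_fragment() {
    printf '%s\n' '# Close connections near the descriptor limit instead of failing' \
                  'DisableOOSCheck 0'
}

# systemd drop-in: the "daemon launcher" equivalent of `ulimit -n`.
# LimitNOFILE is a real systemd [Service] directive; the value is assumed.
render_systemd_override() {
    limit="$1"
    printf '%s\n' '[Service]' "LimitNOFILE=${limit}"
}

# nftables ruleset: drop only the NEW outbound TCP connection attempts that
# exceed the allowed rate for the tor process owner. Established traffic is
# accepted unconditionally, so existing streams are not disturbed.
render_nft_ruleset() {
    user="$1"    # OS user tor runs as (assumed: debian-tor)
    rate="$2"    # new connections per second allowed (assumed)
    burst="$3"   # short burst allowance in packets (assumed)
    cat <<EOF
table inet tor_exit_dos {
    chain output {
        type filter hook output priority 0; policy accept;
        ct state established,related accept
        meta skuid "${user}" meta l4proto tcp ct state new limit rate over ${rate}/second burst ${burst} packets counter drop
    }
}
EOF
}

# Capacity check for monitoring: the comment states tor's OOS handling kicks
# in at around 90% of the descriptor limit. Returns success (0) when the
# current open-descriptor count has reached that threshold.
oos_would_trigger() {
    open_fds="$1"
    nofile_limit="$2"
    threshold=$(( nofile_limit * 9 / 10 ))
    [ "$open_fds" -ge "$threshold" ]
}

# Usage: print the rendered fragments for review before installing them
# (torrc, /etc/systemd/system/tor.service.d/override.conf, nft -f ruleset).
render_torrc_fragment
echo
render_systemd_override 65536
echo
render_nft_ruleset debian-tor 200 400
```

The nftables rule matches on the socket owner (`meta skuid`) rather than on source address, so it covers a multi-homed exit without per-address rules; the trade-off teor notes still applies: it limits the relay's total outbound connection rate, not individual circuits.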

