[tor-bugs] #8163 [Core Tor/Tor]: It is no longer deterministic which Sybils we omit

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Jun 2 23:09:06 UTC 2019


#8163: It is no longer deterministic which Sybils we omit
-------------------------------------------------+-------------------------
 Reporter:  arma                                 |          Owner:  (none)
     Type:  defect                               |         Status:  new
 Priority:  Medium                               |      Milestone:  Tor:
                                                 |  unspecified
Component:  Core Tor/Tor                         |        Version:  Tor:
                                                 |  0.2.4.10-alpha
 Severity:  Normal                               |     Resolution:
 Keywords:  tor-dirauth sybil voting needs-spec  |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by teor):

 Replying to [comment:24 arma]:
 > So, I think an evil person could manipulate which dir auths it responds
 > to, to get a 2x increase in Sybils per IP address. But I think it's capped
 > at 2x, because we demand a majority of Running votes from each dir auth to
 > put you in the consensus.

 It's strictly less than 2x.

 With AuthDirMaxServersPerAddr 2:
 * there are 9*2 = 18 Running-votes per IPv4 address
 * a majority is 5/9
 * 18/5 = 3

 With AuthDirMaxServersPerAddr 4:
 * there are 9*4 = 36 Running-votes per IPv4 address
 * a majority is 5/9
 * 36/5 = 7

 3 extra relays is a significant jump from 1 extra relay.

 Maybe we should fix this bug by adding a tie-breaker to the comparison?

 If we want the "best" relays, and we want convergent behaviour, we should
 sort by Running, weighted fractional uptime, then fingerprint to break
 zero-uptime ties.

 But it's still possible to game those checks, so we should:
 * add AuthDirMaxServersPerAddr as a consensus parameter, hard-coded to the
   value of the AuthDirMaxServersPerAddr torrc option
 * add a new consensus method that only chooses the first
   AuthDirMaxServersPerAddr relays per IP address, sorting by Running, then
   fingerprint

 These bugs shouldn't be that hard to fix.

 Do we have a sponsor for it?
 It fits within the broad topic of Sponsor V, but it's not in scope for any
 of the deliverables.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8163#comment:25>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
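
The tie-breaker proposed in the comment above, as an added example that is not part of the ticket and is not Tor's code: relays are sorted by Running, weighted fractional uptime, then fingerprint, and the first N per address are kept, so two authorities that received the same relays in a different order omit the same ones. The names `relay_t`, `relay_cmp` and `select_per_addr` are hypothetical, and the relay data is constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical relay record; field names are assumptions, not Tor's structs. */
typedef struct {
    uint32_t addr;   /* IPv4 address */
    int running;     /* 1 if this authority votes Running */
    double wfu;      /* weighted fractional uptime, 0.0..1.0 */
    char fp[41];     /* hex fingerprint (shortened in the sample data) */
    int kept;        /* output: 1 if listed, 0 if omitted */
} relay_t;

/* Total order: address, Running first, higher WFU first, then fingerprint.
 * Fingerprints are unique, so distinct relays never compare equal and the
 * result does not depend on input order or on the qsort implementation. */
static int relay_cmp(const void *a_, const void *b_) {
    const relay_t *a = a_, *b = b_;
    if (a->addr != b->addr) return a->addr < b->addr ? -1 : 1;
    if (a->running != b->running) return b->running - a->running;
    if (a->wfu != b->wfu) return a->wfu > b->wfu ? -1 : 1;
    return strcmp(a->fp, b->fp);
}

/* Sort in place and keep the first max_per_addr relays on each address.
 * Returns the number of relays kept. */
int select_per_addr(relay_t *r, size_t n, int max_per_addr) {
    int seen = 0, kept = 0;
    qsort(r, n, sizeof(*r), relay_cmp);
    for (size_t i = 0; i < n; i++) {
        seen = (i > 0 && r[i].addr == r[i - 1].addr) ? seen + 1 : 1;
        r[i].kept = (seen <= max_per_addr);
        kept += r[i].kept;
    }
    return kept;
}

/* Constructed sample: five relays on one address, as two authorities saw them. */
relay_t view_a[5] = {
    {0x0A000001, 1, 0.0, "DDDD", 0}, {0x0A000001, 0, 0.0, "0000", 0},
    {0x0A000001, 1, 0.0, "AAAA", 0}, {0x0A000001, 1, 0.0, "CCCC", 0},
    {0x0A000001, 1, 0.0, "BBBB", 0} };
relay_t view_b[5] = {
    {0x0A000001, 1, 0.0, "BBBB", 0}, {0x0A000001, 1, 0.0, "CCCC", 0},
    {0x0A000001, 1, 0.0, "AAAA", 0}, {0x0A000001, 0, 0.0, "0000", 0},
    {0x0A000001, 1, 0.0, "DDDD", 0} };

int main(void) { return select_per_addr(view_a, 5, 2) == select_per_addr(view_b, 5, 2) ? 0 : 1; }
```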

