[tor-bugs] #29607 [Core Tor/Tor]: Denial of service on v2 onion service

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Mar 13 13:52:56 UTC 2019 

#29607: Denial of service on v2 onion service
--------------------------+--------------------------
 Reporter:  pidgin        |          Owner:  pidgin
     Type:  defect        |         Status:  accepted
 Priority:  Immediate     |      Milestone:
Component:  Core Tor/Tor  |        Version:
 Severity:  Normal        |     Resolution:
 Keywords:                |  Actual Points:
Parent ID:  #25461        |         Points:
 Reviewer:                |        Sponsor:
--------------------------+--------------------------

Comment (by pidgin):

 Here is a debug log for a tor process under 100% cpu with v2 onion
 service. some info scrubbed.
 created 4MB debug logfile per second.

 -scrubbed-:27.000 [debug] relay_send_command_from_edge_(): delivering 14
 cell forward.
 -scrubbed-:27.000 [debug] relay_send_command_from_edge_(): Sending a
 RELAY_EARLY cell; 5 remaining.
 -scrubbed-:27.000 [debug] relay_encrypt_cell_outbound(): encrypting a
 layer of the relay cell.
 -scrubbed-:27.000 [debug] relay_encrypt_cell_outbound(): encrypting a
 layer of the relay cell.
 -scrubbed-:27.000 [debug] append_cell_to_circuit_queue(): Made a circuit
 active.
 -scrubbed-:27.000 [debug] connection_or_process_cells_from_inbuf(): 11:
 starting, inbuf_datalen 1028 (0 pending in tls object).
 -scrubbed-:27.000 [debug] channel_process_cell(): Processing incoming
 cell_t 0x7ffcaedf5950 for channel 0x563a770113e0 (global ID 2)
 -scrubbed-:27.000 [debug] circuit_get_by_circid_channel_impl():
 circuit_get_by_circid_channel_impl() returning circuit 0x563a779c4eb0 for
 circ_id 2380366636, channel ID 2 (0x563a770113e0)
 -scrubbed-:27.000 [debug] circuit_receive_relay_cell(): Sending to origin.
 -scrubbed-:27.000 [debug] connection_edge_process_relay_cell(): Now seen
 10207 relay cells here (command 15, stream 0).
 -scrubbed-:27.000 [debug] connection_edge_process_relay_cell(): Got an
 extended cell! Yay.
 -scrubbed-:27.000 [info] circuit_finish_handshake(): Finished building
 circuit hop:
 -scrubbed-:27.000 [info] internal circ (length 5, last hop $-scrubbed-):
 $-scrubbed-(open) $scrubbed(open) $scrubbed(open) $Cscrubbed(closed)
 $-scrubbed-(closed)
 -scrubbed-:27.000 [debug] btc_cevent_rcvr(): CIRC gid=1541 evtype=2
 reason=0 onehop=0
 -scrubbed-:27.000 [debug] circuit_build_times_add_time(): Adding circuit
 build time 22290
 -scrubbed-:27.000 [debug] circuit_send_intermediate_onion_skin(): starting
 to send subsequent skin.
 -scrubbed-:27.000 [info] circuit_send_intermediate_onion_skin(): Sending
 extend relay cell.
 -scrubbed-:27.000 [debug] relay_send_command_from_edge_(): delivering 14
 cell forward.
 -scrubbed-:27.000 [debug] relay_send_command_from_edge_(): Sending a
 RELAY_EARLY cell; 5 remaining.
 -scrubbed-:27.000 [debug] relay_encrypt_cell_outbound(): encrypting a
 layer of the relay cell.
 -scrubbed-:27.000 [debug] relay_encrypt_cell_outbound(): encrypting a
 layer of the relay cell.
 -scrubbed-:27.000 [debug] relay_encrypt_cell_outbound(): encrypting a
 layer of the relay cell.
 -scrubbed-:27.000 [debug] append_cell_to_circuit_queue(): Made a circuit
 active.
 -scrubbed-:27.000 [debug] connection_or_process_cells_from_inbuf(): 11:
 starting, inbuf_datalen 514 (0 pending in tls object).
 -scrubbed-:27.000 [debug] channel_process_cell(): Processing incoming
 cell_t 0x7ffcaedf5950 for channel 0x563a770113e0 (global ID 2)
 -scrubbed-:27.000 [debug] circuit_get_by_circid_channel_impl():
 circuit_get_by_circid_channel_impl() returning circuit 0x563a77524ad0 for
 circ_id 3378515571, channel ID 2 (0x563a770113e0)
 -scrubbed-:27.000 [debug] circuit_receive_relay_cell(): Sending to origin.
 -scrubbed-:27.000 [debug] connection_edge_process_relay_cell(): Now seen
 10208 relay cells here (command 35, stream 0).
 -scrubbed-:27.000 [info] rend_service_receive_introduction(): Received
 INTRODUCE2 cell for service "uuuuuuuuuuuuuuuuuuu" on circ 3378515571.
 -scrubbed-:27.000 [debug] extend_info_from_node(): using YYYYYYYYYYYYYYY
 for scrubbed
 -scrubbed-:27.000 [info] extend_info_from_node(): Including Ed25519 ID for
 $scrubbedscrubbed
 -scrubbed-:27.000 [info] rep_hist_note_used_internal(): New port
 prediction added. Will continue predictive circ building for 3003 more
 seconds.
 -scrubbed-:27.000 [debug] circuit_find_to_cannibalize(): Hunting for a
 circ to cannibalize: purpose 17, uptime 0, capacity 1, internal 1
 -scrubbed-:27.000 [debug] new_route_len(): Chosen route length 5 (6571
 direct and 6571 indirect routers suitable).
 -scrubbed-:27.000 [info] onion_pick_cpath_exit(): Using requested exit
 node '$scrubbedscrubbed'
 -scrubbed-:27.000 [debug] onion_extend_cpath(): Path is 0 long; we want 5
 -scrubbed-:27.000 [info] select_primary_guard_for_circuit(): Selected
 primary guard rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrriiiiiiiiiiiiiiiiiii
 ($-scrubbed-) for circuit.
 -scrubbed-:27.000 [debug] extend_info_from_node(): using
 XXXXXXXXXXXXXXzzzzzzzzzzzzzzzzzzzzzz for
 rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrriiiiiiiiiiiiiiiiiii
 -scrubbed-:27.000 [info] extend_info_from_node(): Including Ed25519 ID for
 $-scrubbed-~rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrriiiiiiiiiiiiiiiiiii at
 XXXXXXXXXXXXXX
 -scrubbed-:27.000 [debug] onion_extend_cpath(): Chose router
 $-scrubbed-~rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrriiiiiiiiiiiiiiiiiii at
 XXXXXXXXXXXXXX for hop #1 (exit is scrubbed)






 -scrubbed-:27.000 [debug] onion_extend_cpath(): Path is 1 long; we want 5
 -scrubbed-:27.000 [debug] choose_good_middle_server(): Contemplating
 intermediate hop #2: random choice.
 -scrubbed-:27.000 [debug] choose_good_middle_server(): Picking a sticky
 node (cur_len = 1)
 -scrubbed-:27.000 [debug] extend_info_from_node(): using
 rrrrrrrrrrrrrrrrrrrrrrrrzzzzzzzzzzzzzzzzzzzzzz for araglaucogularis
 -scrubbed-:27.000 [info] extend_info_from_node(): Including Ed25519 ID for
 $scrubbed~scrubbed
 -scrubbed-:27.000 [debug] onion_extend_cpath(): Chose router
 $scrubbed~scrubbed for hop #2 (exit is scrubbed)
 -scrubbed-:27.000 [debug] onion_extend_cpath(): Path is 2 long; we want 5
 -scrubbed-:27.000 [debug] choose_good_middle_server(): Contemplating
 intermediate hop #3: random choice.
 -scrubbed-:27.000 [debug] choose_good_middle_server(): Picking a sticky
 node (cur_len = 2)
 -scrubbed-:27.000 [debug] extend_info_from_node(): using
 scrubbed:kkkkkkkkkkkkkkkkkkkkkkkkkk for rrrrrrrrrrrrrrrrrrrrrrrrrrrr
 -scrubbed-:27.000 [info] extend_info_from_node(): Including Ed25519 ID for
 $xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx~rrrrrrrrrrrrrrrrrrrrrrrrrrrr at scrubbed
 -scrubbed-:27.000 [debug] onion_extend_cpath(): Chose router
 $xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx~rrrrrrrrrrrrrrrrrrrrrrrrrrrr at scrubbed
 for hop #3 (exit is scrubbed)
 -scrubbed-:27.000 [debug] onion_extend_cpath(): Path is 3 long; we want 5
 -scrubbed-:27.000 [debug] choose_good_middle_server(): Contemplating
 intermediate hop #4: random choice.
 -scrubbed-:27.000 [debug] router_choose_random_node(): We found 5695
 running nodes.
 -scrubbed-:27.000 [debug] router_choose_random_node(): We removed 0
 excludednodes, leaving 5695 nodes.
 -scrubbed-:27.000 [debug] router_choose_random_node(): We removed 4
 excludedsmartlist, leaving 5691 nodes.
 -scrubbed-:27.000 [debug] compute_weighted_bandwidths(): Generated
 weighted bandwidths for rule weight as middle node based on weights
 Wg=0.400800 Wm=1.000000 We=0.000000 Wd=0.000000 with total bw
 25389038256.000000
 -scrubbed-:27.000 [debug] extend_info_from_node(): using
 fffffffffffffffffffffffffffffff:kkkkkkkkkkkkkkkkkkkkkkkkkk for
 wwwwwwwwwwwwwwwwwwwwww
 -scrubbed-:27.000 [info] extend_info_from_node(): Including Ed25519 ID for
 $ggggggggggggggggggggggggggggggggggg~wwwwwwwwwwwwwwwwwwwwww at
 fffffffffffffffffffffffffffffff
 -scrubbed-:27.000 [debug] onion_extend_cpath(): Chose router
 $ggggggggggggggggggggggggggggggggggg~wwwwwwwwwwwwwwwwwwwwww at
 fffffffffffffffffffffffffffffff for hop #4 (exit is scrubbed)
 -scrubbed-:27.000 [debug] onion_extend_cpath(): Path is 4 long; we want 5
 -scrubbed-:27.000 [debug] onion_extend_cpath(): Chose router
 $scrubbedscrubbed for hop #5 (exit is scrubbed)
 -scrubbed-:27.000 [debug] onion_extend_cpath(): Path is complete: 5 steps
 long
 -scrubbed-:27.000 [debug] btc_cevent_rcvr(): CIRC gid=2543 evtype=0
 reason=0 onehop=0
 -scrubbed-:27.000 [debug] circuit_handle_first_hop(): Looking for firsthop
 'XXXXXXXXXXXXXXzzzzzzzzzzzzzzzzzzzzzz'
 -scrubbed-:27.000 [debug] btc_event_rcvr(): CIRC gid=2543 chan=2 onehop=0
 -scrubbed-:27.000 [debug] circuit_handle_first_hop(): Conn open.
 Delivering first onion skin.
 -scrubbed-:27.000 [debug] circuit_send_first_onion_skin(): First skin;
 sending create cell.
 -scrubbed-:27.000 [debug] circuit_get_by_circid_channel_impl():
 circuit_get_by_circid_channel_impl() found nothing for circ_id 3035601791,
 channel ID 2 (0x563a770113e0)
 -scrubbed-:27.000 [debug] circuit_deliver_create_cell(): Chosen circID
 3035601791.
 -scrubbed-:27.000 [debug] circuitmux_attach_circuit(): Attaching circuit
 3035601791 on channel 2 to cmux 0x563a770079d0
 -scrubbed-:27.000 [debug] append_cell_to_circuit_queue(): Made a circuit
 active.
 -scrubbed-:27.000 [debug] btc_state_rcvr(): CIRC gid=2543 state=0 onehop=0
 -scrubbed-:27.000 [info] circuit_send_first_onion_skin(): First hop:
 finished sending CREATE cell to
 '$-scrubbed-~rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrriiiiiiiiiiiiiiiiiii at
 XXXXXXXXXXXXXX'
 -scrubbed-:27.000 [info] rend_service_receive_introduction(): Accepted
 intro; launching circuit to [scrubbed] (cookie 2E7D742C) for service
 uuuuuuuuuuuuuuuuuuu.
 -scrubbed-:27.000 [debug] connection_or_process_cells_from_inbuf(): 11:
 starting, inbuf_datalen 0 (0 pending in tls object).
 -scrubbed-:27.000 [debug] conn_read_callback(): socket 10 wants to read.
 -scrubbed-:27.000 [debug] connection_buf_read_from_socket(): 10: starting,
 inbuf_datalen 0 (0 pending in tls object). at_most 16448.
 -scrubbed-:27.000 [debug] connection_buf_read_from_socket(): After TLS
 read of 1028: 1057 read, 0 written
 -scrubbed-:27.000 [debug] connection_or_process_cells_from_inbuf(): 10:
 starting, inbuf_datalen 1028 (0 pending in tls object).
 -scrubbed-:27.000 [debug] channel_process_cell(): Processing incoming
 cell_t 0x7ffcaedf5950 for channel 0x563a76ffd020 (global ID 1)
 -scrubbed-:27.000 [debug] circuit_get_by_circid_channel_impl():
 circuit_get_by_circid_channel_impl() returning circuit 0x563a773f5cd0 for
 circ_id 3703046038, channel ID 1 (0x563a76ffd020)
 -scrubbed-:27.000 [debug] circuit_receive_relay_cell(): Sending to origin.
 -scrubbed-:27.000 [debug] connection_edge_process_relay_cell(): Now seen
 10209 relay cells here (command 15, stream 0).
 -scrubbed-:27.000 [debug] connection_edge_process_relay_cell(): Got an
 extended cell! Yay.
 -scrubbed-:27.000 [info] circuit_finish_handshake(): Finished building
 circuit hop:
 -scrubbed-:27.000 [info] internal circ (length 5, last hop
 wwwwwwwwwwwwwwwwwwwwww): $hhhhhhhhhhhhhhhhhhhhhhhhh(open)
 eeeeeeeeeeeeeeeeeeeeeeeee(open) nnnnnnnnnnnnnnnnnnnnnnnnnnnnnn(open)
 vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv(open)
 lllllllllllllllllllllllllllllllllllllllll(open)
 -scrubbed-:27.000 [debug] btc_cevent_rcvr(): CIRC gid=1023 evtype=2
 reason=0 onehop=0
 -scrubbed-:27.000 [info] entry_guards_note_guard_success(): Recorded
 success for primary confirmed guard madtrixz01
 ($hhhhhhhhhhhhhhhhhhhhhhhhh)
 -scrubbed-:27.000 [debug] btc_state_rcvr(): CIRC gid=1023 state=4 onehop=0
 -scrubbed-:27.000 [info] circuit_build_no_more_hops(): circuit built!
 -scrubbed-:27.000 [debug] btc_cevent_rcvr(): CIRC gid=1023 evtype=1
 reason=0 onehop=0
 -scrubbed-:27.000 [info] rend_service_rendezvous_has_opened(): Done
 building circuit 3703046038 to rendezvous with cookie A9ADDEC1 for service
 uuuuuuuuuuuuuuuuuuu96EB1FD02A5(open) nnnnnnnnnnnnnnnnnnnnnnnnnnnnnn(open)
 vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv(open)
 lllllllllllllllllllllllllllllllllllllllll(open)
 -scrubbed-:27.000 [debug] btc_cevent_rcvr(): CIRC gid=1023 evtype=2
 reason=0 onehop=0
 -scrubbed-:27.000 [info] entry_guards_note_guard_success(): Recorded
 success for primary confirmed guard madtrixz01
 ($hhhhhhhhhhhhhhhhhhhhhhhhh)
 -scrubbed-:27.000 [debug] btc_state_rcvr(): CIRC gid=1023 state=4 onehop=0
 -scrubbed-:27.000 [info] circuit_build_no_more_hops(): circuit built!
 -scrubbed-:27.000 [debug] btc_cevent_rcvr(): CIRC gid=1023 evtype=1
 reason=0 onehop=0
 -scrubbed-:27.000 [info] rend_service_rendezvous_has_opened(): Done
 building circuit 3703046038 to rendezvous with cookie A9ADDEC1 for service
 uuuuuuuuuuuuuuuuuuu
 -scrubbed-:27.000 [info] internal circ (length 5):
 $hhhhhhhhhhhhhhhhhhhhhhhhh(open) eeeeeeeeeeeeeeeeeeeeeeeee(open)
 nnnnnnnnnnnnnnnnnnnnnnnnnnnnnn(open)
 vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv(open)
 lllllllllllllllllllllllllllllllllllllllll(open)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29607#comment:18>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list