[tor-bugs] #33666 [Circumvention/Snowflake]: Investigate Snowflake proxy failures

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Apr 3 15:29:48 UTC 2020


#33666: Investigate Snowflake proxy failures
-------------------------------------+------------------------------
 Reporter:  cohosh                   |          Owner:  (none)
     Type:  defect                   |         Status:  needs_review
 Priority:  High                     |      Milestone:
Component:  Circumvention/Snowflake  |        Version:
 Severity:  Normal                   |     Resolution:
 Keywords:                           |  Actual Points:
Parent ID:  #19001                   |         Points:
 Reviewer:                           |        Sponsor:
-------------------------------------+------------------------------

Comment (by cohosh):

 Replying to [comment:9 dcf]:
 > Replying to [comment:5 cohosh]:
 > > 1. log debug information and encourage the owner through the UI to
 > > file a Tor ticket with the log messages so we can figure out what's going
 > > on,
 > > 2. keep track of how many times this happens, and if it always happens
 > > (the proxy sees no successful connections) disable the proxy and print out
 > > some debug messages,
 > > 3. do a probe test only when the datachannel fails to open to check
 > > whether the proxy can open a datachannel with the probe point.
 >
 > My opinion on this is that (2) is a reasonable idea. (I said (3) in the
 > meeting today but I meant (2).)
 >
 > It does open a new DoS vector: a malicious client can fail all its
 > DataChannels and cause proxies to think they are unreliable.
 >
 > comment:8 shows that failure rate may be as much a function of the
 > client as of the proxy. Maybe this is a mutually incompatible NAT
 > situation? The symptoms you mention in comment:2 match that. It's possible
 > that both peers are sending binding requests to each other, but neither
 > are making it all the way to the other side.

 Huh. This is a really good find. I was doing my tests on a VPS and my
 failure rate matches what your VPS failure rate was. I had no idea the NAT
 topologies of the client and proxy should have anything to do with each
 other.

 Now I'm interested in whether the proxies that fail for a VPS are a subset
 of the proxies that fail for the home setup. If that's true, then I still
 think we should move forward with some variation of option (2). If not,
 then it doesn't seem to be the fault of the proxies and disabling them
 completely just because they get a lot of home connections might not be
 the right way to go. Although that is the typical use case. Of course the
 best thing to do is further track down what's happening here and find a
 way to make these proxies useful to more clients.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33666#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

