Proposal 109: No more than one server per IP address [was Re: Sybil Attack Countermeasures]
nickm at freehaven.net
Mon Mar 12 03:33:22 UTC 2007
I've added the original proposal as "109-no-sharing-ips.txt", retitled
it to No more than one server per IP address, and merged in Roger's
suggestions (except for those that represent an alternative approach;
I've put those at the end).
My rationale for the name change was:
- We'll eventually want to do something even more smart to detect
some kinds of Sybil attacks. When we do, we won't want to have
a "sybil-checking.txt", a "more-sybil-checking.txt", and a
- This isn't actually a test for Sybil attacks per se: it's only a
break on Sybil attacks by an attacker who can't get lots of IP
On Sun, Mar 11, 2007 at 05:28:54AM -0400, Roger Dingledine wrote:
> Should we consider enforcing this on /16 networks rather than /32, like
> we already do for servers-in-the-same-circuit? In many cases being next
> door too isn't so much harder.
This isn't such a good idea; /16s are much bigger geographically in
some places than others. For example, here's our current top-5 /16s, along
with their count of networkstatus entries:
If we do /24 instead, the top 6 are:
> Also, if we're trying to avoid letting the adversary attract too much
> bandwidth, should we be thinking "no more than 5MB/s advertised bandwidth
> total" rather than "no more than 5 servers total"? On the other hand,
> there are a very few cases where we choose a random node without regard
> for advertised bandwidth, so maybe number-of-servers would be good
Two caps sound best: one on total BW-per-IP and one on servers-per-IP.
> None of these are super compelling, other than the first, and I guess we
> could make an 'exceptions' list, though that would be code bloat. I'd be
> more comfortable putting the limit pretty high though (say, 5 servers
> or 5MB/s to start), because that will still block Sybils yet give us
> some flexibility to see how Tor use evolves.
Please, don't say "block Sybils" here. Remember, the Sybil attack
says nothing about requiring the adversary to have a nicely limited
number of IP addresses.
> > Specification:
> > We propose that the directory servers check if an incoming Tor router
> > IP address is already registered under another router. If this is
> > the case, then prevent this router from joining the network.
> By "registered", do you mean "Named"? Or just "Running"? Or just "in the
> network status"?
Another problem at this point: there is a race here. Suppose there are
two servers running on some IP address, A and B. Suppose that A
publishes to directory authority AUTH1 before B does, but that B
publishes to directory authority AUTH2 before A does. Now AUTH1 will
reject B as a Sybil, but AUTH2 will reject A as a Sybil. That's no
good; we probably need a different rule to keep the authorities from
getting arbitrarily out of sync with each other.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 652 bytes
Desc: not available
More information about the tor-dev