[tor-dev] Tor and slow DOS attacks

Mike Perry mikeperry at fscked.org
Wed Aug 24 22:10:18 UTC 2011 

Thus spake Georg Koppen (g.koppen at jondos.de):

> today, I read that blog post:
> 
> http://www.guerilla-ciso.com/archives/2049
> 
> It is talking about the rise of slow DOS attacks and that Tor could play
> an important role in it (in fact the post links to an already existing
> tool for this attack properly configured to get used with Tor).
> As one of the defenses (granted the last one on his list) the author
> mentions:
> 
> "Block TOR exit nodes before the traffic reaches your webservers (IE, at
> layer 3/4)."

Heh, guy describes an attack that can bring down a webserver from a
coffeeshop and his solution is to block Tor. I love people like this.
If he was just listing it for completeness, he should also have
recommended a national open wireless and open proxy registry, so
everyone can block that too. You know, to stop attacks. At least it
was last on the list.. 

This attack definitely sounds like it should be mitigated by Apache
config options, and possibly also some form of load-based connection
pruning support in Apache itself for use when the server comes close
to the MaxClients limit.

> Well, as this is not good for the Tor network and makes it unnecessary
> easy for censors to argue for blocking Tor ("we just want to defend us
> against slow DOS attacks") I am wondering whether there is already some
> effort under way to detect and ban such kind of traffic. Or should there
> be such effort at all?

There have been proposals to run IDSs at exit nodes before. In
theory, they can be supported by the Tor protocol without damaging
traffic:
https://lists.torproject.org/pipermail/tor-relays/2011-March/000675.html

So far no one seems interested in doing exit IDS the right way though.
We probably have a few exit operators running IDSs already, but they
are doing so at risk of being BadExited if they are discovered to be
interfering with *any* amount of normal traffic.

In general though, the belief is that this is not really our job. If
an attack is possible through Tor, blocking Tor or making Tor illegal
is akin to burying your head in the ground. Sure, you might stop the
script kiddie who ran their attack script with 'torsocks' today, but
some other attacker will knock your site over from a coffee shop or
open proxy tomorrow.

This core philosophy is the basis behind the abuse template set for
exit operators:
https://trac.torproject.org/projects/tor/wiki/doc/TorAbuseTemplates

This philosophy obviously puts us at odds with all the DNSRBL/honeypot
folks out there that believe that vigilante justice should be metered
out by threatening and spamming ISP abuse departments into pulling the
plug on "noisy" IP addresses, but we believe they are just wasting
their lives playing wack-a-mole. I guess if it makes them feel better,
that's great for them. Everybody deserves their Prozac. But they're
not really solving any real problems.

Fix the software. Don't fight brain damge with network damage.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20110824/ffae9795/attachment.pgp>

More information about the tor-dev mailing list