[tor-dev] On picking Introduction Points in Next Generation Hidden Services

George Kadianakis desnacked at riseup.net
Tue Aug 12 11:05:49 UTC 2014 

One missing piece of rend-spec-ng.txt [0] is a section on how HSes
should pick their Introduction Points (IPs). There are three main
questions here:
- How many IPs should an HS have?
- Which relays can be IPs?
- What's the lifetime of an IP?

==Introduction Points attacks==

  Before exploring these questions it's a good idea to state a rough
  threat model for IPs. First, let's get a visual taste, here is how
  IPs work in the current HS protocol:
  https://people.torproject.org/~asn/hs/ip_placement_currently.jpg
  (number of IPs reduced to 2 to make it more readable)
  
  As you can see, IPs are in a good position to conduct any of the
  following attacks:
  
  a) IPs can count the number of introductions for a subset of clients
     (i.e. in the figure above, IP_1 would be able to count
     introductions from the clients above it). Since clients pick IPs
     uniformly at random, it's not hard to extrapolate from that to the
     total number of introductions.
  
  b) IPs have presense information about the HS. That is, they know
     whether the HS is up or down at a given time since they have a
     long-term stable circuit to it.
  
     FWIW, regular clients also have this ability by continuously
     "pinging" the HS and noticing when it's down.
  
  And, of course, an attacker who controls all the IPs of an HS can
  trivially DoS the HS (till the HS refreshes its IPs).
  
  Furthermore, as part of the Next Generation HSes initiative [0], we
  are considering enhancing the availability of HSes by allowing
  multiple nodes per Hidden Service. A plausible idea for achieving that
  is to allow multiple IP circuits per Introduction Point, as explained
  in [tor-dev] by Christopher Baines [1]. This means that IPs would work
  like this:
  https://people.torproject.org/~asn/hs/ip_placement_scaling.jpg
  where HS_1, HS_2 and HS_3 are the various nodes of the HS.
  
  This allows the IPs to launch the following attacks:
  
  a) IPs can learn the number of nodes of an HS, by counting the number
     of IP circuits on them. Also, the IPs can learn the prsense of the
     nodes of an HS, by looking at the state of their circuit.
  
  b) IPs can choose which HS node will receive traffic.

==How many IPs should an HS have?==

  Now let's investigate how many IPs an HS should have.
  
  The current situation is that HSes attempt to estimate their own
  popularity [2], and then they launch a number of IPs between 3 and 10
  depending on how popular they think they are. FWIW, we don't really
  understand whether the formula works properly [3].
  
  There are a few options for the future here:
  
  a) Fix the formula and keep number of IPs dynamic based on the
     popularity of the HS.
  
     This is not a bad idea. However, we should make sure that from the
     number of IPs you can't easily derive the number of clients of the
     HS. Also we should make sure that the formula works properly.
  
  b) Have a static amount of IPs per HS. For example '5' of them.

     I'm not sure what kind of calculations we need to do to find the
     right constant here (same for the (a) option).
  
  c) Have a static amount of IPs per HS, but also allow this to be
     configurable by the HS operator.
  
     The idea here is that popular HSes can pump up the number of IPs
     to make the service more reachable. It's worth noting that HSes
     who do so will stand out as manually configured; not sure if any
     other partition attacks can happen here. Also, there is also the
     danger of all HS operators thinking they are special and pumping
     the number of IPs to 42.
  
  Generally, we want to have a healthy amount of IPs (so that they
  don't get DoSed, and that requests get load balanced nicely), but
  also not too many because every HS having many IP circuits will put
  a load to the network (especially with services like Torchat where
  each client is an HS), and also because we want to avoid too many
  nodes becoming our IPs over time (more on this below).

==Which relays can be IPs?==

  This seems to be the easiest question here and Tor is currently
  handling it well by only restricting IPs to be Stable nodes [4].
  
  This means that with the current network, we have about 4000 possible
  IPs to choose from [5].
  
  This makes sense since we want to maximize the set of possible IPs,
  but we also want them to be stable to decrease their natural churn.

==What's the lifetime of an IP?==

  Another hard question: How long should we keep IPs for?
  
  Currently, Tor keeps IPs for a random time between 18 to 24 hours [6].
  
  This seems like too short of a period if we actually want to protect
  against adversarial nodes ever becoming our IPs: Consider an HS with
  5 IPs that rotates them every 24 hours, in only two months it will
  use 300 nodes as IPs plus the natural churn (which is not negligible
  at all).
  
  With that in mind we need to look at all the possible attacks that
  IPs could launch and decide whether they should be short-lived or
  long-lived. For example, waldo in a related thread [7] [8] asks for
  short-lived IPs, but recent entry guard research has shown that making
  guards more long-lived is actually beneficial for security [9].
  
  I'm personally leaning towards more long-lived IPs but I still don't
  know what our constants should be. I could see anything from a week,
  to a month, to 5 months as reasonable IP lifetimes.
  
  We also need to look at INTRO_POINT_LIFETIME_INTRODUCTIONS, since
  apparently in the current code, IPs will expire on their own if they
  perform more than 16384 introductions.

==Conclusion==

  I hope that this thread serves as a good start on discussing
  Introduction Point security. After we take some decisions, we will
  need to write them down as a proposal and incorporate them in
  rend-spec-ng.txt.
  
  Also, this thread does not explore other IP matters, like how many HS
  nodes should correspond to each IP if we go ahead with the scaling
  ideas [10]. I decided to not include this in the discussion, so that we
  keep it simple and also so that we don't focus on a particular scaling
  scheme.

References:

[0]: https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/224-rend-spec-ng.txt

[1]: https://lists.torproject.org/pipermail/tor-dev/2014-April/006788.html

[2]: https://gitweb.torproject.org/tor.git/blob/ab3d5c049032651a9c9164262f9a8f81de9709d4:/src/or/rendservice.c#l1001

[3]: https://trac.torproject.org/projects/tor/ticket/8950

[4]: https://gitweb.torproject.org/tor.git/blob/bb68c731b897a967a4b7eb138728fa077617646e:/src/or/rendservice.c#l3173

[5]: https://metrics.torproject.org/network.html#relayflags

[6]: https://gitweb.torproject.org/tor.git/blob/bb68c731b897a967a4b7eb138728fa077617646e:/src/or/rendservice.c#l2998
     https://gitweb.torproject.org/tor.git/blob/bb68c731b897a967a4b7eb138728fa077617646e:/src/or/or.h#l4794

[7]: https://lists.torproject.org/pipermail/tor-dev/2014-May/006815.html

[8]: waldo also mentions an IP guard discovery attack in another reply of his:
     https://lists.torproject.org/pipermail/tor-dev/2014-May/006843.html

     However, I'm not sure if it's actually doable, since I think that
     HSes will discard an IP that has failed a circuit. We need to
     look into this more seriously.
     
[9]: https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-parameters

[10]:https://lists.torproject.org/pipermail/tor-dev/2013-October/005615.html
     https://lists.torproject.org/pipermail/tor-dev/2013-October/005683.html

More information about the tor-dev mailing list