[tor-dev] Patch: Hidden service: use inbound bind-address based on circuit ID (effectively giving each circuit a temporarily-unique IP address)

Harry SeventyOne harry71 at bk.ru
Thu Mar 27 11:35:32 UTC 2014


I've written this (ugly, unconfigurable) patch for Tor which is designed to give hidden services more information about their users, by giving each inbound circuit its own temporary "IP address" in the 127.x range. This technique works on Linux (I've not tried it on anything else) and allows the application server to do some useful things which were previously difficult:

* Identify TCP connections coming from the same client within a short space of time, for example for diagnostic log analysis or identifying traffic trends
* Rate-limit operations coming from the same client, to defend against some types of DoS attacks
* Temporarily block abusive clients (at least, until they make a new Tor circuit)

More importantly, it can do this with an unmodified application server (e.g. web servers typically have these features built in) because it effectively "spoofs" the client ID as an IP address in the 127.x range.

The patch is currently not configurable (the feature can't be turned off). It only works with hidden services which are routed to "localhost". 

Request for comments. What do you think? 

Harry SeventyOne
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bindaddr.patch
Type: application/x-patch
Size: 5509 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20140327/b0bf25d3/attachment.bin>
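The bind-before-connect trick the patch relies on, shown as an added Python example rather than the patch's own C; this is not Harry's code. It assumes the 24 host bits of 127.0.0.0/8 on a Linux kernel that accepts binds to any 127/8 address, a deterministic (not collision-free) mapping from a 32-bit circuit ID, and a constructed local "application server" standing in for the real one:

```python
"""Per-circuit loopback source addresses (added example, not the patch itself).

Constructed demo: derive a 127.x.y.z address from a Tor circuit ID, bind the
outbound socket to it before connecting to the hidden service's local
application server, and confirm the server sees that address as the peer.
"""
import socket
import threading

LOOPBACK_NET = 0x7F000000        # 127.0.0.0/8
# Usable host values: 2 .. 2^24-2, skipping 127.0.0.0 (network address),
# 127.0.0.1 (the service's own address) and 127.255.255.255 (broadcast on lo).
USABLE_HOSTS = (1 << 24) - 3


def circuit_to_loopback(circ_id: int) -> str:
    """Map a (up to 32-bit) circuit ID onto a 127/8 address.

    Assumption of this example: 127/8 has only 24 host bits, so two circuits
    can map to the same address; the mapping is deterministic, not unique.
    """
    host = 2 + (circ_id % USABLE_HOSTS)
    return socket.inet_ntoa((LOOPBACK_NET | host).to_bytes(4, "big"))


def connect_as_circuit(circ_id: int, server_addr):
    """Open a client socket whose source address encodes circ_id.

    bind() must come before connect(); port 0 lets the kernel pick a port.
    """
    src = circuit_to_loopback(circ_id)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((src, 0))
    s.connect(server_addr)
    return s


def observed_peer_address(circ_id: int):
    """Run a throwaway 'application server' on 127.0.0.1, connect to it as
    circ_id, and return the peer address the server observed.

    Returns None when the kernel refuses to bind a non-127.0.0.1 loopback
    address (Linux accepts any 127/8 address; other platforms may not).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(5)
    seen = {}

    def accept_one():
        try:
            conn, peer = srv.accept()
        except OSError:
            return
        seen["peer"] = peer[0]      # what an unmodified server would log
        conn.close()

    t = threading.Thread(target=accept_one, daemon=True)
    t.start()
    try:
        c = connect_as_circuit(circ_id, srv.getsockname())
        c.close()
        t.join(timeout=5)
        return seen.get("peer")
    except OSError:
        return None
    finally:
        srv.close()


if __name__ == "__main__":
    for cid in (0, 1, 0x2A, 0xDEADBEEF):
        print(f"circuit {cid:#010x} -> {circuit_to_loopback(cid)}")
    print("server observed peer:", observed_peer_address(0x2A))
```

The server only ever sees the result of getpeername(), so per-IP log analysis, rate limiting and blocking in an unmodified web server key on the derived 127.x address automatically. Because the address is a function of the circuit, a block lasts exactly as long as the circuit does, which is the limitation the post already notes; the collision caveat above is an additional one for any mapping that squeezes a 32-bit ID into 24 bits.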
