[tor-dev] Patch: Hidden service: use inbound bind-address based on circuit ID (effectively giving each circuit a temporarily-unique IP address)

Harry SeventyOne harry71 at bk.ru
Mon Mar 31 18:45:14 UTC 2014



Mon, 31 Mar 2014 12:38:01 -0400 from Nick Mathewson <nickm at alum.mit.edu>:
>On Thu, Mar 27, 2014 at 7:35 AM, Harry SeventyOne < harry71 at bk.ru > wrote:
>> Hi,
>>
>> I've written this (ugly, unconfigurable) patch for Tor which is designed to
>> allow hidden services more information about their users, by giving each
>> inbound circuit its own temporary "IP address" in the 127.x range. This
>> technique works on Linux (I've not tried it on anything else) and allows the
>> application server to do some useful things which were previously difficult:
>>
>> * Identify TCP connections coming from the same client, in a short space of
>> time, for example, for diagnostic log analysis, identifying traffic trends
>> * Rate-limit operations coming from the same client, to defend against some
>> types of DoS attacks
>> * Temporarily block abusive clients (at least, until they make a new Tor
>> circuit)
>>
>> More importantly, it can do this with an unmodified application-server (e.g.
>> web servers typically have these features built-in) because it effectively
>> "spoofs" the client ID as an ip-address, in the 127.x range.
>>
>> The patch is currently not configurable (the feature can't be turned off).
>> It only works with hidden services which are routed to "localhost".
>>
>> Request for comments. What do you think?
>
>Hi, Harry!
>
>I like the idea of this feature, though really only the first
>application makes sense to me.  (The other two seem like they'd just
>move DoS from one part of the protocol stack to another.)  Are there
>other applications here, or ?

I'm not completely sure what applications exist. My experiments have shown that it's of some value in tracking clients, it certainly makes it easier to interpret web server access-logs.

The DoS angle only works against certain types of DoS, including perhaps some unintended DoS - such as robots or mirroring software which hits the server too fast, and needs to be rate-limited.

I can see that a lot of work would probably be required to make it work for the trunk of Tor, including the IPv6 work. I'm not completely sure whether I could do that.

I wonder if there is a better proxy for the "client temporary identity" than circuit-id, and where we can get it from (in Tor's internal data-structure)?

Circuit IDs certainly do get reused, but in my experience, not very quickly on low-traffic sites. This makes the logs make more sense, certainly to humans and possibly to log-analysis software.

>* It's better to do a patch like this against git master; Tor 0.2.4 is
>not going to get any new features.
But for users who want to try out the patch "right now", possibly on a production server, a patch against the stable release is more useful :)

Thanks for your helpful comments!

Harry
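
The technique discussed in this thread, as an added example that is not the patch itself or Tor code: a circuit ID is folded into a 127.x source address, and the outgoing socket is bound to it before connecting to the localhost service. The function names and the mapping (low 24 bits of the ID as the host part) are assumptions made for illustration; the patch's own scheme is not shown in the thread.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Assumed mapping: keep the 127/8 prefix and use the low 24 bits of the
 * circuit ID as the host part. The network (127.0.0.0) and broadcast
 * (127.255.255.255) addresses are skipped and fall back to 127.0.0.1.
 * Returns the address in host byte order. */
uint32_t circ_id_to_loopback(uint32_t circ_id)
{
    uint32_t host = circ_id & 0x00FFFFFFu;
    if (host == 0 || host == 0x00FFFFFFu)
        host = 1;
    return 0x7F000000u | host;
}

/* Dotted-quad form, as it would appear in the application server's log. */
const char *loopback_str(uint32_t circ_id, char buf[INET_ADDRSTRLEN])
{
    struct in_addr a;
    a.s_addr = htonl(circ_id_to_loopback(circ_id));
    return inet_ntop(AF_INET, &a, buf, INET_ADDRSTRLEN);
}

/* Connect to the service on 127.0.0.1:service_port with the per-circuit
 * address as source. Relies on Linux routing all of 127.0.0.0/8 to the
 * loopback interface. Returns a connected fd, or -1 on failure. */
int connect_from_circuit(uint32_t circ_id, uint16_t service_port)
{
    struct sockaddr_in src, dst;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&src, 0, sizeof src);
    src.sin_family = AF_INET;
    src.sin_addr.s_addr = htonl(circ_id_to_loopback(circ_id));
    src.sin_port = 0; /* kernel picks an ephemeral source port */
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    dst.sin_port = htons(service_port);
    if (bind(fd, (struct sockaddr *)&src, sizeof src) < 0 ||
        connect(fd, (struct sockaddr *)&dst, sizeof dst) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}
```

The application server then sees the peer as 127.x.y.z and can apply its existing per-address logging, rate limits or blocks. Because circuit IDs are reused, as noted above, any state keyed on these addresses should expire rather than be kept indefinitely.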