[tor-dev] Defending against guard discovery attacks by pinning middle nodes
George Kadianakis
desnacked at riseup.net
Sat Sep 13 14:34:47 UTC 2014
Michael Rogers <michael at briarproject.org> writes:
> On 13/09/14 14:07, George Kadianakis wrote:
>> a) To reduce the ownage probabilities we could pick a single
>> middle node instead of 6. That will greatly improve guard
>> discovery probabilities, and make us look like this:
>>
>> HS -> guard -> middle -> <exit> -> RP (where <exit> is chosen from
>> the set of all relays)
>>
>> However, that will definitely degrade HS performance. I'm not sure
>> if Tor relays are able to handle all that concentrated HS traffic.
>> Specifically, the guards/middles that get picked by popular HSes
>> will get flooded with traffic that is never accounted for in Tor's
>> load balancing equations (since HS traffic is not counted) and they
>> will get hammered both by HS traffic and regular Tor traffic.
>
> Hi George,
>
> Could you explain what it means to say that HS traffic isn't counted
> in the load balancing equations? Why is that so, and can it be changed
> if that would allow a more secure HS design?
>
Hello Michael,

this is an area that I don't really understand so I might be totally
wrong, but Tor has the concept of bandwidth weights:
https://gitweb.torproject.org/torspec.git/blob/ebc5a935ee4aa0c123829706671a3f43da82f11f:/path-spec.txt#l207
where directory authorities calculate how much Guard/Middle/Exit
bandwidth is available, and then they specify some parameters that
clients use to load balance better. For example, if there is not much
Guard bandwidth, clients will be asked to use Guards mainly for Guard
purposes and not for Middle/Exit purposes.

Now that we have reduced the number of guard nodes to 1, there are
some HSes that receive lots of traffic and are hidden behind a single
guard. That guard is probably receiving/pushing quite some HS traffic
that is not really considered during client load balancing. So normal
clients will keep on pushing that node to become their guard, and at
the same time HS clients will push that node for HS traffic.

If we now pin both the guard and the middle (as discussed in my post),
now middle nodes that protect popular HSes will also get a surge of
HS traffic that is not accounted for by Tor's bandwidth weight load
balancing.

I might be wrong in all the above.
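The load-balancing effect described in the message above, as an added example that is not part of the original post and is not Tor's code: a simplified two-position model (guard and middle only, no exit) of position-dependent bandwidth weights. The relay names, bandwidths, weight values and traffic figures are all constructed for illustration.

```python
WEIGHT_SCALE = 10000  # consensus bandwidth weights are expressed out of 10000

# Constructed weights for a network where Guard bandwidth is scarce, so
# Guard-flagged relays are kept almost entirely for the guard position.
WEIGHTS = {
    ("guard", "G"): 10000,   # Wgg: Guard-flagged relay in the guard position
    ("guard", "M"): 0,       # Wgm: unflagged relay in the guard position
    ("middle", "G"): 1000,   # Wmg: Guard-flagged relay in the middle position
    ("middle", "M"): 10000,  # Wmm: unflagged relay in the middle position
}

# Constructed relays: name -> (flag class, consensus bandwidth)
RELAYS = {
    "guardA": ("G", 5000),
    "guardB": ("G", 5000),
    "midA": ("M", 8000),
    "midB": ("M", 2000),
}

def selection_probs(position):
    """Probability that an ordinary client picks each relay for `position`."""
    weighted = {name: bw * WEIGHTS[(position, cls)] / WEIGHT_SCALE
                for name, (cls, bw) in RELAYS.items()}
    total = sum(weighted.values())
    return {name: w / total for name, w in weighted.items()}

def expected_load(client_traffic, pinned_hs):
    """Expected traffic per relay.

    client_traffic: total ordinary client traffic; every circuit crosses one
                    guard and one middle chosen by the weighted probabilities.
    pinned_hs:      {relay: traffic} sent by hidden services pinned to that
                    relay. The weights never see this term.
    """
    guard_p = selection_probs("guard")
    middle_p = selection_probs("middle")
    load = {n: client_traffic * (guard_p[n] + middle_p[n]) for n in RELAYS}
    for relay, traffic in pinned_hs.items():
        load[relay] += traffic
    return load

def utilisation(load):
    """Load divided by consensus bandwidth; above 1.0 means overloaded."""
    return {n: load[n] / RELAYS[n][1] for n in RELAYS}

if __name__ == "__main__":
    for label, hs in (("clients only", {}),
                      ("pinned HS", {"guardA": 3000, "midB": 3000})):
        print(label, {n: round(u, 2) for n, u in
                      utilisation(expected_load(6000, hs)).items()})
```

In this model the selection probabilities are identical in both runs, so ordinary clients keep choosing the pinned relays at the same rate while the hidden-service traffic pushes them past their consensus bandwidth.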