[tor-dev] [PATCH] Defences against the recent hidden service DoS attacks

Yawning Angel yawning at schwanenlied.me
Thu May 21 15:22:08 UTC 2015


Some minor notes...

On Wed, 20 May 2015 20:03:38 +0100
George Kadianakis <desnacked at riseup.net> wrote:
> == Instructions ==
> Our patch is not in an official Tor release yet, so you will need to
> use an unofficial git branch:
>     https://trac.torproject.org/projects/tor/ticket/16052#comment:18

The configuration parameters are now in master (aka
It's likely that a 0.2.6.x backport will happen, but feedback would
play an instrumental part in ensuring that happens (either as a reply,
or by commenting on the trac ticket).

> Next, an operator who wants to deploy this experimental fix, should
> first figure out how many simultaneous TCP connections a normal client
> would establish. For example, an IRC server would probably not need
> more than 1 simultaneous connection per user. A web server, depending
> on the use, might need something between 6 to 12 (?) simultaneous
> connections.

Per discussion with the Tor Browser developers, I have been told that 6
is the correct number for http content, and that if there are any more
streams associated with a Tor Browser user accessing a site, it would
be a Tor Browser bug.

Other browsers/protocols may require a higher or lower limit.  A
warning is logged periodically (rate limited to avoid log spam/clutter)
if circuits exceed the limit, so adjusting the parameter should be
relatively straightforward.


Yawning Angel
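
Added example, not part of the original message or the project's own documentation: a torrc fragment applying the per-client stream counts discussed above (1 for IRC, 6 for HTTP via Tor Browser) with the HiddenServiceMaxStreams and HiddenServiceMaxStreamsCloseCircuit options from ticket 16052. The directory paths, ports and backend addresses are constructed for illustration.

```torrc
# Both options are per-service: they apply to the HiddenServiceDir
# that precedes them. HiddenServiceMaxStreams 0 (the default) means
# no limit.

# --- IRC service: a normal client needs one stream per circuit ---
# (constructed path and port)
HiddenServiceDir /var/lib/tor/hs_irc/
HiddenServicePort 6667 127.0.0.1:6667
HiddenServiceMaxStreams 1
# 0 = refuse streams over the limit but leave the circuit up
HiddenServiceMaxStreamsCloseCircuit 0

# --- Web service: 6 streams per circuit for Tor Browser clients ---
# (constructed path and port)
HiddenServiceDir /var/lib/tor/hs_web/
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceMaxStreams 6
# 1 = tear down the whole rendezvous circuit when the limit is exceeded
HiddenServiceMaxStreamsCloseCircuit 1
```

Start with HiddenServiceMaxStreamsCloseCircuit 0 and watch for the rate-limited warning mentioned above before switching a service to 1, since a limit set too low would then disconnect legitimate clients rather than just refusing their extra streams.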