[tor-dev] Rate limiting of a hidden service

Evan d'Entremont evan at evandentremont.com
Wed Sep 30 16:15:15 UTC 2015


I developed a scheme to rate limit hidden services using proof-of-work:

https://gist.github.com/evandentremont/a3ad12a5cc3a924dae34

The server sends a semi-prime to the client, which then factors it. The
client submits the factored primes back with the next request. The 'rate'
can be throttled by sending a larger or smaller semiprime. The client has
to spend time factoring that number, and the request can simply be dropped
if the factored primes aren't correct. It would be effective to hinder
brute force attacks on a login screen at the very least.

Running as a script on the page isn't ideal as a lot of people disable
JavaScript. There's always the option for a fallback where you calculate
the primes yourself and submit them, but I feel like it would be better
implemented as part of Tor itself.

Just throwing this out there for thoughts / feedback / opinions on
rate-limiting hidden services.
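
The exchange described in the message above, sketched as an added example (not code from the post or the linked gist). The HMAC-bound challenge, the expiry window, the replay set and all function names are assumptions of this sketch, and the prime sizes are toy values chosen so it runs quickly.

```python
import hashlib, hmac, math, secrets, time

KEY = secrets.token_bytes(32)  # server-side secret (constructed for this example)
TTL = 60                       # seconds a challenge stays valid (assumed value)
_spent = set()                 # tags already redeemed; prune by expiry in real use

def _random_prime(bits):
    """Random odd prime of exactly `bits` bits (trial division, toy sizes only)."""
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if all(c % d for d in range(3, math.isqrt(c) + 1, 2)):
            return c

def _tag(n, expires):
    # Binds the semiprime to its expiry so the server keeps no per-client state.
    return hmac.new(KEY, f"{n}:{expires}".encode(), hashlib.sha256).hexdigest()

def issue_challenge(bits, now=None):
    """Server: send a semiprime; a larger `bits` throttles the client harder."""
    now = time.time() if now is None else now
    n = _random_prime(bits) * _random_prime(bits)
    expires = int(now) + TTL
    return {"n": n, "expires": expires, "tag": _tag(n, expires)}

def solve(n):
    """Client: factor the (odd) semiprime by trial division; this is the work."""
    p = 3
    while n % p:
        p += 2
    return p, n // p

def verify(ch, p, q, now=None):
    """Server: one multiplication and one HMAC decide whether to drop the request."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(ch["tag"], _tag(ch["n"], ch["expires"])):
        return False  # challenge was not issued by this server, or was altered
    if now > ch["expires"] or ch["tag"] in _spent:
        return False  # stale, or the same solution is being replayed
    if p <= 1 or q <= 1 or p * q != ch["n"]:
        return False  # wrong factors, including the trivial 1 * n
    _spent.add(ch["tag"])
    return True

if __name__ == "__main__":
    ch = issue_challenge(16)
    print(verify(ch, *solve(ch["n"])))
```

Verification costs the server far less than factoring costs the client, which is the asymmetry the scheme relies on.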