[tor-dev] Proposal xxx: Filtering malicious rendezvous points at hidden service server side

Roger Dingledine arma at mit.edu
Sat Jan 23 22:10:16 UTC 2016

On Sat, Jan 23, 2016 at 11:38:00PM +0200, s7r wrote:
> The attacker is also a Sybil (holds an unknown % of the bandwidth in
> the Tor network). By making the hidden service server build many
> circuits to his evil rendezvous points, the attacker gets a high
> probability that the hidden service server will eventually pick his
> evil relays in a circuit, so the attacker will trivially perform a
> successful hidden service guard discovery attack or, with more luck,
> discover the real location of the hidden service server.

That 'more luck' would involve becoming the guard of the hidden
service, yes? I think at that point it doesn't matter whether
the attacker controls the rendezvous point.

> The hidden service server can only defend itself by building a 3 hop
> circuit to the rendezvous point, but in practice this is not always
> enough.

A few more details about "this is not always enough" would be helpful
here. In particular, is it not always enough because sometimes even 3
hops is not safe enough, or not always enough besides sometimes making
a 3-hop circuit isn't what the HS wants to do? Or something else?

> In simple words, we count and keep track of how many rendezvous
> circuits a hidden service server built and to which rendezvous points.
> Then, based on the weight (middle probability fraction) of each
> rendezvous point, we determine if one was insanely overpicked by
> clients.

A) Can I deny service to a hidden service by methodically pretending to
attack it from each honest relay, one at a time, causing it to become
upset at each of these relays?

B) Can I fool your reputation system by raising the total number of
rendezvous attempts that I attempt, in effect making the hidden service
feel more popular so it's not alarmed as much by any single rendezvous
point? I could imagine ways to launch a rendezvous attempt that are quite
cheap on the part of a client who has no plans to follow through.

> Even if accidentally (low chances) an innocent relay will be banned,
> this will be something local to the hidden service server. It won't
> affect that relay at all, nor how other client or hidden service
> servers treat that relay. It has nothing to do with the network wide
> consensus as well.
> A honest client will always retry with a different rendezvous point,
> so honest clients should not experience reachability issues.

Actually, I don't think this is client behavior right now. (It could
be if somebody changed the design of course.)


More information about the tor-dev mailing list