[tor-dev] Constraining Ephemeral Service Creation in Tor
bancfc at openmailbox.org
Thu Sep 29 20:28:36 UTC 2016
On 2016-09-29 08:38, teor wrote:
>> On 28 Sep 2016, at 07:59, bancfc at openmailbox.org wrote:
>>
>> Hello, we are working on supporting ephemeral onion services in Whonix
>> and one of the concerns brought up is how an attacker can potentially
>> exhaust resources like RAM, CPU, entropy... on the Gateway (or system
>> in the case of TAILS) by requesting an arbitrary number of services
>> and ports to be created.
>>
>> In our opinion, options in core Tor for setting a maximum number of
>> services and ports per service seem the right way to go about it.
>> Also rate limiting the requests (like you do with NEWNYM) would be a
>> sensible thing to do.
>>
>> What are your opinions about this?
>
> I think this would be much better implemented in a control port filter.
> There are several existing control port filters.
> Do they have this feature?
None of them do.
>
> Alternately, you should limit resources to the tor process using OS
> facilities. If you set an open file limit, this will constrain the
> number of hidden services.
> If it doesn't, or tor behaves badly when adding a hidden service with
> few file descriptors, file a bug against tor.
Thanks for the tip.
>
> T
>
> --
> Tim Wilson-Brown (teor)
>
> teor2345 at gmail dot com
> PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
> ricochet:ekmygaiu4rzgsk6n
> xmpp: teor at torproject dot org
>
> _______________________________________________
> tor-dev mailing list
> tor-dev at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
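The two mechanisms discussed in this thread, a cap on the number of services and on ports per service plus NEWNYM-style rate limiting, enforced in a control port filter rather than in core Tor, as an added example that is not part of the original thread and not code from any existing filter: a Python policy object that a filter sitting between a client and Tor's control port would consult before forwarding each command. The limit values, the ServiceIDs and the replayed session are constructed for the example; the ADD_ONION / DEL_ONION command shape and the `250-ServiceID=` reply line follow the Tor control protocol. Forwarding, sockets and authentication are assumed to be handled by the surrounding filter and are not shown.

```python
import re
import time
from collections import deque

# Constructed limits for the example; a deployment would tune them.
MAX_SERVICES = 5           # concurrently active onion services per client
MAX_PORTS_PER_SERVICE = 4  # Port= arguments allowed in one ADD_ONION
RATE_LIMIT_COUNT = 3       # at most this many accepted ADD_ONIONs ...
RATE_LIMIT_WINDOW = 60.0   # ... per this many seconds (sliding window)

# Matches "Port=VIRTPORT" or "Port=VIRTPORT,TARGET" as used by ADD_ONION.
_PORT_ARG = re.compile(r"^Port=(\d{1,5})(?:,(\S+))?$")


class AddOnionPolicy:
    """Decides whether a control-port filter may forward an ADD_ONION or
    DEL_ONION command. Rejected commands never reach Tor, so Tor allocates
    nothing (no keys, no descriptors, no file descriptors) for them."""

    def __init__(self, max_services=MAX_SERVICES, max_ports=MAX_PORTS_PER_SERVICE,
                 rate_count=RATE_LIMIT_COUNT, rate_window=RATE_LIMIT_WINDOW):
        self.max_services = max_services
        self.max_ports = max_ports
        self.rate_count = rate_count
        self.rate_window = rate_window
        self.active = set()    # ServiceIDs Tor has confirmed for this client
        self.recent = deque()  # timestamps of accepted ADD_ONION commands

    def check_command(self, line, now=None):
        """Return (allowed, reason) for one raw control-port command line."""
        now = time.monotonic() if now is None else now
        parts = line.strip().split()
        if not parts:
            return True, "empty line"
        verb = parts[0].upper()
        if verb == "ADD_ONION":
            return self._check_add_onion(parts[1:], now)
        if verb == "DEL_ONION":
            # Simplification: assume Tor accepts the deletion, so the slot
            # is freed as soon as the command is forwarded.
            if len(parts) == 2:
                self.active.discard(parts[1])
            return True, "DEL_ONION forwarded (frees a service slot)"
        return True, "not an onion-service command"

    def _check_add_onion(self, args, now):
        # 1. Service cap: refuse before Tor does any work.
        if len(self.active) >= self.max_services:
            return False, f"service limit reached ({self.max_services})"
        # 2. Port cap: count and sanity-check the Port= arguments.
        ports = []
        for arg in args:
            m = _PORT_ARG.match(arg)
            if m:
                vport = int(m.group(1))
                if not 1 <= vport <= 65535:
                    return False, f"invalid virtual port {vport}"
                ports.append(vport)
        if not ports:
            return False, "ADD_ONION requires at least one Port= argument"
        if len(ports) > self.max_ports:
            return False, f"too many ports ({len(ports)} > {self.max_ports})"
        # 3. Rate limit: drop timestamps outside the window, then count.
        while self.recent and now - self.recent[0] > self.rate_window:
            self.recent.popleft()
        if len(self.recent) >= self.rate_count:
            return False, (f"rate limit: {self.rate_count} ADD_ONION "
                           f"per {self.rate_window:.0f}s")
        self.recent.append(now)
        return True, "ok"

    def note_reply(self, line):
        """Feed Tor's reply lines through so the policy learns ServiceIDs."""
        m = re.match(r"^250-ServiceID=(\S+)", line.strip())
        if m:
            self.active.add(m.group(1))


def demo():
    """Replay a constructed session; returns the list of (allowed, reason)."""
    p = AddOnionPolicy(max_services=2, max_ports=2, rate_count=3, rate_window=60)
    out = []
    out.append(p.check_command("ADD_ONION NEW:BEST Port=80,127.0.0.1:8080", now=0))
    p.note_reply("250-ServiceID=constructedservice1")   # constructed reply
    out.append(p.check_command("ADD_ONION NEW:BEST Port=80 Port=443 Port=22", now=1))
    out.append(p.check_command("ADD_ONION NEW:BEST Port=443", now=2))
    p.note_reply("250-ServiceID=constructedservice2")
    out.append(p.check_command("ADD_ONION NEW:BEST Port=22", now=3))   # cap hit
    out.append(p.check_command("DEL_ONION constructedservice1", now=4))
    out.append(p.check_command("ADD_ONION NEW:BEST Port=22", now=5))   # slot freed
    out.append(p.check_command("ADD_ONION NEW:BEST Port=25", now=6))   # rate hit
    return out


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

Only accepted ADD_ONIONs consume rate budget, and the service count is taken from Tor's own `250-ServiceID=` replies rather than from the filter's guess, so a client cannot inflate or deflate it by sending malformed commands. The per-client counters complement, rather than replace, an OS-level open-file limit on the tor process as suggested above: the filter fails a request cleanly before Tor sees it, while the ulimit is the backstop if the filter is bypassed.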