[tor-dev] Fwd: Re: Onion Service - Intropoint DoS Defenses

George Kadianakis desnacked at riseup.net
Mon Jul 8 10:14:32 UTC 2019


juanjo <juanjo at avanix.es> writes:

> -------- Forwarded Message --------
> Subject: 	Re: [tor-dev] Onion Service - Intropoint DoS Defenses
> Date: 	Thu, 4 Jul 2019 20:38:48 +0200
> From: 	juanjo <juanjo at avanix.es>
> To: 	David Goulet <dgoulet at torproject.org>
>
>
>
> These experiments and final note confirm what I thought about this rate 
> limiting feature from the start: it is missing important parts. Ok, you 
> can protect the network a little and the HS, but the general 
> availability is not affected so it actually does not help for that.
>
> I wanna make a proposal including many things at the same time, but I 
> don't have much time to follow the guidelines to make an official 
> proposal. Maybe in some weeks?
>

Hello!

Ideally I would make one proposal for each of the things you care
about. Doing one huge proposal with all the things will make it less
likely for things to be done, since someone will disagree about one
small part of the proposal, and it will block the whole proposal
altogether.

> Again, I repeat: things that should be done now:
>
> -Authenticated rend signature. This would help a lot I think.
>

Current attacks do not spoof rendezvous points, they actually do make
the circuits, so I don't think that would help a whole lot. Still future
attacks might, so I agree this is worth doing (#25066 needs more
thinking and a proposal).

> -Mid-term: PoW for the client when reaching the 305prop limit instead of 
> denying access? IDK, all always configurable.
>

Plausible.

> -Deprecate clients or allow the Hidden Service to configure the IP to 
> allow access for old version clients (not supporting new antiDoS 
> features) or not. If we allow old version without protections, all 
> security measures are useless.
>

Plausible-ish.

> And just a new idea: what about making the rotation of IP dynamic based on 
> this prop305 values? + time based rotation:
> One of the goals for rotation was defending against correlation attacks: 
> if we set a lower limit we have a potential DoS (right now), if we set 
> it high we have a potential correlation attack, bigger surface.
> What about we join time based rotation (ex. 24 hours) + or limit reached 
> based on the prop305 values.
>

Please see #26294 which is about to be merged upstream and will remove
some more useless parameters from intro point rotation. After #26294,
intro points will only rotate based on time.

What is the correlation attack you are worrying about? And why do you
think that rotating more frequently will make it safer? Usually rotating
less frequently helps against attacks by ensuring that it's less likely
to cycle into bad nodes.

Cheers! :)

