[tor-onions] DDoS, Single Onion Services and IP Addresses

Roger Dingledine arma at mit.edu
Fri Feb 2 04:48:34 UTC 2018


On Fri, Feb 02, 2018 at 02:23:24PM +1100, teor wrote:
> For IP addresses with 3 or more connections to a single guard, the guard imposes
> a limit of 1 circuit every 3 seconds, with a 90 circuit burst allowance.

3 circuits every 1 seconds, actually. Think of it like a token bucket
with a size of 90 circuits and a refill rate of 3 per second.

> If it happens, and if they build more than 90 circuits to the same relay,
> the defence will trigger. Then both instances will try another relay.

I think Tor clients who have all their create cells responded to with
destroy cells won't abandon that relay. That is, getting a destroy cell in
response to a create cell is not an indication that the relay is broken,
so it won't convince us to stop trying that one.

That "feature" is actually part of the calculus here, since we want to
think very carefully about how our choices shape the behavior of the
millions of enthusiastic high-bandwidth Tor clients that are overwhelming
the network.

> > Because the circuit-creation limit is applied at the guard, wouldn't this affect hidden services instead of single onion services?
> 
> It will only trigger if hundreds of guard-using clients are behind a single IP address.

I expect a popular onion service that doesn't use guards and that runs
many Tor instances on the same IP address will trigger the defense
often: because it doesn't use guards, each new circuit it builds in
response to a rendezvous request will pick an entry point at random,
and if some of the conversations with clients last for a while, then
outgoing connections will accumulate, eventually reaching the threshold
for each relay to decide that that address is being unfair.

--Roger
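A token-bucket model of the per-address limit discussed in this thread, added here as an example and not Tor's own code: a bucket of 90 circuits refilling at 3 circuits per second, enforced only once an address holds 3 or more connections to the relay. It also shows the difference between the two readings above (3 per second versus 1 every 3 seconds) one second after a burst. The address, timings and CREATE counts are constructed for illustration.

```python
"""Token-bucket model of the per-address circuit-creation limit from the
thread: bucket of 90 circuits, refilling at 3 circuits per second, enforced
only once an address holds 3 or more connections to the relay.

Added example; this is not Tor's own code, and the address and timings
below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class AddressState:
    connections: int      # open connections from this address to the relay
    tokens: float         # circuits the address may still create right now
    last_refill: float    # time of the last bucket refill (seconds)


class CircuitCreationLimiter:
    def __init__(self, min_connections=3, burst=90, rate=3.0):
        self.min_connections = min_connections
        self.burst = burst
        self.rate = rate          # tokens added per second
        self.addrs = {}

    def _state(self, addr):
        if addr not in self.addrs:
            self.addrs[addr] = AddressState(0, float(self.burst), 0.0)
        return self.addrs[addr]

    def connection_opened(self, addr):
        self._state(addr).connections += 1

    def connection_closed(self, addr):
        st = self._state(addr)
        st.connections = max(0, st.connections - 1)

    def create_cell(self, addr, now):
        """Return True if a CREATE from addr at time `now` is accepted, or
        False if the relay would answer it with a DESTROY."""
        st = self._state(addr)
        elapsed = now - st.last_refill
        if elapsed > 0:
            st.tokens = min(float(self.burst), st.tokens + elapsed * self.rate)
            st.last_refill = now
        if st.connections < self.min_connections:
            return True               # below the connection threshold: never limited
        if st.tokens >= 1.0:
            st.tokens -= 1.0
            return True
        return False


def run_burst(rate, n_connections=3, burst_size=100):
    """One address with n_connections open sends burst_size CREATEs at t=0
    and 5 more at t=1. Returns (accepted at t=0, accepted at t=1)."""
    lim = CircuitCreationLimiter(rate=rate)
    addr = "198.51.100.7"             # constructed documentation address
    for _ in range(n_connections):
        lim.connection_opened(addr)
    at_t0 = sum(lim.create_cell(addr, 0.0) for _ in range(burst_size))
    at_t1 = sum(lim.create_cell(addr, 1.0) for _ in range(5))
    return at_t0, at_t1


if __name__ == "__main__":
    # 3 connections, refill 3/s: 90 of 100 accepted, then 3 more one second later
    print("3 per second:   ", run_burst(rate=3.0))
    # the "1 every 3 seconds" reading would accept nothing at t=1
    print("1 per 3 seconds:", run_burst(rate=1.0 / 3.0))
    # below the threshold the bucket is never consulted
    print("2 connections:  ", run_burst(rate=3.0, n_connections=2))
```

The rejected CREATEs in this model are the ones a real relay would answer with a DESTROY; as the reply above notes, a client receiving those does not treat the relay as broken, so a multi-instance service on one address keeps retrying the same relay until the bucket refills.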
