[tor-relays] max TCP interruption before Tor circuit teardown?

Gordon Morehouse gordon at morehouse.me
Sun Oct 20 17:44:39 UTC 2013 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dan Staples:
> 
> 
> On 10/20/2013 12:42 PM, Gordon Morehouse wrote:
>> If a tor relay has a circuit built through a peer, and the peer 
>> starts dropping 100% of packets, how long will it take before
>> the relay with the circuit "gives up" on the circuit and tears it
>> down? I want to set my temp ban time *below* this timeout.  Thus,
>> unlucky peers that were caught in the filter and have circuits
>> already built through the relay they will experience a brief
>> performance degradation, but they won't lose their active
>> circuits through the overloaded relay, and in the meantime
>> hopefully the overload condition is becoming resolved.
> 
> Might it be better to actually cause the connecting client to tear 
> down the circuit instead of degrading performance? If your relay
> is already being swamped by circuit-creation requests, it might be
> better to cause clients to build new circuits, hopefully not using
> your relay, no?


My reasoning here is that the Pi can push at least 2.5 Mbps of traffic
comfortably.  If a Pi-based relay gets the Stable flag, and peers
start building long-lived circuits through it (correct me if my
understanding is weak please, BTW), the traffic flowing through those
existing circuits isn't doing the most loading of the relay; it's the
SYNs/circuit creation requests, and thus, those are what I want to shed.

The issue is that a peer with circuits which already exist may send
some SYNs at the wrong time and get banned - I'd prefer to temporarily
degrade service than to force that peer to tear down the circuit,
because the circuit itself isn't causing much load.  The ban of a peer
with pre-existing circuits is collateral damage, essentially, and I'd
like to limit that.

Let's pretend (I have no idea) that Tor will give up after 90 sec if a
circuit's peer starts dropping all packets.  If I choose only to drop
packets for anyone caught in the short-term ban filter for 75 seconds,
that's probably a pretty strong signal to peers looking to build *new*
circuits to try elsewhere, but the peers with existing circuits will
be degraded for 75 seconds and then get to keep their active circuits.
 If the storm abates or even slows, they may not see this degradation
much at all.

I'm still waiting for another "storm" to test the 60 sec findtime / 90
sec bantime guesses that I made (and just pushed to my repo, BTW).
Every time my relay crashes due to a storm, it takes me that much
longer to get Stable back, and the storms are almost nonexistent until
you have the Stable flag in my observation.

Best,
- -Gordon M.

-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJSZBaGAAoJED/jpRoe7/ujx6UH/AytoSztsFBgbV4rB47wSnTo
oM0AyDa08jTWcwtnMVpaTVg0v57a6JdCMeA1HLi16XqRolor+WYpQBUL56nmxLge
yq4/jNJn7zDLUKJVtNY3mzWF8ZxdERqkHXFjsif6JlenCtLSpZarmNCO9YDGuror
ZbYlJYMAFxeZN/+OUh0ve1ANIXiU7uHXGNm9j3cgkAuWHZpRbN5os3GCxirTMxEi
A4T3JzIbj6QwFGs4QRf0yDqStRm43esTIT7MtQo5G++/d+NHO6LchTdQ+UWvIcXN
AY599l8izwCabRWtqWGqJ8FN6a87cKD3cN4IOZVQwNMNqT7CzHYs0hTQ5AOIclo=
=slcD
-----END PGP SIGNATURE-----

More information about the tor-relays mailing list