[tor-relays] max TCP interruption before Tor circuit teardown?

Sun Oct 27 19:29:33 UTC 2013

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

David Serrano:
[snip]
> On 2013-10-20 09:42:01 (-0700), Gordon Morehouse wrote:
>> 
>> First, during a SYN flood type overload, some peers which have 
>> *existing* circuits built through the relay and are sending SYNs
>> as normal traffic, will stochastically get "caught" in the filter
>> and banned for a short time.  If these hosts already have
>> circuits open through the relay which is overloaded, I would
>> prefer to preserve those circuits rather than break them.  My
>> defensive strategy versus overload here is to throttle new
>> circuit creation requests, *not* to break existing circuits.
>> 
>> So here's the $64,000 question:
>> 
>> If a tor relay has a circuit built through a peer, and the peer
>> starts dropping 100% of packets, how long will it take before the
>> relay with the circuit "gives up" on the circuit and tears it
>> down?  I want to set my temp ban time *below* this timeout.
>> Thus, unlucky peers that were caught in the filter and have
>> circuits already built through the relay they will experience a
>> brief performance degradation, but they won't lose their active
>> circuits through the overloaded relay, and in the meantime
>> hopefully the overload condition is becoming resolved.
> 
> I can think of two approaches to your problem:

I've implemented these and I'd really love for anyone who's great at
iptables to sanity-check my rules[1] because I am an iptables relative
noob.

I'm also quite happy to report that my Raspberry Pi node weathered a
pretty intense SYN flood (20-30 SYNs per sec, I'm going to post a log
deconstruction of the event with graphs if possible) with the old
rules.  It didn't weather it *well*, specifically fail2ban got bogged
down and stopped working after a while while chewing up half the
available CPU cycles, but the node survived without crashing.

There are stories on the Pivotal project tracker[2] for The Cipollini
Project[3] regarding these problems - I luckily happened to catch the
SYN flood ("circuit creation storm") event just as it really got
started and was able to observe it in real time.

1. http://v.gd/1TV9mz (link to file on github)

2. https://www.pivotaltracker.com/s/projects/917796

3. https://github.com/gordon-morehouse/cipollini

Best,
- -Gordon M.

-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJSbWmcAAoJED/jpRoe7/ujvboH/RHEqHP/JRI8T5UNphT9Xvmh
KtYZvsNGRbveSBCNbPZSCyoGo6nh29grIOvSaAIaU0F2q2NRyZLrWjgnmIVlRiNi
J8QK0fDbguzhhici5bmRX5DtaQcC/Uq8UX3x1uNYxTQ3z70OAomLB+qlc1OzGreo
+3tyLb9vSAY/5s84KD2j/dBlwGF6AJ9ZuQyN5Pj+O4Z1IlCACEfQKhEPKDEg8PEV
WURXHxkbJWQHBbzMN5ls4qFoOU/iqOOtEagpXWrV4fhL737GSqb+owQEtV2TaN+X
HNluIj+B4UY45ScmuBk52QDAGKWNLhYFS3RuCraCX4DCCkMtVk2dTtbzIO5xI9U=
=q1Oo
-----END PGP SIGNATURE-----