[tor-relays] max TCP interruption before Tor circuit teardown?

Gordon Morehouse gordon at morehouse.me
Sun Oct 27 21:32:55 UTC 2013



krishna e bera:
> On 13-10-20 12:42 PM, Gordon Morehouse wrote:
>> First, during a SYN flood type overload, some peers which have
>> *existing* circuits built through the relay and are sending SYNs
>> as normal traffic, will stochastically get "caught" in the filter
>> and banned for a short time.  If these hosts already have
>> circuits open through the relay which is overloaded, I would
>> prefer to preserve those circuits rather than break them.  My
>> defensive strategy versus overload here is to throttle new
>> circuit creation requests, *not* to break existing circuits. ...
>> If a Tor relay has a circuit built through a peer, and the peer
>> starts dropping 100% of packets, how long will it take before the
>> relay with the circuit "gives up" on the circuit and tears it
>> down?  I want to set my temp ban time *below* this timeout.
>> Thus, unlucky peers that were caught in the filter and have
>> circuits already built through the relay will experience a
>> brief performance degradation, but they won't lose their active
>> circuits through the overloaded relay, and in the meantime
>> hopefully the overload condition is becoming resolved.
>> 
>> Is there such a timeout?  There must be.  Can someone tell me
>> what it is?
>> 
> 
> Would something like a conntrack-tools help? Maybe it provides
> more direct connection control than trying to game the timings.
> http://conntrack-tools.netfilter.org/

Probably would, though it might be faster to slink over to tor-dev and
ask, get a dev to notice in here (which is what I'm trying to do ;)),
or dig through the source code myself - I'm not a C programmer but I
can read it okay.

> Also, to what extent would/could the Tor network (or a small group
> of nodes) count as a "high availability cluster" for entry
> firewalling purposes?  Would clustering help protect against timing
> attacks on relays or hidden services?

You mean, if you have a circuit, sending some bytes of I/O over entry
node A, some over entry node B, etc?  Not quite sure what you're asking.

> (I lack expertise or resources to answer any of the above, but
> reading Gordon Morehouse's project got me searching and curious.)

I'm glad it's doing somebody some good, or taking up time that
could've been otherwise wasted on Buzzfeed or something ;) Not that
you'd do that. ;)

Best,
-Gordon M.


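The design goal in the quoted message (throttle new connection attempts under a SYN flood, never break circuits that are already up) can be modelled as rule ordering: match established flows first, then apply the temp ban and the rate limit only to NEW SYNs, and keep the ban shorter than the circuit teardown timeout. The following is an added example, not code from this thread or from Tor; it simulates that ordering over a constructed packet trace. The thresholds, the ban length, the addresses and the conntrack-style "NEW"/"ESTABLISHED" labels are all assumptions for the model, and the circuit timeout the thread asks about is not stated on the page, so BAN_SECONDS is a placeholder to be set below whatever that timeout turns out to be.

```python
from collections import deque

# Hypothetical parameters for the model (not Tor's or netfilter's defaults).
MAX_NEW_PER_WINDOW = 20   # aggregate NEW SYNs tolerated per window
WINDOW_SECONDS = 1.0
BAN_SECONDS = 10.0        # placeholder: must stay below the circuit teardown timeout


class SynFloodFilter:
    """Evaluates packets in rule order: established first, then ban, then rate limit."""

    def __init__(self, max_new=MAX_NEW_PER_WINDOW, window=WINDOW_SECONDS,
                 ban_seconds=BAN_SECONDS):
        self.max_new = max_new
        self.window = window
        self.ban_seconds = ban_seconds
        self.recent = deque()   # timestamps of NEW SYNs accepted within the window
        self.banned = {}        # src -> time at which the temp ban expires

    def verdict(self, t, src, ctstate):
        # Rule 1: packets on an existing connection always pass, banned source or not.
        # This is what keeps already-built circuits alive during the overload.
        if ctstate == "ESTABLISHED":
            return "ACCEPT"
        # Rule 2: NEW connection attempts from a temp-banned source are dropped.
        expiry = self.banned.get(src)
        if expiry is not None:
            if t < expiry:
                return "DROP"
            del self.banned[src]   # ban has expired
        # Rule 3: aggregate rate limit on NEW SYNs; the source whose SYN
        # overflows the budget is banned, which is how a legitimate peer can
        # get "caught" mid-flood.
        while self.recent and t - self.recent[0] > self.window:
            self.recent.popleft()
        if len(self.recent) >= self.max_new:
            self.banned[src] = t + self.ban_seconds
            return "DROP"
        self.recent.append(t)
        return "ACCEPT"


def run(events):
    """events: iterable of (t, src, ctstate). Returns (t, src, ctstate, verdict) in time order."""
    f = SynFloodFilter()
    ordered = sorted(events, key=lambda e: e[0])   # stable: ties keep insertion order
    return [(t, src, st, f.verdict(t, src, st)) for (t, src, st) in ordered]


def constructed_events():
    """Constructed sample trace: one flooder plus one peer with a live circuit."""
    ev = []
    # Flooder: 60 NEW SYNs in the first 0.6 s.
    for i in range(60):
        ev.append((i * 0.01, "198.51.100.7", "NEW"))
    # Peer with an existing circuit: traffic on that circuit every 0.5 s for 15 s.
    for i in range(30):
        ev.append((i * 0.5, "203.0.113.5", "ESTABLISHED"))
    # The same peer opens one new connection mid-flood (it gets caught) ...
    ev.append((0.35, "203.0.113.5", "NEW"))
    # ... and tries again after the temp ban has expired.
    ev.append((12.0, "203.0.113.5", "NEW"))
    return ev


def summarize(results):
    """Counts established packets dropped (should be 0) and the peer's NEW verdicts."""
    dropped_established = sum(1 for r in results
                              if r[2] == "ESTABLISHED" and r[3] == "DROP")
    peer_new = [r[3] for r in results if r[1] == "203.0.113.5" and r[2] == "NEW"]
    flooder = [r[3] for r in results if r[1] == "198.51.100.7"]
    return {"dropped_established": dropped_established,
            "peer_new_verdicts": peer_new,
            "flooder_accepted": flooder.count("ACCEPT")}


if __name__ == "__main__":
    print(summarize(run(constructed_events())))
```

Run as a script it prints the summary: no packet on the peer's established circuit is ever dropped even while that peer is temp-banned, the peer's mid-flood SYN is dropped and its later one accepted once the ban lapses, and only the first twenty flood SYNs get through. Moving rule 1 below rule 2 is the mistake the quoted message is trying to avoid: the banned peer's circuit traffic would then be dropped for BAN_SECONDS, and the circuit survives only if that is shorter than the relay's teardown timeout.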

