[tor-relays] DoS attacks on multiple relays

teor teor2345 at gmail.com
Fri Dec 8 21:25:55 UTC 2017


> On 9 Dec 2017, at 03:35, x9p <tor at x9p.org> wrote:
> 
> Hidden Service operators, and private guards operators protecting your
> Hidden Services, if you believe it is better safe than sorry, I strongly
> advise on blocking the above IP addresses in your firewall, while they are
> not pulled out of the network.

There's no evidence these guards are malicious. They might just be run
by an operator who doesn't know to set ContactInfo and MyFamily.
(And MyFamily is irrelevant for relays in a /16, anyway.)

We are working on vanguards in 0.3.3 to address onion service guard
discovery issues like this. That way, we change the entire network so
onion services are safer. Changing just a few makes them stick out.

By "private guards" do you mean "bridges"?
That would be a very bad idea: it would make the bridge and its onion
services stand out within minutes or hours on the network, because
each circuit gets a different middle node, and the nodes would not
be evenly distributed.

If you block guards on an onion service, it will look different, but that
might be unnoticeable for a few months. (More precisely, it's safe in
proportion to the guard rotation period, divided by the number of related
onion services blocking those guards, divided by the consensus weight
fraction of blocked guards. We don't expect that people will do this
calculation themselves, which is why we say "don't do that".)

But we really don't recommend people block guards or set EntryNodes
on an onion service. It's quite risky long-term.

T



