[tor-relays] Exit relay operators please help test #2667 branch

Roger Dingledine arma at torproject.org
Fri Jan 29 02:21:25 UTC 2021


On Fri, Jan 29, 2021 at 12:34:28AM +0100, nusenu wrote:
> If dir auths (some or all) are willing to share (privately or publicly) the distribution of
> attack load (frequency, bandwidth, ...) by exit source IP in total or relative values
> I can correlate this data to strengthen a hypothesis that malicious/suspicious
> exits are involved to a greater extent than well-known long term exits.

I'll send you out-of-band a little snapshot of requests from relay
IP addresses -- 160k requests over a 24 minute period from yesterday
early evening.

At one point later in the evening I was getting several tens of millions
of requests per hour. That's when I started to realize that exit relay
operators were probably seeing this increased load too.

> That could mean that they are not (exclusively) attacking via but _from_ servers that also happen to
> run tor exits. 

Well, there are definitely other addresses -- the overload from last
week was non-relay addresses, and that's still going.

It's possible that there are exits that are generating more than their
"fair" share of requests. I didn't see that pattern obviously happening,
and confirming it would be complicated by the fact that some relays
probably have less or more congestion, which would cause the attacks to
be more efficient or less efficient through them.

We had a long debugging session in #tor-dev on irc last night, and there
will be more of those as we proceed. We've found a bunch of short-term
fragile distinguishers, which we could use to block the "bad" traffic
right now, but which wouldn't hold up if the bad traffic adapts a bit.

More broadly, we're trying to walk the fine line between doing our
analysis and patches in public (yay transparency), vs being aware
that whoever is doing this is probably reading these threads too. The
destination we want is that we have defenses that are robust to the
attacker knowing about them, but things will be a bit bumpy as we get
to that destination.

I'm also trying to make sure everybody continues to think about the
privacy side -- the directory authorities or fallbackdirs don't know
what paths clients build, or what destinations they reach with them,
but they can know at what timestamps some IP addresses seemed to be using
Tor. And like most things, that information is better private by default.

> From another angle this is an interesting precedence
> because the tor project uses its access to protect dir auths
> from exit relays. Why is that interesting? Because no one else
> that gets attacked via exit relays has that "luxury" to "filter"
> it at the "source" (exits).

Actually, the #2667 patch protects all relays from exit relays. That is,
exit relays will decline to exit to known ORPorts or DirPorts of any
relay. There are two benefits here: (a) people can't do circuit-level
amplification attacks (happy to elaborate on these once the defense is
more in place), and (b) people can't create directory requests which
blend with the directory requests that the relay itself does.

These two issues are Tor-specific, and the second one is an especially
good argument I think, because the relay is reserving for itself the
ability to make its dir connections in a way that the destination can
know that the relay is the one making the connection. (Another option
would be to add more authentication to the connection, but most ways of
doing that are heavier-weight, not lighter-weight.)

--Roger
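
The rule described in the message above (an exit declines to connect to any relay's known ORPort or DirPort), sketched as an added example that is not part of the original message and is not Tor's own code. It assumes the `r`/`a` line layout of a network-status consensus; the function names and the sample relays are hypothetical and constructed.

```python
import ipaddress

# Constructed sample in the consensus "r"/"a"/"s" line layout; nicknames,
# digests and addresses are made up (documentation address ranges).
SAMPLE_CONSENSUS = """\
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2021-01-28 18:00:00 192.0.2.10 9001 9030
a [2001:db8::10]:9001
s Fast Running Stable V2Dir Valid
r relayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2021-01-28 18:00:00 198.51.100.7 443 0
s Exit Fast Running Valid
"""


def relay_endpoints(consensus_text):
    """Collect every (ip, port) that is a listed ORPort or DirPort."""
    endpoints = set()
    for line in consensus_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "r" and len(fields) >= 8:
            # The last three fields are IP, ORPort, DirPort; indexing from the
            # end also covers the variant of the line without a digest field.
            ip = ipaddress.ip_address(fields[-3])
            for port in (int(fields[-2]), int(fields[-1])):
                if port:  # a DirPort of 0 means the relay has no DirPort
                    endpoints.add((ip, port))
        elif fields[0] == "a" and len(fields) == 2:
            # Additional address line, e.g. "[2001:db8::10]:9001"
            host, _, port = fields[1].rpartition(":")
            endpoints.add((ipaddress.ip_address(host.strip("[]")), int(port)))
    return endpoints


def exit_allowed(dest_ip, dest_port, endpoints):
    """Hypothetical policy check: refuse exit streams to a relay endpoint.

    Addresses are parsed first, so different spellings of the same IPv6
    address compare equal.
    """
    return (ipaddress.ip_address(dest_ip), dest_port) not in endpoints


if __name__ == "__main__":
    known = relay_endpoints(SAMPLE_CONSENSUS)
    for dest in [("192.0.2.10", 9030), ("192.0.2.10", 80), ("203.0.113.5", 443)]:
        print(dest, "allowed" if exit_allowed(*dest, known) else "refused")
```

The match is on the address and port pair, so other services hosted on a relay's IP address remain reachable through exits.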


