[tor-relays] cases where relay overload can be a false positive

Mike Perry mikeperry at torproject.org
Mon Feb 7 19:30:42 UTC 2022

On 1/23/22 5:28 PM, s7r wrote:
> Mike Perry wrote:
>> We need better DoS defenses generally :/
> Of course we need better defense, DoS is never actually fixed, no matter
> what we do. It's just an arms race the way I see it.

Well, I am extremely optimistic about 

Despite random internet hate on PoW, in the context of onion service DoS 
(which is our main cause of overall network DoS and actual overload), it 
looks very likely to be an effective option.

Prop325 describes how we can use PoW to build a system that auto-tunes 
itself such that only circuits with a sufficient level of PoW succeed. 
This means that we won't use PoW at all, unless it is needed (ie: only 
require the level of PoW needed to jump the queue of DoS requests, and 
advertise this level in the service descriptor).

In this way, an attack can be made considerably more expensive (and most 
importantly: less profitable) for an attacker, with the only effect that 
clients wait a bit longer to connect, to solve the PoW, and only while 
an attack is ongoing. If this system is effective enough, DoS-for-ransom 
attacks should vanish due to low profitability. And because the system 
auto-tunes, we should also no longer need PoW at all, after it is 
deployed, because of this deterrent effect. Win-win-win.

Jamie Harper did an implementation of this proposal:

David, asn, and I did a prelim code review of that branch, and while it 
needs more unit tests, and we need to reduce some of its external 
dependencies, it was of surprisingly high code quality. Unfortunately, 
Jamie graduated and moved on to other things.

> But if we reduce the consensus weight or assume at network level that 
> relay X should be used less because of a super tiny percent of dropped > circuits we could end up in wasting network resources on one side, and
> on the other side, maybe granting better probability chances for evil
> relays that we have not discovered yet to grab circuits. A consensus 
> parameter is of course appropriate here, maybe 20% is a big threshold
> and should be less, but right now even 0.1% is reported and treated as
> overload, IMO this is not acceptable.

I generally agree here. For this, I filed:

An important detail here is that ntor drops *are also* a form of that 
same kind of bias away from attacked relays, and toward evil relays.

If a relay is under such heavy DoS such that it is already dropping X% 
of ntors, it is *already* being forced to not carry X% of circuits. So, 
at minimum, it is reasonable to give it X% less traffic. However, this 
reduction must also be subject to the limits of not stripping the guard 
flag away just for overload/DoS, as I mentioned in my previous post.

At any rate, before we even consider using overload-general for relay 
weighting, we first need to transition the bwauths to use congestion 
control, and monitor how that system behaves wrt reducing overload, 
before we also try to add in overload-general. So it will be a while, 
and we will have time to thing about and analyze this stuff further.

Mike Perry

More information about the tor-relays mailing list