how many connections are legitimate to a DirPort?

Roger Dingledine arma at mit.edu
Thu Jan 17 06:34:48 UTC 2008


On Wed, Jan 16, 2008 at 08:18:28PM -0600, Scott Bennett wrote:
>      How many simultaneous connections from a tor client to a directory
> mirror's DirPort are legitimate?  Is more than a single such connection
> necessary, and if so, why?

Here are three cases where it occurs legitimately:

a) Sometimes there are multiple Tor clients natted behind a single
IP address.

b) Since Squid doesn't like URLs >= 4096 bytes, and you never know where a
transparent squid proxy will pop up, Tor limits each directory request to
96 descriptors. So it's possible that a Tor client that's just starting
up will want more than 96 descriptors from you, in which case it will
use multiple (parallel) connections.

c) If a Tor client has a connection, but it's going slowly, and not long
after it learns that it wants to fetch some more descriptors (say it gets
a new networkstatus consensus, or some other directory request fails),
and it picks you for the next fetch.

I'll let you know if I think of others. But these are some already. :)

You could make the case that we should queue requests for a given relay
so we only ask them one at a time. Maybe one day we'll fix the code so
it does that more reliably; but that's not on the list for 0.2.0.x.

I'm not sure what is causing the DirPort DoSes that some people have been
seeing. More details (e.g. what they're asking for) would be helpful in
tracking those down.

Hope that helps,
--Roger
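A worked illustration of case (b) above, added here as an example and not part of the original mail or of Tor's own code: it builds the batched descriptor-fetch URLs a freshly started client would send, shows that a full 96-digest batch stays under the 4096-byte Squid URL limit, and counts how many parallel DirPort connections a given number of wanted descriptors implies. The request path (`/tor/server/d/`), the 40-hex-character digest length and the sample digests are assumptions made for the example.

```python
"""Why a fresh Tor client may open several DirPort connections at once.

The mail states that each directory request is capped at 96 descriptors so
the request URL stays below Squid's 4096-byte URL limit. This script batches
a set of descriptor digests into such requests and derives the number of
parallel connections a client with N wanted descriptors would open.
"""
import hashlib
import math

MAX_DESCRIPTORS_PER_REQUEST = 96   # limit stated in the mail
SQUID_URL_LIMIT = 4096             # URL size Squid rejects, stated in the mail
URL_PREFIX = "/tor/server/d/"      # assumed request path (dir-spec style)
DIGEST_HEX_LEN = 40                # assumed: hex SHA-1 descriptor digest


def constructed_digests(n):
    """Constructed sample digests (not real relays): SHA-1 of a counter."""
    return [hashlib.sha1(f"sample-relay-{i}".encode()).hexdigest()
            for i in range(n)]


def batch_digests(digests, batch_size=MAX_DESCRIPTORS_PER_REQUEST):
    """Split wanted digests into request-sized batches, in order."""
    return [digests[i:i + batch_size]
            for i in range(0, len(digests), batch_size)]


def build_request_urls(digests):
    """One request URL per batch; digests are joined with '+'.

    Raises if any URL would reach the Squid limit, which with the
    assumed digest length cannot happen at 96 per batch.
    """
    urls = []
    for batch in batch_digests(digests):
        url = URL_PREFIX + "+".join(batch)
        if len(url) >= SQUID_URL_LIMIT:
            raise ValueError(f"URL of {len(url)} bytes would upset Squid")
        urls.append(url)
    return urls


def max_url_length():
    """Longest URL a full batch produces: prefix + digests + separators."""
    return (len(URL_PREFIX)
            + MAX_DESCRIPTORS_PER_REQUEST * DIGEST_HEX_LEN
            + (MAX_DESCRIPTORS_PER_REQUEST - 1))


def expected_parallel_connections(num_descriptors):
    """Connections a client needs if it fetches all batches in parallel."""
    return math.ceil(num_descriptors / MAX_DESCRIPTORS_PER_REQUEST)


if __name__ == "__main__":
    wanted = constructed_digests(250)
    urls = build_request_urls(wanted)
    print(f"{len(wanted)} descriptors -> {len(urls)} requests "
          f"(max URL length {max(len(u) for u in urls)} bytes, "
          f"worst case {max_url_length()} < {SQUID_URL_LIMIT})")
```

For a DirPort operator this gives a quick sanity check before calling a burst of connections a DoS: a single client that wants a few hundred descriptors will legitimately show up as a handful of simultaneous connections from one address, and several clients behind one NAT multiply that.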



More information about the tor-talk mailing list