[tor-talk] Help setting up tor dos defense

s7r s7r at sky-ip.org
Tue Jan 7 13:38:46 UTC 2020

David Goulet wrote:
> Tor relays supporting the HS DoS defense (intro points) at this point in time
> are not in majority. Basically >= relays do support it which
> currently represents ~36% in bandwidth weight so roughly 1/3 of the network.
> If a service enables the defenses (like you did above), it will NOT
> specifically pick intro points supporting the defenses but will normally pick
> intro points as it did before and _if_ they happen to support the HS defenses
> (via protocol version "HSIntro=5"), then they are used. Yes, I agree, not
> ideal but there is a valid reason.
> This is in part to prevent partitionning onion services using the HS defenses
> to a specific set of relays (those who support it). Bottom line is: if the set
> of relays that can only be used by an onion service is reduced, attack surface
> gets bigger.
> As the relay in the network upgrades to latest stables, the network naturally
> move towards supporting these defenses in majority. This is another
> _extremely_ important reason why relay operators should stay up to date with
> their tor application so the network can be more agile in deploying defenses
> and improvements.

Sure - the best move to prevent onion services partitioning using this
HS defense. However, there is something unclear I'd like to understand.
From the manual:

**HiddenServiceEnableIntroDoSDefense** **0**|**1**::
Enable DoS defense at the intropoint level. When this is enabled, the
rate and burst parameter (see below) will be sent to the intro point
which will then use them to apply rate limiting for introduction request
to this service.

The introduction point honors the consensus parameters except if this is
specifically set by the service operator using this option. The service
never looks at the consensus parameters in order to enable or disable
this defense. (Default: 0)

So the service hosting the HS does not look at this consensus param.
Right now e do not have a consensus  param for this at all, but what
will happen if the directory authorities will vote this consensus param
as HiddenServiceEnableIntroDoSDefense 1? In this case, the introduction
points will see that, and use the default values of 25 introductions per
second with a burst of 200 / sec. In this case, if a HS operator wants
to _disable_ this protection totally, he should set
HiddenServiceEnableIntroDoSRatePerSec 0 which according to the manual:

"If this option is 0, it is considered infinite and thus if
**HiddenServiceEnableIntroDoSDefense** is set, it then effectively
disables the defenses."?

Or should he just set HiddenServiceEnableIntroDoSDefense 0, which is
already 0 by default for _services_?  (this is the confusing part).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20200107/71995071/attachment.sig>

More information about the tor-talk mailing list