#24902: Denial of Service mitigation subsystem
----------------------------------------------+----------------------------
 Reporter:  dgoulet                           |          Owner:  dgoulet
     Type:  enhancement                       |         Status:  accepted
 Priority:  Medium                            |      Milestone:  Tor:
                                              |  0.3.3.x-final
Component:  Core Tor/Tor                      |        Version:
 Severity:  Normal                            |     Resolution:
 Keywords:  ddos, tor-relay, review-group-30  |  Actual Points:
Parent ID:                                    |         Points:
 Reviewer:                                    |        Sponsor:
----------------------------------------------+----------------------------
Changes (by dgoulet):
 * status:  needs_revision => accepted

Comment:

 Moving this back to "accepted" since a lot will change after IRC
 discussions. The new and hopefully simpler design is now this:

 1. Have a circuit token bucket per IP which is refilled with some value at
    some rate defined by consensus parameters. Remove a token from the bucket
    every time a CREATE is seen. If the bucket goes down to 0, activate the
    defense if the number of concurrent connections is above a certain
    threshold defined by a consensus parameter.

 2. Detect a high number of connections per IP and start closing connections
    for that IP if it reaches too high a threshold, as specified by a
    consensus parameter.

 3. Add a torrc option and/or consensus parameter to refuse client
    connections with ESTABLISH_RENDEZVOUS, or in other words, an anti-tor2web
    option at the relay. These have been observed to be quite problematic, as
    people are running hundreds (if not thousands) of tor2web clients scanning
    the onion space. As collateral damage, it is loading relays with
    connections for rendezvous circuits. We could easily integrate that option
    with a certain threshold of parallel connections, like "if I see 10 conn
    on that IP doing RDV, block".

 I'm working on the new code for this.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24902#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
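The three mitigations sketched in the comment above, modelled per IP in C as an added example that is not Tor's code and not part of the ticket. Every constant is an assumed stand-in for the consensus parameters the comment mentions (only the "10 conn on that IP doing RDV" figure comes from the comment), the rule that the defense lifts once the bucket has refilled completely is an assumption the ticket does not make, the function and type names are hypothetical, and the traffic scenarios are constructed:

```c
/* Added example, not Tor's code: a per-IP model of the three mitigations the
 * comment describes. Every constant is a made-up stand-in for a consensus
 * parameter; only the "10 connections doing RDV" figure is from the comment. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CC_BUCKET_SIZE       10u   /* circuit tokens per IP when full (assumed) */
#define CC_REFILL_PER_SEC     2u   /* tokens credited per second (assumed) */
#define CC_MIN_CONCURRENT     3u   /* defense arms only at/above this many conns (assumed) */
#define CONN_MAX_PER_IP      16u   /* connections beyond this are closed (assumed) */
#define RDV_MAX_CONN_PER_IP  10u   /* the "10 conn on that IP doing RDV" figure */

typedef struct {                /* one entry per client IP (keyed by a hash table in practice) */
    uint32_t concurrent_conns;  /* open OR connections from this IP */
    uint32_t rdv_conns;         /* connections that sent ESTABLISH_RENDEZVOUS */
    uint32_t circ_tokens;       /* token bucket drained by CREATE cells */
    uint64_t last_refill_sec;   /* time of the last refill, in seconds */
    bool     defense_active;    /* while set, CREATEs from this IP are refused */
} ip_state_t;

void ip_state_init(ip_state_t *s, uint64_t now) {
    s->concurrent_conns = s->rdv_conns = 0;
    s->circ_tokens = CC_BUCKET_SIZE;
    s->last_refill_sec = now;
    s->defense_active = false;
}

/* Credit tokens for elapsed time, capped at the bucket size. Assumption: the
 * ticket does not say when the defense lifts; here it lifts once the bucket is full. */
static void refill(ip_state_t *s, uint64_t now) {
    if (now <= s->last_refill_sec) return;
    uint64_t credit = (now - s->last_refill_sec) * CC_REFILL_PER_SEC;
    s->circ_tokens = credit >= CC_BUCKET_SIZE - s->circ_tokens
                   ? CC_BUCKET_SIZE : s->circ_tokens + (uint32_t)credit;
    s->last_refill_sec = now;
    if (s->circ_tokens == CC_BUCKET_SIZE) s->defense_active = false;
}

/* Mitigation 2: new connection from this IP; false means "close it". */
bool on_new_connection(ip_state_t *s) {
    if (s->concurrent_conns >= CONN_MAX_PER_IP) return false;
    s->concurrent_conns++;
    return true;
}

/* Mitigation 1: CREATE cell seen; false means the circuit is refused. Because of
 * the concurrency threshold an IP with few connections is never blocked, however
 * fast it sends CREATEs. The CREATE that empties the bucket still passes; the
 * ones after it are refused until the bucket has refilled. */
bool on_create_cell(ip_state_t *s, uint64_t now) {
    refill(s, now);
    if (s->defense_active) return false;
    if (s->circ_tokens > 0) s->circ_tokens--;
    if (s->circ_tokens == 0 && s->concurrent_conns >= CC_MIN_CONCURRENT)
        s->defense_active = true;
    return true;
}

/* Mitigation 3: ESTABLISH_RENDEZVOUS seen; refuse once too many connections
 * from this IP are doing rendezvous (the anti-tor2web rule). */
bool on_establish_rendezvous(ip_state_t *s) {
    if (s->rdv_conns >= RDV_MAX_CONN_PER_IP) return false;
    s->rdv_conns++;
    return true;
}

/* Constructed scenario: 5 connections flood 14 CREATEs at t=0, then retry at
 * t=2 and t=5. Returns how many CREATEs were refused. */
int scenario_flooder(void) {
    ip_state_t s; int refused = 0;
    ip_state_init(&s, 0);
    for (int i = 0; i < 5; i++) on_new_connection(&s);
    for (int i = 0; i < 14; i++) refused += !on_create_cell(&s, 0); /* 10 pass, 4 refused */
    refused += !on_create_cell(&s, 2);  /* 4 tokens credited, defense still on */
    refused += !on_create_cell(&s, 5);  /* bucket full again: defense lifted, passes */
    return refused;
}

/* Constructed scenario: a single connection sends 20 CREATEs; returns refusals. */
int scenario_single_connection(void) {
    ip_state_t s; int refused = 0;
    ip_state_init(&s, 0);
    on_new_connection(&s);
    for (int i = 0; i < 20; i++) refused += !on_create_cell(&s, 0);
    return refused;
}

/* Constructed scenario: 20 connections attempted, each accepted one then sends
 * ESTABLISH_RENDEZVOUS. Returns accepted_conns * 100 + accepted_rendezvous. */
int scenario_tor2web_scanner(void) {
    ip_state_t s; int conns = 0, rdv = 0;
    ip_state_init(&s, 0);
    for (int i = 0; i < 20; i++) conns += on_new_connection(&s);
    for (int i = 0; i < conns; i++) rdv += on_establish_rendezvous(&s);
    return conns * 100 + rdv;
}

int main(void) {
    printf("flooder: %d CREATEs refused\n", scenario_flooder());
    printf("single connection: %d CREATEs refused\n", scenario_single_connection());
    printf("tor2web scanner: conns*100+rdv = %d\n", scenario_tor2web_scanner());
    return 0;
}
```

The single-connection scenario is the one to watch: it drains the bucket just as fast as the flooder, but with one connection it stays below the concurrency threshold, so none of its CREATEs are refused; that is what distinguishes design point 1 from a plain per-IP circuit rate limit.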