#25226: Circuit cell queue can fill up memory
-------------------------------------------------+-------------------------
 Reporter:  dgoulet                              |          Owner:  dgoulet
     Type:  defect                               |         Status:  needs_review
 Priority:  Medium                               |      Milestone:  Tor: 0.3.3.x-final
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tor-cell, tor-relay, tor-dos,        |  Actual Points:
  033-must, review-group-34, security,           |
  033-triage-20180320, 033-included-20180320     |
Parent ID:                                       |         Points:
 Reviewer:  arma                                 |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by arma):

 Replying to [comment:21 dgoulet]:
 > As an attempt, see branch: `bug25226_033_01`.
 >
 > I think we still need to figure out possibly a better default value or
 > at the very least a consensus parameter that makes sense.

 Big picture review:

 I think we should proceed with doing this feature, even though we can't
 really pick a low threshold yet. I see three benefits for putting this
 feature in:

 * We should pick a really high threshold for the consensus, like 50000
   cells or 100000 cells, which is essentially at the "oom attempt" level,
   and now we're killing circuits when they overload us a lot, without
   needing to wait until we're actually running out of memory, and without
   needing to have our reaction be a function of how much memory the relay
   has. I was originally going to say "I don't think there's any number
   where we should set this in the consensus right now on the main Tor
   network," but I think at the 50k or 100k cell mark, even if somebody is
   following the protocol, we could still kill the circuit "because
   fairness".

 * If things go to shit in the future and people start doing bad things to
   the network that we're not expecting right now, then this would be
   another available tool for letting relays defend themselves. Shipping it
   out now will mean it's in place if we decide we need it.

 * The test networks, where they know the client and website traffic
   behaviors, can set it to a much lower value, and use it for debugging
   when they hit the threshold.

 For that last one, there are really two things we want to understand here.
 First, what are the limits on acceptable behavior by "honest" users? That
 is, what is the threshold above which we say "no honest user would attempt
 that". And second, are there bugs or surprises in our current design that
 cause us to hit a higher threshold than we meant to? And it's that second
 one that a good network testing harness, plus this ticket, can discover.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25226#comment:27>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
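
A per-circuit queue cap of the kind discussed in the comment above, as an added example that is not code from the ticket, the `bug25226_033_01` branch, or Tor itself. All names (`circ_t`, `circ_queue_cell`, `replay_trace`) are hypothetical and the trace is constructed; it is replayed under a low test-network limit and under the 50000 and 100000 cell values mentioned in the comment.

```c
#include <stdint.h>
#include <stdio.h>
/* Hypothetical sketch: none of these names are Tor's real structures or API. */
typedef struct {
    uint32_t queued;       /* cells currently waiting on this circuit */
    uint32_t high_water;   /* largest queue length seen (debugging aid) */
    int marked_for_close;  /* set once the circuit hit the limit */
} circ_t;

/* Queue one cell. Returns 0 on success, -1 if the circuit is (now) closed.
 * The decision depends only on max_cells, not on how much RAM the relay has. */
static int circ_queue_cell(circ_t *c, uint32_t max_cells) {
    if (c->marked_for_close) return -1;
    if (c->queued >= max_cells) {
        c->marked_for_close = 1;
        c->queued = 0;     /* queued cells are released with the circuit */
        return -1;
    }
    if (++c->queued > c->high_water) c->high_water = c->queued;
    return 0;
}

/* Replay a trace: positive entry = cells arriving, negative = cells flushed.
 * Returns the index of the step that closed the circuit, or -1 if it survived. */
static int replay_trace(const int32_t *trace, size_t len, uint32_t max_cells, circ_t *out) {
    circ_t c = {0, 0, 0};
    int killed_at = -1;
    for (size_t i = 0; i < len && killed_at < 0; i++) {
        uint32_t n = (uint32_t)(trace[i] < 0 ? -trace[i] : trace[i]);
        if (trace[i] < 0)
            c.queued = n > c.queued ? 0 : c.queued - n;
        for (uint32_t k = 0; trace[i] > 0 && k < n && killed_at < 0; k++)
            if (circ_queue_cell(&c, max_cells) < 0) killed_at = (int)i;
    }
    *out = c;
    return killed_at;
}

/* Constructed sample: two ordinary bursts, then a 60000-cell flood. */
static const int32_t SAMPLE_TRACE[] = { 800, -500, 900, -1000, 60000, -60000 };
#define SAMPLE_LEN (sizeof SAMPLE_TRACE / sizeof SAMPLE_TRACE[0])

int main(void) {
    const uint32_t limits[] = { 1000, 50000, 100000 };
    for (size_t i = 0; i < 3; i++) {
        circ_t c;
        int step = replay_trace(SAMPLE_TRACE, SAMPLE_LEN, limits[i], &c);
        printf("limit=%u closed_at=%d high_water=%u\n", (unsigned)limits[i], step, (unsigned)c.high_water);
    }
    return 0;
}
```

With the low limit the circuit is closed during the second ordinary burst, which is the debugging signal a test network would look for; with the 50000 limit only the flood closes it.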