#25226: Circuit cell queue can fill up memory
-------------------------------------------------+-------------------------
 Reporter:  dgoulet                              |          Owner:  dgoulet
     Type:  defect                               |         Status:
                                                 |  needs_review
 Priority:  Medium                               |      Milestone:  Tor:
                                                 |  0.3.3.x-final
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tor-cell, tor-relay, tor-dos,        |  Actual Points:
  033-must, review-group-34, security,           |
  033-triage-20180320, 033-included-20180320     |
Parent ID:                                       |         Points:
 Reviewer:  arma                                 |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by arma):

 Replying to [comment:21 dgoulet]:
 > As an attempt, see branch: `bug25226_033_01`.
 >
 > I think we still need to figure out possibly a better default value or
 at the very least a consensus parameter that makes sense.

 Big picture review: I think we should proceed with doing this feature,
 even though we can't really pick a low threshold yet.

 I see three benefits for putting this feature in:

 * We should pick a really high threshold for the consensus, like 50000
 cells or 100000 cells, which is essentially at the "oom attempt" level,
 and now we're killing circuits when they overload us a lot, without
 needing to wait until we're actually running out of memory, and without
 needing to have our reaction be a function of how much memory the relay
 has.

   I was originally going to say "I don't think there's any number where we
 should set this in the consensus right now on the main Tor network," but I
 think at the 50k or 100k cell mark, even if somebody is following the
 protocol, we could still kill the circuit "because fairness".

 * If things go to shit in the future and people start doing bad things to
 the network that we're not expecting right now, then this would be another
 available tool for letting relays defend themselves. Shipping it out now
 will mean it's in place if we decide we need it.

 * The test networks, where they know the client and website traffic
 behaviors, can set it to a much lower value, and use it for debugging when
 they hit the threshold.

 For that last one, there are really two things we want to understand here.
 First, what are the limits on acceptable behavior by "honest" users? That
 is, what is the threshold above which we say "no honest user would attempt
 that". And second, are there bugs or surprises in our current design that
 cause us to hit a higher threshold than we meant to? And it's that second
 one that a good network testing harness, plus this ticket, can discover.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25226#comment:27>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
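A worked illustration of the mechanism arma is reviewing above (a per-circuit cell queue cap driven by a consensus parameter, with a high main-network default and a lower value that a test network can set for debugging), added here as example code. It is not Tor's implementation and not the contents of the `bug25226_033_01` branch; the parameter name `circ_max_cell_queue_size`, its default/min/max bounds, the 514-byte packed-cell size and the minimal `circuit_t` layout are all assumptions made for this example.

```c
/* Added example, not Tor's own code: a per-circuit cell queue that is
 * capped by a consensus parameter, closing the circuit when the cap is
 * exceeded instead of waiting for an out-of-memory handler to react. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CELL_MAX_NETWORK_SIZE 514   /* assumed wire size of one packed cell */

/* One consensus parameter as a relay would see it after parsing. */
typedef struct {
  const char *name;
  long value;
} consensus_param_t;

/* Look up a parameter by name; fall back to dflt when it is absent and
 * clamp to [min,max] so a bad consensus value cannot disable the check. */
static long get_param(const consensus_param_t *params, size_t n,
                      const char *name, long dflt, long min, long max)
{
  for (size_t i = 0; i < n; i++) {
    if (strcmp(params[i].name, name) == 0) {
      long v = params[i].value;
      if (v < min) return min;
      if (v > max) return max;
      return v;
    }
  }
  return dflt;
}

/* Minimal stand-in for a circuit: only the queue length matters here. */
typedef struct {
  unsigned long circ_id;
  size_t n_cells;          /* cells currently queued on this circuit */
  int marked_for_close;
} circuit_t;

typedef enum { QUEUE_OK = 0, QUEUE_OVER_LIMIT = 1 } queue_result_t;

/* Append one cell. If the queue would grow past max_cells, mark the
 * circuit for close rather than letting the queue grow without bound. */
static queue_result_t circuit_queue_cell(circuit_t *circ, size_t max_cells)
{
  if (circ->marked_for_close)
    return QUEUE_OVER_LIMIT;
  if (circ->n_cells + 1 > max_cells) {
    circ->marked_for_close = 1;
    return QUEUE_OVER_LIMIT;
  }
  circ->n_cells++;
  return QUEUE_OK;
}

/* Bytes pinned by a queue of n_cells, so the cap can be reasoned about in
 * memory terms as well as cell counts (assumes 514 bytes per cell). */
static size_t queue_bytes(size_t n_cells)
{
  return n_cells * CELL_MAX_NETWORK_SIZE;
}

/* Feed `incoming` cells to a fresh circuit under a given cap and report
 * whether the circuit ended up marked for close (1) or not (0). */
static int simulate_flood(unsigned long circ_id, size_t incoming,
                          size_t max_cells)
{
  circuit_t circ = { circ_id, 0, 0 };
  for (size_t i = 0; i < incoming; i++) {
    if (circuit_queue_cell(&circ, max_cells) == QUEUE_OVER_LIMIT)
      break;
  }
  return circ.marked_for_close;
}

int main(void)
{
  /* Constructed consensus contents: a test network lowers the cap for
   * debugging; the main-network consensus does not set it at all. */
  const consensus_param_t testnet[] = { { "circ_max_cell_queue_size", 2000 } };
  const consensus_param_t mainnet[] = { { "some_other_param", 1 } };
  long cap_test = get_param(testnet, 1, "circ_max_cell_queue_size",
                            50000, 1000, 1000000);
  long cap_main = get_param(mainnet, 1, "circ_max_cell_queue_size",
                            50000, 1000, 1000000);

  printf("testnet cap %ld cells (~%zu MiB), mainnet cap %ld cells (~%zu MiB)\n",
         cap_test, queue_bytes((size_t)cap_test) / (1024 * 1024),
         cap_main, queue_bytes((size_t)cap_main) / (1024 * 1024));
  printf("5000-cell flood on testnet: killed=%d\n",
         simulate_flood(1, 5000, (size_t)cap_test));
  printf("5000-cell flood on mainnet: killed=%d\n",
         simulate_flood(2, 5000, (size_t)cap_main));
  return 0;
}
```

With the assumed 514-byte cell, a 50000-cell cap pins roughly 24.5 MiB per circuit before the circuit is closed, which is the sense in which a cap of that size sits at the "oom attempt" level rather than at a fairness level: an honest client is very unlikely to reach it, while a test network that knows its own traffic profile can drop the value far lower and treat every hit as something to investigate.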
