#33156: DoS subsystem should compare IPv6 /64
-------------------------+-------------------------------------------------
     Reporter:  teor     |      Owner:  (none)
         Type:  defect   |     Status:  new
     Priority:  Medium   |  Milestone:  Tor: unspecified
    Component:  Core     |    Version:
                Tor/Tor  |
     Severity:  Normal   |   Keywords:  security-?, tor-relay, tor-dirauth,
                         |              dos
Actual Points:           |  Parent ID:
       Points:  2        |   Reviewer:
      Sponsor:           |
-------------------------+-------------------------------------------------

s7r writes:
> Our internal DoS defense subsystem should also treat prefixes instead of
> addresses, because right now with a client with a /64 public IPv6 prefix
> assigned to it I could hammer via IPv6 guards without triggering the DoS
> defense.

https://lists.torproject.org/pipermail/tor-dev/2020-February/014144.html

We could make this change by:
 * only putting the first /64 of each IPv6 address in the filter list, and
 * only checking the first /64 of each new IPv6 connection

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33156>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
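
The two steps proposed in the ticket (store only the first /64 in the filter list, check only the first /64 of each new connection) reduce to one key-derivation function used on both paths. An added sketch in C, not Tor's DoS code: `client_key`, `client_key_from_str`, `note_connection` and the fixed-size table are hypothetical names and structures chosen for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CLIENTS 64 /* toy table size, assumed for this example */

/* Hypothetical tracking key, not a Tor structure. */
struct client_key { int family; uint8_t bytes[16]; };

/* Key = full IPv4 address, or first 64 bits of IPv6; -1 if unparsable. */
int client_key_from_str(const char *addr, struct client_key *out)
{
    struct in_addr v4; struct in6_addr v6;
    memset(out, 0, sizeof(*out));
    if (inet_pton(AF_INET, addr, &v4) == 1) {
        out->family = AF_INET;
        memcpy(out->bytes, &v4, 4);
    } else if (inet_pton(AF_INET6, addr, &v6) == 1) {
        out->family = AF_INET6;
        memcpy(out->bytes, v6.s6_addr, 8); /* bytes 8..15 stay zero */
    } else {
        return -1;
    }
    return 0;
}

static struct { struct client_key key; unsigned conns; } table[MAX_CLIENTS];
static int n_clients;

/* Count one new connection; returns the total for its key (0 = rejected). */
unsigned note_connection(const char *addr)
{
    struct client_key k;
    if (client_key_from_str(addr, &k) != 0) return 0;
    for (int i = 0; i < n_clients; i++)
        if (table[i].key.family == k.family &&
            memcmp(table[i].key.bytes, k.bytes, 16) == 0)
            return ++table[i].conns;
    if (n_clients == MAX_CLIENTS) return 0;
    table[n_clients].key = k;
    table[n_clients++].conns = 1;
    return 1;
}

int main(void)
{
    const char *a[] = {"2001:db8:1:2::1", "2001:db8:1:2:aaaa::9", "192.0.2.1"}; /* constructed */
    for (int i = 0; i < 3; i++) printf("%s -> %u\n", a[i], note_connection(a[i]));
    return 0;
}
```

Because insertion and lookup both go through `client_key_from_str`, two addresses from the same /64 accumulate against a single counter, while IPv4 addresses are still counted individually.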