H Mon, 31 Mar 2014 12:38:01 -0400 от Nick Mathewson <[email protected]>: >On Thu, Mar 27, 2014 at 7:35 AM, Harry SeventyOne < [email protected] > wrote: >> Hi, >> >> I've written this (ugly, unconfigurable) patch for Tor which is designed to >> allow hidden services more information about their users, by giving each >> inbound circuit its own temporary "IP address" in the 127.x range. This >> technique works on Linux (I've not tried it on anything else) and allows the >> application server to do some useful things which were previously difficult: >> >> * Identify TCP connections coming from the same client, in a short space of >> time, for example, for diagnostic log analysis, identifying traffic trends >> * Rate-limit operations coming from the same client, to defend against some >> types of DoS attacks >> * Temporarily block abusive clients (at least, until they make a new Tor >> circuit) >> >> More importantly, it can do this with an unmodified application-server (e.g. >> web servers typically have these features built-in) because it effectively >> "spoofs" the client ID as an ip-address, in the 127.x range. >> >> The patch is currently not configurable (the feature can't be turned off). >> It only works with hidden services which are routed to "localhost". >> >> Request for comments. What do you think? > >Hi, Harry! > >I like the idea of this feature, though really only the first >application makes sense to me. (The other two seem like they'd just >move DoS from one part of the protocol stack to another.) Are there >other applications here, or ? I'm not completely sure what applications exist. >My experiments have shown that it's of some value in tracking clients, it >certainly makes it easier to interpret web server access-logs.
The DoS angle only works against certain types of DoS, including perhaps some unintended DoS - such as robots or mirroring software which hits the server too fast, and needs to be rate-limited. I can see that a lot of work would probably be requires to make it work for the trunk of Tor, including the IPv6 work. I'm not completely sure whether I could do that. I wonder if there is a better proxy for the "client temporary identity" than circuit-id, and where we can get it from (in Tor's internal data-structure)? Circuit IDs certainly do get reused, but in my experience, not very quickly on low-traffic sites. This makes the logs make more sense, certainly to humans and possibly to log-analysis software. >* It's better to do a patch like this against git master; Tor 0.2.4 is >not going to get any new features. But for users who want to try out the patch "right now", possibly on a production server, a patch against the stable release is more useful :) Thanks for your helpful comments! Harry
_______________________________________________ tor-dev mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
