[tor-bugs] #16052 [Tor]: Hidden service socket exhaustion by opening many connections
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed May 20 12:55:15 UTC 2015
#16052: Hidden service socket exhaustion by opening many connections
------------------------+------------------------------------------
Reporter: asn | Owner:
Type: defect | Status: new
Priority: normal | Milestone: Tor: 0.2.7.x-final
Component: Tor | Version:
Resolution: | Keywords: tor-hs dos SponsorR SponsorU
Actual Points: | Parent ID:
Points: |
------------------------+------------------------------------------
Comment (by asn):
OK, I tried to reproduce the attack. The naive attack of sending 10k
`RELAY_BEGIN` cells on a single circuit seems to overwhelm Tor for a few
seconds, and it gets worse depending on the underlying application. I
imagine that with a web server, the whole system will be overwhelmed.
Then, I did a bit of testing with Yawning's branch. With the naive attack,
it seems that Yawning's branch works as intended (ignores superfluous
`RELAY_BEGIN` cells) but it doesn't stop the DoS. That is, the whole
system still goes at 100% CPU just because of cell processing (I think).
If we change Yawning's patch to tear down the circuit after the max number
of streams have been encountered, then it seems to work better.
We discussed making this behavior more configurable by having two
switches:
`HiddenServiceMaxStreams`: The maximum number of simultaneous streams on
an HS circuit.
`HiddenServiceMaxStreamsCloseCircuit`: If set, then when
`HiddenServiceMaxStreams` is triggered, we close the respective circuit.
If not set, we just ignore requests for superfluous streams. (Default:
off)
(The positive thing of not killing the circuit above is that the circuit
will recover once the number of streams goes below the threshold.)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16052#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
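The two proposed knobs, modelled as an added example that is not Tor's code and uses no Tor API: a per-circuit stream counter consulted on every `RELAY_BEGIN`, with `HiddenServiceMaxStreams` as the cap and `HiddenServiceMaxStreamsCloseCircuit` choosing between ignoring superfluous BEGINs (circuit recovers as streams end) and tearing the circuit down. All type and function names are assumptions.

```c
/* Constructed model of the proposed HS stream limits; not Tor's implementation. */
#include <stdbool.h>
#include <stddef.h>

typedef enum { BEGIN_ACCEPTED, BEGIN_IGNORED, CIRCUIT_CLOSED } begin_result_t;

typedef struct {
    unsigned max_streams;          /* HiddenServiceMaxStreams (0 = unlimited) */
    bool close_circuit_on_limit;   /* HiddenServiceMaxStreamsCloseCircuit */
} hs_stream_policy_t;

typedef struct {
    unsigned n_streams;            /* streams currently open on this HS circuit */
    bool closed;                   /* set once the circuit has been torn down */
} hs_circuit_t;

/* Invoked for each RELAY_BEGIN arriving on a rendezvous circuit. */
begin_result_t hs_circuit_handle_begin(hs_circuit_t *circ, const hs_stream_policy_t *pol) {
    if (circ->closed)
        return CIRCUIT_CLOSED;     /* nothing further is processed on a closed circuit */
    if (pol->max_streams != 0 && circ->n_streams >= pol->max_streams) {
        if (pol->close_circuit_on_limit) {
            circ->closed = true;   /* stop paying the cell-processing cost entirely */
            return CIRCUIT_CLOSED;
        }
        return BEGIN_IGNORED;      /* keep the circuit; drop only the superfluous BEGIN */
    }
    circ->n_streams++;
    return BEGIN_ACCEPTED;
}

/* Invoked when a stream on the circuit ends; lets an ignore-mode circuit recover. */
void hs_circuit_stream_closed(hs_circuit_t *circ) {
    if (circ->n_streams > 0)
        circ->n_streams--;
}

/* Feed n_begins BEGIN cells to a fresh circuit under pol; return how many were accepted. */
unsigned simulate_burst(unsigned n_begins, const hs_stream_policy_t *pol, hs_circuit_t *circ) {
    unsigned accepted = 0;
    circ->n_streams = 0;
    circ->closed = false;
    for (unsigned i = 0; i < n_begins; i++)
        if (hs_circuit_handle_begin(circ, pol) == BEGIN_ACCEPTED)
            accepted++;
    return accepted;
}
```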