[tor-bugs] #24902 [Core Tor/Tor]: Denial of Service mitigation subsystem
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jan 23 10:14:49 UTC 2018
#24902: Denial of Service mitigation subsystem
-------------------------------------------------+-------------------------
Reporter: dgoulet                                | Owner: dgoulet
Type: enhancement                                | Status: needs_review
Priority: Very High                              | Milestone: Tor: 0.3.3.x-final
Component: Core Tor/Tor                          | Version:
Severity: Normal                                 | Resolution:
Keywords: ddos, tor-relay, review-group-30,      | Actual Points:
  029-backport, 031-backport, 032-backport       |
Parent ID:                                       | Points:
Reviewer:                                        | Sponsor:
-------------------------------------------------+-------------------------
Comment (by arma):
Replying to [comment:24 teor]:
> * ignore ESTABLISH_RENDEZVOUS cells (min 15s)
>
> I think we should send back CREATED, and ignore the
> ESTABLISH_RENDEZVOUS, because that gets us a guaranteed minimum 15 second
> timeout.
Agreed. That's what I've been doing on my hacked-up relay:
{{{
@@ -249,6 +251,14 @@ rend_mid_establish_rendezvous(or_circuit_t *circ,
const uint8_t *request,
goto err;
}
+ if (channel_is_client(circ->p_chan)) {
+ log_info(LD_REND,
+ "DEFENSE: dropped ESTABLISH_RENDEZVOUS on circuit %u, prev IP %s",
+ (unsigned)circ->p_circ_id,
+ channel_get_actual_remote_descr(circ->p_chan));
+ return 0; // quietly drop it, and let it time out
+ }
+
/* Acknowledge the request. */
if (relay_send_command_from_edge(0,TO_CIRCUIT(circ),
RELAY_COMMAND_RENDEZVOUS_ESTABLISHED,
}}}
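Review bot: the `channel_get_actual_remote_descr(circ->p_chan)` argument in the new log_info() call writes the previous hop's real address to the relay log, and because the branch only fires when `channel_is_client(circ->p_chan)` is true, that means client IP addresses land in the log at info level on every dropped cell; for anything beyond a throwaway test relay, drop the address from the message or pass it through the usual `safe_str_client()` scrubbing before this goes up for merge. Two smaller points on the same hunk: the condition drops every ESTABLISH_RENDEZVOUS that arrives over a client channel, with no counter or threshold, so a short comment should record the assumption that legitimate rendezvous circuits reach the rendezvous point through a relay hop and only direct (one-hop) clients hit this branch; and `// quietly drop it, and let it time out` should be a `/* ... */` comment to match the surrounding code.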
and I think it's a good choice here too.
> We could increase the cbtmintimeout consensus parameter to a really high
> value. (Which seemed to work well on my relays.) But the client's timeout
> would only stay high if almost all relays delayed almost all circuits
> created by these clients.
No, I think the only way to get a higher timeout for establish-rendezvous
attempts is if the user manually set their options->CircuitStreamTimeout.
The code as you say is
{{{
/* CIRCUIT_PURPOSE_C_ESTABLISH_REND behaves more like a RELAY cell.
* Use the stream cutoff (more or less). */
 SET_CUTOFF(stream_cutoff, MAX(options->CircuitStreamTimeout,15)*1000 + 1000);
}}}
which does not reference get_circuit_build_timeout_ms(). :(
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24902#comment:29>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
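The following C model is an added illustration for this ticket, not Tor's code and not arma's or teor's: it mirrors the shape of the quoted SET_CUTOFF logic (stream cutoff for CIRCUIT_PURPOSE_C_ESTABLISH_REND circuits, the learned build timeout for ordinary ones) next to the relay-side drop from the hunk, so the two halves of the argument can be checked together: raising the consensus build timeout leaves the rendezvous cutoff at MAX(CircuitStreamTimeout,15)*1000 + 1000 ms, and a silently dropped cell pins the attacker's circuit for that long. The purpose enum values, the `cbt_ms` parameter standing in for get_circuit_build_timeout_ms(), the 500 ms acknowledgement round trip and the 100 parallel circuits are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Subset of circuit purposes, named after Tor's but with assumed values. */
enum purpose { PURPOSE_GENERAL, PURPOSE_C_ESTABLISH_REND };

/* The one torrc option the quoted cutoff reads; 0 means "unset", as in Tor. */
struct options { int CircuitStreamTimeout; };

/* Client-side cutoff for a circuit of the given purpose.  cbt_ms stands in for
 * get_circuit_build_timeout_ms(), i.e. the learned build timeout that the
 * cbt* consensus params shape; it is passed in so the example can vary it. */
static long cutoff_ms(enum purpose p, const struct options *o, long cbt_ms) {
    int stream_timeout = o->CircuitStreamTimeout > 15 ? o->CircuitStreamTimeout : 15;
    /* Same expression as the quoted SET_CUTOFF(stream_cutoff, ...) line. */
    long stream_cutoff = (long)stream_timeout * 1000L + 1000L;
    switch (p) {
    case PURPOSE_C_ESTABLISH_REND:
        return stream_cutoff;      /* never consults cbt_ms */
    default:
        return cbt_ms;             /* ordinary circuits: consensus-driven CBT */
    }
}

/* Rendezvous-point side of the defense in the hunk above: silently drop when
 * the previous hop is a client channel, otherwise acknowledge. */
static bool relay_drops_establish_rend(bool prev_hop_is_client) {
    return prev_hop_is_client;
}

/* How long one ESTABLISH_RENDEZVOUS attempt keeps its circuit busy on the
 * client.  ack_rtt_ms is an assumed round trip for the acknowledged case. */
static long attempt_duration_ms(bool prev_hop_is_client, const struct options *o,
                                long ack_rtt_ms) {
    if (relay_drops_establish_rend(prev_hop_is_client))
        return cutoff_ms(PURPOSE_C_ESTABLISH_REND, o, 0);
    return ack_rtt_ms;
}

/* Attempts per minute a client can make with `parallel` circuits in flight,
 * each occupied for duration_ms. */
static long attempts_per_minute(long parallel, long duration_ms) {
    return parallel * 60000L / duration_ms;
}

int main(void) {
    struct options unset = { 0 }, sixty = { 60 };
    printf("rend cutoff, CircuitStreamTimeout unset, CBT 60s: %ld ms\n",
           cutoff_ms(PURPOSE_C_ESTABLISH_REND, &unset, 60000));
    printf("general cutoff, same CBT:                         %ld ms\n",
           cutoff_ms(PURPOSE_GENERAL, &unset, 60000));
    printf("rend cutoff, CircuitStreamTimeout 60:             %ld ms\n",
           cutoff_ms(PURPOSE_C_ESTABLISH_REND, &sixty, 60000));
    printf("attempts/min, 100 circuits, acked (500 ms RTT):   %ld\n",
           attempts_per_minute(100, attempt_duration_ms(false, &unset, 500)));
    printf("attempts/min, 100 circuits, dropped:              %ld\n",
           attempts_per_minute(100, attempt_duration_ms(true, &unset, 500)));
    return 0;
}
```

With CircuitStreamTimeout unset the rendezvous cutoff is 16000 ms whatever cbt_ms is set to, and only a client that raises CircuitStreamTimeout itself (61000 ms for 60) moves it; the last two lines show why the silent drop matters, since the same 100 circuits that could retry every round trip are each held for the full cutoff once the relay stops acknowledging.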