[tor-bugs] #27921 [Core Tor/Tor]: apparent DOS / impairment-of-service against FallbackDirs using DIR requests, please evaluate for possible mitigation
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Nov  7 07:36:41 UTC 2018

#27921: apparent DOS / impairment-of-service against FallbackDirs using DIR
requests, please evaluate for possible mitigation
--------------------------+------------------------------------
 Reporter:  starlight     |          Owner:  (none)
     Type:  enhancement   |         Status:  new
 Priority:  Medium        |      Milestone:  Tor: unspecified
Component:  Core Tor/Tor  |        Version:  Tor: 0.3.4.1-alpha
 Severity:  Normal        |     Resolution:
 Keywords:  tor-dos       |  Actual Points:
Parent ID:                |         Points:
 Reviewer:                |        Sponsor:
--------------------------+------------------------------------
Comment (by starlight):
 Replying to [comment:11 teor]:
 > > perhaps they are simply causing trouble the way the circuit extend
 > > idiots were (same idiots, likely as not).  Requests all originate from
 > > direct attached clients, a pool of rotating IPs in South America and SE
 > > Asia--botnet if you ask me.
 >
 > Are they all in the same AS? Or a small set of ASes?
 > Are the ASes ISPs or VPS providers?
 Early this year the IPs were mostly in residential dynamic IP ranges in
 countries notorious for running ancient WinXP and/or pirated other Windows
 systems, also notorious for botnets due to the ease with which such
 systems are infected and kept in that state.  No particular ASes, just
 general regions with a residential profile.  Some IPs on the CBL, some
 not.  Smells like botnet-for-hire.  A few dozen IPs per week in constant
 rotation.
 Certainly the same MO now; the only difference is the upgrade from DIR to
 DIR-over-OR request path.  I ran the info logging scriptlet from earlier
 and observed the request pattern was identical, inspiring me to disable
 the target code path.
 > > . . .the connections serving the requests generally have back-pressure
 > > and standing send-Q bytes
 Possibly this is the point.  Maybe it biases KIST somehow and facilitates
 a subtle traffic analysis attack of some kind.
 > We already limit connections and circuits per IP address. Maybe we
 should limit directory requests as well.
 What I was thinking when opening this ticket ;-)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27921#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
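The mitigation floated at the end of the thread, limiting directory requests per client address the way connections and circuits are already limited, is sketched below as a per-IP token bucket. This is an added illustration, not code from Tor or from any participant in the ticket; the slot count, burst size, refill rate and the 10.0.0.x addresses are constructed assumptions, and the function names (`dir_request_allowed`, `dir_burst_served`, `dir_limit_reset`) are hypothetical, not Tor API.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: per-client token-bucket limiter for directory
 * requests, keyed by IPv4 address.  The slot count, burst and refill
 * rate below are illustrative assumptions, not Tor's values. */
#define DIR_LIMIT_SLOTS        64   /* tracked client addresses */
#define DIR_LIMIT_BURST        10.0 /* requests a fresh client may make at once */
#define DIR_LIMIT_RATE_PER_SEC 1.0  /* steady-state requests per second */

typedef struct dir_bucket_t {
  uint32_t ip;          /* IPv4 in host byte order; 0 marks a free slot */
  double tokens;        /* remaining request credit */
  uint64_t last_seen;   /* time (seconds) of the last refill */
} dir_bucket_t;

static dir_bucket_t dir_buckets[DIR_LIMIT_SLOTS];

/* Forget all tracked clients. */
void dir_limit_reset(void) {
  memset(dir_buckets, 0, sizeof(dir_buckets));
}

/* Find the bucket for `ip`, creating it if needed.  When every slot is
 * taken, the least recently seen client is evicted; an evicted client
 * that returns starts again with a full burst, which is the trade-off
 * of a fixed-size table (a rotating pool of attacker IPs can exploit
 * that, so an aggregate limit would be needed alongside this one). */
static dir_bucket_t *dir_bucket_get(uint32_t ip, uint64_t now) {
  dir_bucket_t *victim = &dir_buckets[0];
  for (int i = 0; i < DIR_LIMIT_SLOTS; i++) {
    dir_bucket_t *b = &dir_buckets[i];
    if (b->ip == ip) return b;
    if (b->ip == 0) { victim = b; break; }
    if (b->last_seen < victim->last_seen) victim = b;
  }
  victim->ip = ip;
  victim->tokens = DIR_LIMIT_BURST;
  victim->last_seen = now;
  return victim;
}

/* Return 1 if a directory request from `ip` at time `now` (seconds)
 * should be served, 0 if it should be refused. */
int dir_request_allowed(uint32_t ip, uint64_t now) {
  dir_bucket_t *b = dir_bucket_get(ip, now);
  if (now > b->last_seen) {
    /* Refill credit for the elapsed time, capped at the burst size. */
    b->tokens += (double)(now - b->last_seen) * DIR_LIMIT_RATE_PER_SEC;
    if (b->tokens > DIR_LIMIT_BURST) b->tokens = DIR_LIMIT_BURST;
    b->last_seen = now;
  }
  if (b->tokens >= 1.0) {
    b->tokens -= 1.0;
    return 1;
  }
  return 0;
}

/* How many of `n` back-to-back requests from `ip` at time `now` get
 * through; a burst of 20 from a fresh client yields exactly the burst. */
int dir_burst_served(uint32_t ip, uint64_t now, int n) {
  int served = 0;
  for (int i = 0; i < n; i++) served += dir_request_allowed(ip, now);
  return served;
}

int main(void) {
  const uint32_t client = 0x0A000001u; /* 10.0.0.1, constructed */
  dir_limit_reset();
  printf("t=0:   %d of 20 served\n", dir_burst_served(client, 0, 20));
  printf("t=5:   %d of 20 served\n", dir_burst_served(client, 5, 20));
  printf("t=100: %d of 20 served\n", dir_burst_served(client, 100, 20));
  return 0;
}
```

With these constants a fresh client gets 10 requests immediately, then one per second; the third burst shows the cap, since 95 seconds of idle time refill only back to the burst size. The limiter is per address only, so a few dozen rotating IPs of the kind described above each get their own burst; that is why the comment on eviction suggests pairing it with an aggregate budget rather than relying on it alone.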