[tor-bugs] #15516 [Core Tor/Tor]: Consider rate-limiting INTRODUCE2 cells when under load
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Apr 29 18:26:09 UTC 2019
#15516: Consider rate-limiting INTRODUCE2 cells when under load
-------------------------------------------------+-------------------------
Reporter: special | Owner: (none)
Type: enhancement | Status: new
Priority: Medium | Milestone: Tor:
| unspecified
Component: Core Tor/Tor | Version:
Severity: Normal | Resolution:
Keywords: SponsorU-deferred, tor-dos, tor-hs, | Actual Points:
network-team-roadmap-2019-Q1Q2 |
Parent ID: #29999 | Points: 10
Reviewer: | Sponsor:
| Sponsor27-can
-------------------------------------------------+-------------------------
Comment (by arma):
Replying to [comment:2 arma]:
> I'd actually like to some exploration of initial throttling or dropping
or queueing at the intro point as well. That was originally meant to be
the first line of defense here.
Here's my concrete proposal on this one: the intro point should see if the
package window for the intro circuit is empty, and if so, it should nack
the intro1 cell. That way there are at most 1000 intro2 cells in flight at
once from that intro point.
This design is reasonable because it takes a long while for an onion
service to process 1000 intro2 cells, so if we queue later ones and send
them 'eventually', they're going to arrive much later, and the client will
likely have timed out and moved on from that rendezvous point. So we're
not harming legitimate clients who end up in this situation, because the
current behavior is already harming them plenty.
The benefits are that (a) the onion service doesn't receive the excess
intro2 cells that it wasn't going to be able to rendezvous with anyway,
(b) clients get a much faster feedback that things aren't going to work so
they can move to another intro point, and (c) when a DoS stops, the pain
stops soon after: there isn't a huge queue of waiting intro2 cells that
have to slowly drain, for no value.
We could imagine an extension on this idea, where the intro point silently
drops the excess intro1 cells, rather than explicitly nacking them. This
variant will force the client to time out rather than immediately try the
next intro point, thus slowing down attacks by clients that follow the
protocol. (Modified clients could still use a smaller timeout, or not even
care whether they get a response.)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15516#comment:28>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list