[tor-bugs] #33156 [Core Tor/Tor]: DoS subsystem should compare IPv6 /64
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Feb 5 03:37:39 UTC 2020
#33156: DoS subsystem should compare IPv6 /64
-------------------------+-------------------------------------------------
Reporter: teor | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone: Tor: unspecified
Component: Core Tor/Tor | Version:
Severity: Normal | Keywords: security-?, tor-relay, tor-dirauth, dos
Actual Points: | Parent ID:
Points: 2 | Reviewer:
Sponsor: |
-------------------------+-------------------------------------------------
s7r writes:
> Our internal DoS defense subsystem should also treat prefixes instead of
> addresses, because right now with a client with a /64 public IPv6 prefix
> assigned to it I could hammer via IPv6 guards without triggering the DoS
> defense.
https://lists.torproject.org/pipermail/tor-dev/2020-February/014144.html
We could make this change by:
* only putting the first /64 of each IPv6 address in the filter list, and
* only checking the first /64 of each new IPv6 connection
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33156>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
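
The two steps proposed in the ticket (store only the first /64, compare only the first /64), as an added C example that is not part of the ticket and not Tor's own code. The table layout, the threshold, and the names `note_connection` and `flagged_in_sample` are hypothetical, and the addresses are constructed from the 2001:db8::/32 documentation prefix.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_KEYS 64       /* toy table size (assumption) */
#define CONN_THRESHOLD 3  /* hypothetical per-key connection limit */

struct entry { uint8_t key[16]; unsigned count; };
struct table { struct entry e[MAX_KEYS]; size_t n; int use_prefix; };

/* Record one connection under its key: the full address, or only the first
 * 64 bits when use_prefix is set. Returns 1 if the key is now over the
 * threshold, 0 if not, -1 on an unparsable address or a full table. */
int note_connection(struct table *t, const char *text) {
    struct in6_addr a;
    uint8_t key[16];
    if (inet_pton(AF_INET6, text, &a) != 1) return -1;
    memcpy(key, a.s6_addr, 16);
    if (t->use_prefix) memset(key + 8, 0, 8);  /* drop the low 64 bits */
    for (size_t i = 0; i < t->n; i++)
        if (memcmp(t->e[i].key, key, 16) == 0)
            return ++t->e[i].count > CONN_THRESHOLD;
    if (t->n == MAX_KEYS) return -1;
    memcpy(t->e[t->n].key, key, 16);
    t->e[t->n++].count = 1;
    return 0;
}

/* Constructed sample (documentation prefix 2001:db8::/32): five connections
 * from one /64 with different low 64 bits, then one from a neighbouring /64.
 * Returns how many connections were flagged. */
int flagged_in_sample(int use_prefix) {
    static const char *conns[] = {
        "2001:db8:1:2::1", "2001:db8:1:2::2", "2001:db8:1:2:aaaa::3",
        "2001:db8:1:2::4", "2001:db8:1:2:ffff:ffff:ffff:ffff",
        "2001:db8:1:3::1",
    };
    struct table t = { .n = 0, .use_prefix = use_prefix };
    int flagged = 0;
    for (size_t i = 0; i < sizeof conns / sizeof conns[0]; i++)
        flagged += note_connection(&t, conns[i]) == 1;
    return flagged;
}

int main(void) {
    printf("per-address keys: %d flagged\n", flagged_in_sample(0));
    printf("per-/64 keys:     %d flagged\n", flagged_in_sample(1));
    return 0;
}
```

With per-address keys every connection in the sample lands on its own counter and nothing crosses the threshold; with /64 keys the five same-prefix connections share one counter and the fourth and fifth are flagged, while the neighbouring /64 is counted separately.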