[tor-commits] [torspec/master] Proposal 258: Denial-of-service resistance for directory authorities
nickm at torproject.org
Thu Oct 29 16:23:46 UTC 2015
commit d1eb16cf35113b3ef87bb01298c6cb510f7a1604
Author: Nick Mathewson <nickm at torproject.org>
Date: Thu Oct 29 11:56:50 2015 -0400
Proposal 258: Denial-of-service resistance for directory authorities
---
proposals/000-index.txt | 2 +
proposals/258-dirauth-dos.txt | 96 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 98 insertions(+)
diff --git a/proposals/000-index.txt b/proposals/000-index.txt
index c5fabc9..0add538 100644
--- a/proposals/000-index.txt
+++ b/proposals/000-index.txt
@@ -178,6 +178,7 @@ Proposals by number:
255 Controller features to allow for load-balancing hidden services [DRAFT]
256 Key revocation for relays and authorities [OPEN]
257 Refactoring authorities and taking parts offline [DRAFT]
+258 Denial-of-service resistance for directory authorities [OPEN]
Proposals by status:
@@ -228,6 +229,7 @@ Proposals by status:
242 Better performance and usability for the MyFamily option
246 Merging Hidden Service Directories and Introduction Points
256 Key revocation for relays and authorities
+ 258 Denial-of-service resistance for directory authorities
ACCEPTED:
140 Provide diffs between consensuses
172 GETINFO controller option for circuit information
diff --git a/proposals/258-dirauth-dos.txt b/proposals/258-dirauth-dos.txt
new file mode 100644
index 0000000..28a0e9a
--- /dev/null
+++ b/proposals/258-dirauth-dos.txt
@@ -0,0 +1,96 @@
+Filename: 258-dirauth-dos.txt
+Title: Denial-of-service resistance for directory authorities
+Author: Andrea Shepard
+Created: 2015-10-27
+Status: Open
+
+1. Problem statement
+
+ The directory authorities are few in number and vital for the functioning
+ of the Tor network; threats of denial of service attacks against them have
+ occurred in the past. They should be more resistant to unreasonably large
+ connection volumes.
+
+2. Design overview
+
+ There are two possible ways a new connection to a directory authority can
+ be established, directly by a TCP connection to the DirPort, or tunneled
+ inside a Tor circuit and initiated with a begindir cell. The client can
+ originate the former as direct connections or from a Tor exit, and the
+ latter either as fully anonymized circuits or one-hop links to the
+ dirauth's ORPort.
+
+ The dirauth will try to heuristically classify incoming requests as one of
+ these four indirection types, and then in the two non-anonymized cases
+ further sort them into hash buckets on the basis of source IP. It will use
+ an exponentially-weighted moving average to measure the rate of connection
+ attempts in each bucket, and also separately limit the number of begindir
+ cells permitted on each circuit. It will periodically scan the hash tables
+ and forget counters which have fallen below a threshold to prevent memory
+ exhaustion.
+
+3. Classification of incoming connections
+
+ Clients can originate connections as one of four indirection types:
+
+ - DIRIND_ONEHOP: begindir cell on a single-hop Tor circuit
+ - DIRIND_ANONYMOUS: begindir cell on a fully anonymized Tor circuit
+ - DIRIND_DIRECT_CONN: direct TCP connection to dirport
+ - DIRIND_ANON_DIRPORT: TCP connection to dirport from an exit relay
+
+ The directory authority can always tell a dirport connection from a
+ begindir, but it must use its knowledge of the current consensus and
+ exit policies to disambiguate whether the connection is anonymized.
+
+ It should treat a begindir as DIRIND_ANONYMOUS when the previous hop
+ in the circuit it appears on is in the current consensus, and as
+ DIRIND_ONEHOP otherwise; it should treat a dirport connection as
+ DIRIND_ANON_DIRPORT if the source address appears in the consensus
+ and allows exits to the dirport in question, or as DIRIND_DIRECT_CONN
+ otherwise. In the case of relays which also act as clients, these
+ heuristics may falsely classify direct/onehop connections as anonymous,
+ but will never falsely classify anonymous connections as direct/onehop.
+
+4. Exponentially-weighted moving average counters and hash table
+
+ The directory authority implements a set of exponentially-weighted moving
+ averages to measure the rate of incoming connections in each bucket. The
+ two anonymous connection types are each a single bucket, but the two non-
+ anonymous cases get a single bucket per source IP each, stored in a hash
+ table. The directory authority must periodically scan this hash table for
+ counters which have decayed close to zero and free them to avoid permitting
+ memory exhaustion.
+
+ This introduces five new configuration parameters:
+
+ - DirDoSFilterEWMATimeConstant: the time for an EWMA counter to decay by a
+ factor of 1/e, in seconds.
+ - DirDoSFilterMaxAnonConnectRate: the threshold to trigger the DoS filter
+ on DIRIND_ANONYMOUS connections.
+ - DirDoSFilterMaxAnonDirportConnectRate: the threshold to trigger the DoS
+ filter on DIRIND_ANON_DIRPORT connections.
+ - DirDoSFilterMaxBegindirRatePerIP: the threshold per source IP to trigger
+ the DoS filter on DIRIND_ONEHOP connections.
+ - DirDoSFilterMaxDirectConnRatePerIP: the threshold per source IP to
+ trigger the DoS filter on DIRIND_DIRECT_CONN connections.
+
+ When incrementing a counter would put it over the relevant threshold, the
+ filter is said to be triggered. In this case, the directory authority does
+ not update the counter, but instead suppresses the incoming request. In
+ the DIRIND_ONEHOP and DIRIND_ANONYMOUS cases, the directory authority must
+ kill the circuit rather than merely refusing the request, to prevent
+ an unending stream of client retries on the same circuit.
+
+5. Begindir cap
+
+ Directory authorities limit the number of begindir cells permitted in the
+ lifetime of a particular circuit, separately from the EWMA counters. This
+ can only affect the DIRIND_ANONYMOUS and DIRIND_ONEHOP connetion types.
+ A sixth configuration variable, DirDoSFilterMaxBegindirPerCircuit, controls
+ this feature.
+
+6. Limitations
+
+ Widely distributed DoS attacks with many source IPs may still be able to
+ avoid raising any single DIRIND_ONEHOP or DIRIND_DIRECT_CONN counter above
+ threshold.
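Review bot: Section 4 (the "Exponentially-weighted moving average counters and hash table" block) names DirDoSFilterEWMATimeConstant as the 1/e decay time but never states the update rule itself, i.e. how much a single connection attempt adds to a bucket and whether decay is applied lazily on each access or by the periodic scan, so the four *Rate thresholds have no defined units and two implementations could disagree on when "incrementing a counter would put it over the relevant threshold"; suggest spelling out the formula and the units the thresholds are expressed in. The same section says the periodic scan frees counters that "have decayed close to zero" without a parameter or constant for that cutoff, which is worth adding alongside the time constant since the scan is the stated defence against memory exhaustion. Smaller points: "connetion types" in section 5 should read "connection types", and since section 5 introduces "a sixth configuration variable" it would be clearer to list DirDoSFilterMaxBegindirPerCircuit together with the five parameters in section 4 rather than introducing them as "five new configuration parameters".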