[tor-talk] Massive Bandwidth Onion Services

Alec Muffett alec.muffett at gmail.com
Mon Dec 19 10:30:16 UTC 2016


I would post this to the tor-onions list, but it might be more generally
interesting to folk, so I'm posting here and will shift it if it gets too
technical.


I'm working on load-balanced, high-availability Tor deployment
architectures, and on that basis I am running 72 tor daemons on a cluster
of 6 quad-core Debian boxes.

I am then - using Donncha's "OnionBalance" to:

* scrape the descriptors of those 72 daemons

* selects random(ish) 60 of the introduction points from those daemons, and

* rebundle those 60 introduction points into 6 distinct descriptors of 10
introduction points apiece, then

* signing those distinct descriptors with a "service" onion address and
emplacing them onto the HSDir ring.


This means that, at any one time, the daemon will be able to have 60x the
CPU and network-bus bandwidth, above/beyond what is available to a typical
single-daemon instance.

Why "72"? Because it's a number >60 and I'm seeking to stress-test things a
little.

Specifically: one eventual goal of this project is to adjust the timings a
little, so that the HSDir cache acts a little like "Round-Robin DNS Load
Balancing" - people accessing the "service" onion address at lunchtime will
receive/cache different descriptors from those who access it some hours
later, and the descriptors persist, so thereby the whole 72 daemons get
used/averaged-out over an entire day.

In my attempts to go fast-and-wide, however, I appear to have run into a
hardcoded limit:

    Dec 19 09:24:43.365 [warn] HiddenServiceNumIntroductionPoints should be
between 3 and 10, not 1

There's little point in publishing >2, and perhaps* not >1 introduction
point for each of the 72 daemons; also it makes scraping and reassembly
slower/more expensive.

So I am writing to ask whether it is possible (and whether it is wise?) to
have a mode that will bypass this (otherwise very sensible) control?

    -alec



* it would be rude to an IP to have only a single-IP-per-daemon that was
invariant over a long period, but I believe that IPs migrate over time
anyway... ?

-- 
http://dropsafe.crypticide.com/aboutalecm


More information about the tor-talk mailing list