aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNick Mathewson <nickm@torproject.org>2007-03-12 13:04:20 +0000
committerNick Mathewson <nickm@torproject.org>2007-03-12 13:04:20 +0000
commita70be61dd51506755184374cd6b3c78c45296d8f (patch)
tree1b6deb7901949d8a59e23a2cfb78495815be5416
parentf4913b4070ffc151d5f0b1ac0da98f50c0c9c538 (diff)
downloadtor-a70be61dd51506755184374cd6b3c78c45296d8f.tar.gz
tor-a70be61dd51506755184374cd6b3c78c45296d8f.zip
r12154@catbus: nickm | 2007-03-11 23:20:58 -0400
Add "sybil-checking.txt" as "109-no-sharing-ips.txt" svn:r9805
-rw-r--r--doc/spec/proposals/000-index.txt1
-rw-r--r--doc/spec/proposals/109-no-sharing-ips.txt77
2 files changed, 78 insertions, 0 deletions
diff --git a/doc/spec/proposals/000-index.txt b/doc/spec/proposals/000-index.txt
index c08bacac30..93d5d0ab1a 100644
--- a/doc/spec/proposals/000-index.txt
+++ b/doc/spec/proposals/000-index.txt
@@ -27,3 +27,4 @@ Proposals by number:
106 Checking fewer things during TLS handshakes [CLOSED]
107 Uptime Sanity Checking [CLOSED]
108 Base "Stable" Flag on Mean Time Between Failures [OPEN]
+109 No more than one server per IP address [OPEN] \ No newline at end of file
diff --git a/doc/spec/proposals/109-no-sharing-ips.txt b/doc/spec/proposals/109-no-sharing-ips.txt
new file mode 100644
index 0000000000..d1177bf58c
--- /dev/null
+++ b/doc/spec/proposals/109-no-sharing-ips.txt
@@ -0,0 +1,77 @@
+Filename: 109-no-sharing-ips.txt
+Title: No more than one server per IP address.
+Version:
+Last-Modified:
+Author: Kevin Bauer & Damon McCoy
+Created: 9-March-2007
+Status: Open
+
+Overview:
+ This document describes a solution to a Sybil attack vulnerability in the
+ directory servers. Currently, it is possible for a single IP address to
+ host an arbitrarily high number of Tor routers. We propose that the
+ directory servers limit the number of Tor routers that may be registered at
+ a particular IP address to some small (fixed) number, perhaps just one Tor
+ router per IP address.
+
+ While Tor never uses more than one server from a given /16 in the same
+ circuit, an attacker with multiple servers in the same place is still
+ dangerous because he can get around the per-server bandwidth cap that is
+ designed to prevent a single server from attracting too much of the overall
+ traffic.
+
+Motivation:
+ Since it is possible for an attacker to register an arbitrarily large
+ number of Tor routers, it is possible for malicious parties to do this to
+ as part of a traffic analysis attack.
+
+Security implications:
+ This countermeasure will increase the number of IP addresses that an
+ attacker must control in order to carry out traffic analysis.
+
+Specification:
+ We propose that the directory servers check if an incoming Tor router IP
+ address is already registered under another router. If this is the case,
+ then prevent this router from joining the network.
+
+Compatibility:
+
+ Upon inspection of a directory server, we found that the following IP
+ addresses have more than one Tor router:
+
+ Scruples 68.5.113.81 ip68-5-113-81.oc.oc.cox.net 443
+ WiseUp 68.5.113.81 ip68-5-113-81.oc.oc.cox.net 9001
+ Unnamed 62.1.196.71 pc01-megabyte-net-arkadiou.megabyte.gr 9001
+ Unnamed 62.1.196.71 pc01-megabyte-net-arkadiou.megabyte.gr 9001
+ Unnamed 62.1.196.71 pc01-megabyte-net-arkadiou.megabyte.gr 9001
+ aurel 85.180.62.138 e180062138.adsl.alicedsl.de 9001
+ sokrates 85.180.62.138 e180062138.adsl.alicedsl.de 9001
+ moria1 18.244.0.188 moria.mit.edu 9001
+ peacetime 18.244.0.188 moria.mit.edu 9100
+
+ There may exist compatibility issues with this proposed fix. Reasons why
+ more than one server would share an IP address include:
+
+ * Testing. moria1, moria2, peacetime, and other morias all run on one
+ computer at MIT, because that way we get testing. Moria1 and moria2 are
+ run by Roger, and peacetime is run by Nick.
+ * NAT. If there are several servers but they port-forward through the same
+ IP address, ... we can hope that the operators coordinate with each
+ other. Also, we should recognize that while they help the network in
+ terms of increased capacity, they don't help as much as they could in
+ terms of location diversity. But our approach so far has been to take
+ what we can get.
+ * People who have more than 1.5MB/s and want to help out more. For
+ example, for a while Tonga was offering 10MB/s and its Tor server
+ would only make use of a bit of it. So Roger suggested that he run
+ two Tor servers, to use more.
+
+Alternatives:
+
+ Roger suggested that instead of capping number of servers per IP to 1, we
+ should cap total declared bandwidth per IP to some N, and total declared
+ servers to some M. (He suggested N=5MB/s and M=5.)
+
+ Roger also suggested that rather than not listing servers, we mark them as
+ not Valid.
+