author: David Goulet <dgoulet@torproject.org> 2018-02-13 09:44:07 -0500
committer: Nick Mathewson <nickm@torproject.org> 2018-03-03 11:55:04 -0500
commit: ed14d85d57cdcf0742040a57e9f0a75f69567482
tree: ec146afaf4a30db6e1e3cb5b44f61f2a5e97f3b8 /dir-spec.txt
parent: ef91cd6a595128847c991eb875d105b850d60fcf
tor-spec: Document DoS mitigation consensus param
Closes #25095
Signed-off-by: David Goulet <dgoulet@torproject.org>
Diffstat (limited to 'dir-spec.txt')
-rw-r--r-- dir-spec.txt 41
1 files changed, 41 insertions, 0 deletions
diff --git a/dir-spec.txt b/dir-spec.txt
index ece2991..bcfa62c 100644
--- a/dir-spec.txt
+++ b/dir-spec.txt
@@ -1995,6 +1995,47 @@
Min 1. Max 10. Default 2.
First-appeared: 0.3.3.0-alpha.
+ Denial of Service mitigation parameters. Introduced in 0.3.3.2-alpha:
+
+ "DoSCircuitCreationEnabled" -- Enable the circuit creation DoS
+ mitigation.
+
+ "DoSCircuitCreationMinConnections" -- Minimum threshold of concurrent
+ connections before a client address can be flagged as executing a
+ circuit creation DoS
+
+ "DoSCircuitCreationRate" -- Allowed circuit creation rate per second
+ per client IP address once the minimum concurrent connection
+ threshold is reached.
+
+ "DoSCircuitCreationBurst" -- The allowed circuit creation burst per
+ client IP address once the minimum concurrent connection threshold is
+ reached.
+
+ "DoSCircuitCreationDefenseType" -- Defense type applied to a detected
+ client address for the circuit creation mitigation.
+
+ 1: No defense.
+ 2: Refuse circuit creation for the
+ DoSCircuitCreationDefenseTimePeriod period.
+
+ "DoSCircuitCreationDefenseTimePeriod" -- The base time period that
+ the DoS defense is activated for.
+
+ "DoSConnectionEnabled" -- Enable the connection DoS mitigation.
+
+ "DoSConnectionMaxConcurrentCount" -- The maximum threshold of
+ concurrent connection from a client IP address.
+
+ "DoSConnectionDefenseType" -- Defense type applied to a detected
+ client address for the connection mitigation. Possible values are:
+
+ 1: No defense.
+ 2: Immediately close new connections.
+
+ "DoSRefuseSingleHopClientRendezvous" -- Refuse establishment of
+ rendezvous points for single hop clients.
+
"shared-rand-previous-value" SP NumReveals SP Value NL
[At most once]
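Review bot: none of the new DoS* entries, from "DoSCircuitCreationEnabled" through "DoSRefuseSingleHopClientRendezvous", gives a value range, a default or a unit, whereas the entry just above them in the context ends with "Min 1. Max 10. Default 2." and a "First-appeared:" line. Suggest adding a Min/Max/Default line to each parameter, stating which values the three on/off style parameters ("DoSCircuitCreationEnabled", "DoSConnectionEnabled", "DoSRefuseSingleHopClientRendezvous") accept, and naming the unit for "DoSCircuitCreationDefenseTimePeriod", which is described only as "the base time period"; without these, two implementations can read the same consensus value differently and apply different rate limits. Smaller points: "DoSCircuitCreationDefenseType" lists its values without the "Possible values are:" lead-in that "DoSConnectionDefenseType" uses, the "DoSCircuitCreationMinConnections" description ends without a period, and "concurrent connection from a client IP address" should read "concurrent connections".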