diff options
author | Nick Mathewson <nickm@torproject.org> | 2015-10-29 12:23:41 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2015-10-29 12:23:41 -0400 |
commit | 64d80bb5ca66a264c64e2e40c2dc52c3f64d89cb (patch) | |
tree | b0ae20cca3f0ed01ada0732daf2f42a80b5f8918 /proposals/258-dirauth-dos.txt | |
parent | d1eb16cf35113b3ef87bb01298c6cb510f7a1604 (diff) | |
download | torspec-64d80bb5ca66a264c64e2e40c2dc52c3f64d89cb.tar.gz torspec-64d80bb5ca66a264c64e2e40c2dc52c3f64d89cb.zip |
Reformat 258.
Diffstat (limited to 'proposals/258-dirauth-dos.txt')
-rw-r--r-- | proposals/258-dirauth-dos.txt | 207 |
1 files changed, 111 insertions, 96 deletions
diff --git a/proposals/258-dirauth-dos.txt b/proposals/258-dirauth-dos.txt index 28a0e9a..966a094 100644 --- a/proposals/258-dirauth-dos.txt +++ b/proposals/258-dirauth-dos.txt @@ -1,96 +1,111 @@ -Filename: 258-dirauth-dos.txt
-Title: Denial-of-service resistance for directory authorities
-Author: Andrea Shepard
-Created: 2015-10-27
-Status: Open
-
-1. Problem statement
-
- The directory authorities are few in number and vital for the functioning
- of the Tor network; threats of denial of service attacks against them have
- occurred in the past. They should be more resistant to unreasonably large
- connection volumes.
-
-2. Design overview
-
- There are two possible ways a new connection to a directory authority can
- be established, directly by a TCP connection to the DirPort, or tunneled
- inside a Tor circuit and initiated with a begindir cell. The client can
- originate the former as direct connections or from a Tor exit, and the
- latter either as fully anonymized circuits or one-hop links to the
- dirauth's ORPort.
-
- The dirauth will try to heuristically classify incoming requests as one of
- these four indirection types, and then in the two non-anonymized cases
- further sort them into hash buckets on the basis of source IP. It will use
- an exponentially-weighted moving average to measure the rate of connection
- attempts in each bucket, and also separately limit the number of begindir
- cells permitted on each circuit. It will periodically scan the hash tables
- and forget counters which have fallen below a threshold to prevent memory
- exhaustion.
-
-3. Classification of incoming connections
-
- Clients can originate connections as one of four indirection types:
-
- - DIRIND_ONEHOP: begindir cell on a single-hop Tor circuit
- - DIRIND_ANONYMOUS: begindir cell on a fully anonymized Tor circuit
- - DIRIND_DIRECT_CONN: direct TCP connection to dirport
- - DIRIND_ANON_DIRPORT: TCP connection to dirport from an exit relay
-
- The directory authority can always tell a dirport connection from a
- begindir, but it must use its knowledge of the current consensus and
- exit policies to disambiguate whether the connection is anonymized.
-
- It should treat a begindir as DIRIND_ANONYMOUS when the previous hop
- in the circuit it appears on is in the current consensus, and as
- DIRIND_ONEHOP otherwise; it should treat a dirport connection as
- DIRIND_ANON_DIRPORT if the source address appears in the consensus
- and allows exits to the dirport in question, or as DIRIND_DIRECT_CONN
- otherwise. In the case of relays which also act as clients, these
- heuristics may falsely classify direct/onehop connections as anonymous,
- but will never falsely classify anonymous connections as direct/onehop.
-
-4. Exponentially-weighted moving average counters and hash table
-
- The directory authority implements a set of exponentially-weighted moving
- averages to measure the rate of incoming connections in each bucket. The
- two anonymous connection types are each a single bucket, but the two non-
- anonymous cases get a single bucket per source IP each, stored in a hash
- table. The directory authority must periodically scan this hash table for
- counters which have decayed close to zero and free them to avoid permitting
- memory exhaustion.
-
- This introduces five new configuration parameters:
-
- - DirDoSFilterEWMATimeConstant: the time for an EWMA counter to decay by a
- factor of 1/e, in seconds.
- - DirDoSFilterMaxAnonConnectRate: the threshold to trigger the DoS filter
- on DIRIND_ANONYMOUS connections.
- - DirDoSFilterMaxAnonDirportConnectRate: the threshold to trigger the DoS
- filter on DIRIND_ANON_DIRPORT connections.
- - DirDoSFilterMaxBegindirRatePerIP: the threshold per source IP to trigger
- the DoS filter on DIRIND_ONEHOP connections.
- - DirDoSFilterMaxDirectConnRatePerIP: the threshold per source IP to
- trigger the DoS filter on DIRIND_DIRECT_CONN connections.
-
- When incrementing a counter would put it over the relevant threshold, the
- filter is said to be triggered. In this case, the directory authority does
- not update the counter, but instead suppresses the incoming request. In
- the DIRIND_ONEHOP and DIRIND_ANONYMOUS cases, the directory authority must
- kill the circuit rather than merely refusing the request, to prevent
- an unending stream of client retries on the same circuit.
-
-5. Begindir cap
-
- Directory authorities limit the number of begindir cells permitted in the
- lifetime of a particular circuit, separately from the EWMA counters. This
- can only affect the DIRIND_ANONYMOUS and DIRIND_ONEHOP connetion types.
- A sixth configuration variable, DirDoSFilterMaxBegindirPerCircuit, controls
- this feature.
-
-6. Limitations
-
- Widely distributed DoS attacks with many source IPs may still be able to
- avoid raising any single DIRIND_ONEHOP or DIRIND_DIRECT_CONN counter above
- threshold.
+Filename: 258-dirauth-dos.txt +Title: Denial-of-service resistance for directory authorities +Author: Andrea Shepard +Created: 2015-10-27 +Status: Open + +1. Problem statement + + The directory authorities are few in number and vital for the + functioning of the Tor network; threats of denial of service + attacks against them have occurred in the past. They should be + more resistant to unreasonably large connection volumes. + +2. Design overview + + There are two possible ways a new connection to a directory + authority can be established, directly by a TCP connection to the + DirPort, or tunneled inside a Tor circuit and initiated with a + begindir cell. The client can originate the former as direct + connections or from a Tor exit, and the latter either as fully + anonymized circuits or one-hop links to the dirauth's ORPort. + + The dirauth will try to heuristically classify incoming requests + as one of these four indirection types, and then in the two + non-anonymized cases further sort them into hash buckets on the + basis of source IP. It will use an exponentially-weighted moving + average to measure the rate of connection attempts in each + bucket, and also separately limit the number of begindir cells + permitted on each circuit. It will periodically scan the hash + tables and forget counters which have fallen below a threshold to + prevent memory exhaustion. + +3. Classification of incoming connections + + Clients can originate connections as one of four indirection + types: + + + - DIRIND_ONEHOP: begindir cell on a single-hop Tor circuit + - DIRIND_ANONYMOUS: begindir cell on a fully anonymized Tor + circuit + - DIRIND_DIRECT_CONN: direct TCP connection to dirport + - DIRIND_ANON_DIRPORT: TCP connection to dirport from an exit + relay + + The directory authority can always tell a dirport connection from + a begindir, but it must use its knowledge of the current + consensus and exit policies to disambiguate whether the + connection is anonymized. + + It should treat a begindir as DIRIND_ANONYMOUS when the previous + hop in the circuit it appears on is in the current consensus, and + as DIRIND_ONEHOP otherwise; it should treat a dirport connection + as DIRIND_ANON_DIRPORT if the source address appears in the + consensus and allows exits to the dirport in question, or as + DIRIND_DIRECT_CONN otherwise. In the case of relays which also + act as clients, these heuristics may falsely classify + direct/onehop connections as anonymous, but will never falsely + classify anonymous connections as direct/onehop. + +4. Exponentially-weighted moving average counters and hash table + + The directory authority implements a set of + exponentially-weighted moving averages to measure the rate of + incoming connections in each bucket. The two anonymous + connection types are each a single bucket, but the two non- + anonymous cases get a single bucket per source IP each, stored in + a hash table. The directory authority must periodically scan + this hash table for counters which have decayed close to zero and + free them to avoid permitting memory exhaustion. + + This introduces five new configuration parameters: + + - DirDoSFilterEWMATimeConstant: the time for an EWMA counter to + decay by a factor of 1/e, in seconds. + + - DirDoSFilterMaxAnonConnectRate: the threshold to trigger the + DoS filter on DIRIND_ANONYMOUS connections. + + - DirDoSFilterMaxAnonDirportConnectRate: the threshold to + trigger the DoS filter on DIRIND_ANON_DIRPORT connections. + + - DirDoSFilterMaxBegindirRatePerIP: the threshold per source IP + to trigger the DoS filter on DIRIND_ONEHOP connections. + + - DirDoSFilterMaxDirectConnRatePerIP: the threshold per source + IP to trigger the DoS filter on DIRIND_DIRECT_CONN + connections. + + When incrementing a counter would put it over the relevant + threshold, the filter is said to be triggered. In this case, the + directory authority does not update the counter, but instead + suppresses the incoming request. In the DIRIND_ONEHOP and + DIRIND_ANONYMOUS cases, the directory authority must kill the + circuit rather than merely refusing the request, to prevent an + unending stream of client retries on the same circuit. + +5. Begindir cap + + Directory authorities limit the number of begindir cells + permitted in the lifetime of a particular circuit, separately + from the EWMA counters. This can only affect the + DIRIND_ANONYMOUS and DIRIND_ONEHOP connetion types. A sixth + configuration variable, DirDoSFilterMaxBegindirPerCircuit, + controls this feature. + +6. Limitations + + Widely distributed DoS attacks with many source IPs may still be + able to avoid raising any single DIRIND_ONEHOP or + DIRIND_DIRECT_CONN counter above threshold. |