From 64d80bb5ca66a264c64e2e40c2dc52c3f64d89cb Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Thu, 29 Oct 2015 12:23:41 -0400 Subject: Reformat 258. --- proposals/258-dirauth-dos.txt | 207 ++++++++++++++++++++++-------------------- 1 file changed, 111 insertions(+), 96 deletions(-) (limited to 'proposals/258-dirauth-dos.txt') diff --git a/proposals/258-dirauth-dos.txt b/proposals/258-dirauth-dos.txt index 28a0e9a..966a094 100644 --- a/proposals/258-dirauth-dos.txt +++ b/proposals/258-dirauth-dos.txt @@ -1,96 +1,111 @@ -Filename: 258-dirauth-dos.txt -Title: Denial-of-service resistance for directory authorities -Author: Andrea Shepard -Created: 2015-10-27 -Status: Open - -1. Problem statement - - The directory authorities are few in number and vital for the functioning - of the Tor network; threats of denial of service attacks against them have - occurred in the past. They should be more resistant to unreasonably large - connection volumes. - -2. Design overview - - There are two possible ways a new connection to a directory authority can - be established, directly by a TCP connection to the DirPort, or tunneled - inside a Tor circuit and initiated with a begindir cell. The client can - originate the former as direct connections or from a Tor exit, and the - latter either as fully anonymized circuits or one-hop links to the - dirauth's ORPort. - - The dirauth will try to heuristically classify incoming requests as one of - these four indirection types, and then in the two non-anonymized cases - further sort them into hash buckets on the basis of source IP. It will use - an exponentially-weighted moving average to measure the rate of connection - attempts in each bucket, and also separately limit the number of begindir - cells permitted on each circuit. It will periodically scan the hash tables - and forget counters which have fallen below a threshold to prevent memory - exhaustion. - -3. Classification of incoming connections - - Clients can originate connections as one of four indirection types: - - - DIRIND_ONEHOP: begindir cell on a single-hop Tor circuit - - DIRIND_ANONYMOUS: begindir cell on a fully anonymized Tor circuit - - DIRIND_DIRECT_CONN: direct TCP connection to dirport - - DIRIND_ANON_DIRPORT: TCP connection to dirport from an exit relay - - The directory authority can always tell a dirport connection from a - begindir, but it must use its knowledge of the current consensus and - exit policies to disambiguate whether the connection is anonymized. - - It should treat a begindir as DIRIND_ANONYMOUS when the previous hop - in the circuit it appears on is in the current consensus, and as - DIRIND_ONEHOP otherwise; it should treat a dirport connection as - DIRIND_ANON_DIRPORT if the source address appears in the consensus - and allows exits to the dirport in question, or as DIRIND_DIRECT_CONN - otherwise. In the case of relays which also act as clients, these - heuristics may falsely classify direct/onehop connections as anonymous, - but will never falsely classify anonymous connections as direct/onehop. - -4. Exponentially-weighted moving average counters and hash table - - The directory authority implements a set of exponentially-weighted moving - averages to measure the rate of incoming connections in each bucket. The - two anonymous connection types are each a single bucket, but the two non- - anonymous cases get a single bucket per source IP each, stored in a hash - table. The directory authority must periodically scan this hash table for - counters which have decayed close to zero and free them to avoid permitting - memory exhaustion. - - This introduces five new configuration parameters: - - - DirDoSFilterEWMATimeConstant: the time for an EWMA counter to decay by a - factor of 1/e, in seconds. - - DirDoSFilterMaxAnonConnectRate: the threshold to trigger the DoS filter - on DIRIND_ANONYMOUS connections. - - DirDoSFilterMaxAnonDirportConnectRate: the threshold to trigger the DoS - filter on DIRIND_ANON_DIRPORT connections. - - DirDoSFilterMaxBegindirRatePerIP: the threshold per source IP to trigger - the DoS filter on DIRIND_ONEHOP connections. - - DirDoSFilterMaxDirectConnRatePerIP: the threshold per source IP to - trigger the DoS filter on DIRIND_DIRECT_CONN connections. - - When incrementing a counter would put it over the relevant threshold, the - filter is said to be triggered. In this case, the directory authority does - not update the counter, but instead suppresses the incoming request. In - the DIRIND_ONEHOP and DIRIND_ANONYMOUS cases, the directory authority must - kill the circuit rather than merely refusing the request, to prevent - an unending stream of client retries on the same circuit. - -5. Begindir cap - - Directory authorities limit the number of begindir cells permitted in the - lifetime of a particular circuit, separately from the EWMA counters. This - can only affect the DIRIND_ANONYMOUS and DIRIND_ONEHOP connetion types. - A sixth configuration variable, DirDoSFilterMaxBegindirPerCircuit, controls - this feature. - -6. Limitations - - Widely distributed DoS attacks with many source IPs may still be able to - avoid raising any single DIRIND_ONEHOP or DIRIND_DIRECT_CONN counter above - threshold. +Filename: 258-dirauth-dos.txt +Title: Denial-of-service resistance for directory authorities +Author: Andrea Shepard +Created: 2015-10-27 +Status: Open + +1. Problem statement + + The directory authorities are few in number and vital for the + functioning of the Tor network; threats of denial of service + attacks against them have occurred in the past. They should be + more resistant to unreasonably large connection volumes. + +2. Design overview + + There are two possible ways a new connection to a directory + authority can be established, directly by a TCP connection to the + DirPort, or tunneled inside a Tor circuit and initiated with a + begindir cell. The client can originate the former as direct + connections or from a Tor exit, and the latter either as fully + anonymized circuits or one-hop links to the dirauth's ORPort. + + The dirauth will try to heuristically classify incoming requests + as one of these four indirection types, and then in the two + non-anonymized cases further sort them into hash buckets on the + basis of source IP. It will use an exponentially-weighted moving + average to measure the rate of connection attempts in each + bucket, and also separately limit the number of begindir cells + permitted on each circuit. It will periodically scan the hash + tables and forget counters which have fallen below a threshold to + prevent memory exhaustion. + +3. Classification of incoming connections + + Clients can originate connections as one of four indirection + types: + + + - DIRIND_ONEHOP: begindir cell on a single-hop Tor circuit + - DIRIND_ANONYMOUS: begindir cell on a fully anonymized Tor + circuit + - DIRIND_DIRECT_CONN: direct TCP connection to dirport + - DIRIND_ANON_DIRPORT: TCP connection to dirport from an exit + relay + + The directory authority can always tell a dirport connection from + a begindir, but it must use its knowledge of the current + consensus and exit policies to disambiguate whether the + connection is anonymized. + + It should treat a begindir as DIRIND_ANONYMOUS when the previous + hop in the circuit it appears on is in the current consensus, and + as DIRIND_ONEHOP otherwise; it should treat a dirport connection + as DIRIND_ANON_DIRPORT if the source address appears in the + consensus and allows exits to the dirport in question, or as + DIRIND_DIRECT_CONN otherwise. In the case of relays which also + act as clients, these heuristics may falsely classify + direct/onehop connections as anonymous, but will never falsely + classify anonymous connections as direct/onehop. + +4. Exponentially-weighted moving average counters and hash table + + The directory authority implements a set of + exponentially-weighted moving averages to measure the rate of + incoming connections in each bucket. The two anonymous + connection types are each a single bucket, but the two non- + anonymous cases get a single bucket per source IP each, stored in + a hash table. The directory authority must periodically scan + this hash table for counters which have decayed close to zero and + free them to avoid permitting memory exhaustion. + + This introduces five new configuration parameters: + + - DirDoSFilterEWMATimeConstant: the time for an EWMA counter to + decay by a factor of 1/e, in seconds. + + - DirDoSFilterMaxAnonConnectRate: the threshold to trigger the + DoS filter on DIRIND_ANONYMOUS connections. + + - DirDoSFilterMaxAnonDirportConnectRate: the threshold to + trigger the DoS filter on DIRIND_ANON_DIRPORT connections. + + - DirDoSFilterMaxBegindirRatePerIP: the threshold per source IP + to trigger the DoS filter on DIRIND_ONEHOP connections. + + - DirDoSFilterMaxDirectConnRatePerIP: the threshold per source + IP to trigger the DoS filter on DIRIND_DIRECT_CONN + connections. + + When incrementing a counter would put it over the relevant + threshold, the filter is said to be triggered. In this case, the + directory authority does not update the counter, but instead + suppresses the incoming request. In the DIRIND_ONEHOP and + DIRIND_ANONYMOUS cases, the directory authority must kill the + circuit rather than merely refusing the request, to prevent an + unending stream of client retries on the same circuit. + +5. Begindir cap + + Directory authorities limit the number of begindir cells + permitted in the lifetime of a particular circuit, separately + from the EWMA counters. This can only affect the + DIRIND_ANONYMOUS and DIRIND_ONEHOP connetion types. A sixth + configuration variable, DirDoSFilterMaxBegindirPerCircuit, + controls this feature. + +6. Limitations + + Widely distributed DoS attacks with many source IPs may still be + able to avoid raising any single DIRIND_ONEHOP or + DIRIND_DIRECT_CONN counter above threshold. -- cgit v1.2.3-54-g00ecf