juanjo juanjo@avanix.es writes:
-------- Forwarded Message -------- Subject: Re: [tor-dev] Onion Service - Intropoint DoS Defenses Date: Thu, 4 Jul 2019 20:38:48 +0200 From: juanjo juanjo@avanix.es To: David Goulet dgoulet@torproject.org
These experiments and final note confirm what I thought about this rate limiting feature from the start: it is missing important parts. Ok, you can protect the network a little and the HS, but the general availability is not affected so it actually does not help for that.
I wanna make a proposal including many things at the same time, but I don't have much time to follow the guidelines to make a official proposal. Maybe in some weeks?
Hello!
Ideally I would make one proposal for each of the things you care about. Doing one huge proposal with all the things will make it less likely for things to be done, since someone will disagree about one small part of the proposal, and it will block the whole proposal altogether.
Again, I repeat: things that should be done now:
-Authenticated rend signature. This would help a lot I think.
Current attacks do not spoof rendezvous points, they actually do make the circuits, so I don't think that would help a whole lot. Still future attacks might, so I agree this is worth doing (#25066 needs more thinking and a proposal).
-Mid-term: PoW for the client when reaching the 305prop limit instead of denying access? IDK, all always configurable.
Plausible.
-Deprecate clients or allow the Hidden Service to configure the IP to allow access for old version clients (not supporting new antiDoS features) or not. If we allow old version without protections, all security measures are useless.
Plausibl-ish.
And just a new idea: what about make the rotation of IP dynamic based on this prop305 values? + time based rotation: One of the goal for rotation was defending against correlation attacks: if we set a lower limit we have a potential DoS (right now), if we set it high we have a potential correlation attack, bigger surface. What about we join time based rotation (ex. 24 hours) + or limit reached based on the prop305 values.
Please see #26294 which is about to be merged upstream and will remove some more useless parameters from intro point rotation. After #26294, intro points will only rotate based on time.
What is the correlation attack you are worrying about? And why do you think that rotating more frequently will make it safer? Usually rotating less frequently helps against attacks by ensuring that it's less likely to cycle into bad nodes.
Cheers! :)