On Fri, Jul 14, 2023 at 01:32:55AM +0000, Mike Perry wrote:
Most the probing attacks against relays that we saw probed for resource exhaustion conditions, which we will address via those conditions themselves. We did get a report of at least one instance of the typical UDP reflection flood against a Tor relay, though. It was quite large, but we only heard this report from one relay operator (and there are several thousand relay operators).
Thanks for clarifying, Mike. This is the more-generic class of attack against which the DOTS standard would be most useful---which means it probably won't be, for Tor relays, even apart from your caveat below.
It is unlikely for us to get directly involved in IP address blacklist or IP address reputation games. Tor user experience is significantly degraded by these systems. While we are trying to pitch funding proposals to improve Tor exit IP address reputation, subjecting our user IP addresses to these systems seems anathema and unlikely.
Understood. Were this method to be effective, would you extend this objection even to coordinated *short-term* (requested/cancellable) mitigation, in contrast to a cumulative, long-lived reputation scheme?
In general, we vastly prefer cryptographic rate limiting approaches, or deterrents like our pow system[1], over blacklist-based approaches.
Now, if there were ideas being kicked around to cryptographically blind this data such that IP addresses were not revealed to anyone until they appear in multiple DoS event logs, that might be of interest.
Interesting! I will look into this approach as a possible extension of the DOTS standard. Thanks for the suggestion.
--- cfm.