At 12:01 8/12/2016 -0400, Zack Weinberg wrote:
Also, if you read the paper, raising the global rate limit (as suggested by the reg. article) doesn't help; it only slows the attacker down a little.
The paper indicates that a global counter limit other than 100 can be easily discovered. However the recommended mitigation effectively removes the global counter by setting it to 10^9. The described attack requires the counter be exhausted inside the temporal bounds of one second and the Internet as it exists today cannot support 10^9 probes on that deadline.
IMO the recommended mitigation is effective and should be applied by those believing RFC-5961-as-presently-implemented changes worse than the weaknesses addressed by the RFC. I applied the mitigation.
starlight.2016q3@binnacle.cx transcribed 1.2K bytes:
Hello,
Apparently, my last email to the list went to your spam folder. Please allow me to repeat myself:
isis agora lovecruft transcribed 4.5K bytes:
The accepted patch [1] solves the issue, and does so by randomising the time window that the global variable applies to.
Best regards,
tor-relays@lists.torproject.org
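The two mitigations discussed in this thread, raising the global challenge-ACK limit to 10^9 and the accepted patch's randomised per-window budget, as an added Python model (not kernel code and not from anyone on the list). It assumes the limiter is a single counter shared by all connections and reset once per second, and that the patch starts each window with half the limit plus a random amount, so a burst within one second can no longer drain a fixed, guessable count.

```python
import random


class ChallengeAckLimiter:
    """Model of a global challenge-ACK rate limiter: one budget per
    one-second window, shared by every TCP connection on the host.
    randomize=True models the accepted patch (assumption: each window
    starts at half the limit plus a random amount below the limit)."""

    def __init__(self, limit, randomize=False, rng=None):
        self.limit = limit
        self.randomize = randomize
        self.rng = rng or random.Random(0)  # fixed seed: repeatable model
        self.window = None
        self.remaining = 0

    def try_send(self, now_sec):
        # A new one-second window resets the budget.
        if now_sec != self.window:
            self.window = now_sec
            if self.randomize:
                half = (self.limit + 1) // 2
                self.remaining = half + self.rng.randrange(self.limit)
            else:
                self.remaining = self.limit
        if self.remaining > 0:
            self.remaining -= 1
            return True  # challenge ACK is sent
        return False     # budget for this second is exhausted


def acks_sent_in_window(limiter, probes, now_sec=0):
    """Challenge ACKs actually emitted when `probes` segments that each
    deserve one arrive inside a single one-second window."""
    return sum(limiter.try_send(now_sec) for _ in range(probes))


def exhausted_within_one_second(limit, probes, randomize=False):
    """True if a burst of `probes` in one second drains the global
    counter, i.e. at least one probe is refused a challenge ACK."""
    limiter = ChallengeAckLimiter(limit, randomize)
    return acks_sent_in_window(limiter, probes) < probes
```

With the default limit of 100 the budget is fixed and easily drained; at 10^9 no realistic burst reaches the end of it within the one-second deadline, and with the randomised window the drained count is no longer a stable 100.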