Opened 5 years ago

Closed 5 years ago

#14084 closed defect (fixed)

Configuration option for anti-hs-portscanning

Reported by: nickm
Owned by:
Priority: Medium
Milestone: Tor: 0.2.6.x-final
Component: Core Tor/Tor
Version:
Severity:
Keywords: tor-hs nickm-patch
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

#13667 introduced a feature to close HS circuits upon receiving a BEGIN cell to a nonexistent port.

Some people think this feature is stupid.

Okay, let's add an option so they can turn it off.

Change History (7)

comment:1 Changed 5 years ago by nickm

Summary: Configuration option → Configuration option for anti-hs-portscanning

comment:2 Changed 5 years ago by nickm

Keywords: nickm-patch added
Status: new → needs_review

See branch 'bug14084'. Needs review.

comment:3 Changed 5 years ago by dgoulet

I wonder if this is a bit too technical for users:

[[HiddenServiceAllowUnknownPorts]] **HiddenServiceAllowUnknownPorts** **0**|**1**::
   If set to 1, then connections to unrecognized ports do not cause the
   current hidden service to close rendezvous circuits. (Default: 0)

What is a "rendezvous circuit"? What does it entail for the user to set it or not? Should we mention that it's primarily there to make port scanning harder on the attacker side (which is it really?). Why would someone set it to 1, to avoid a bunch of circuits being built?

The patch is ok for me. I'm no big fan of multiple error codes but I don't see any simpler way here unless an extra param is given and set if the circuit should be closed.

comment:4 in reply to:  3 Changed 5 years ago by qwerty1

Replying to dgoulet:

I wonder if this is a bit too technical for users:

[[HiddenServiceAllowUnknownPorts]] **HiddenServiceAllowUnknownPorts** **0**|**1**::
   If set to 1, then connections to unrecognized ports do not cause the
   current hidden service to close rendezvous circuits. (Default: 0)

What is a "rendezvous circuit"?

The manual mentions technical terms (including rendezvous circuits) several times already, with no ill effects so far.

What does it entail for the user to set it or not? Should we mention that it's primarily there to make port scanning harder on the attacker side (which is it really?)

Describing it in those terms encourages users to place their trust in 2^16 security through obscure ports, and ignores the already existing solution: HS client authorization.

The only thing I would change about this patch is I think it should be set to 1 by default.

comment:5 Changed 5 years ago by nickm

Keywords: andrea-review added

comment:6 Changed 5 years ago by andrea

Keywords: andrea-review removed

This patch looks fine to me, but I concur with qwerty1's comment that the description should emphasize that this is not a substitute for HS client auth.

comment:7 Changed 5 years ago by nickm

Resolution: fixed
Status: needs_review → closed

Added, merged.
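
A simplified model of the behaviour discussed in this ticket, added here as an illustration and not taken from the bug14084 branch or from Tor's source. The enum names, struct and functions are hypothetical, the sample configuration is constructed, and refusing only the stream when the option is 1 is an assumption. It shows that the default closes the circuit on every BEGIN to an unconfigured port, while a configured port stays reachable in both modes, which is why the option is no substitute for HS client authorization.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical result codes for this sketch; not Tor's own identifiers. */
enum begin_result { BEGIN_OK = 0, BEGIN_CLOSE_STREAM = -1, BEGIN_CLOSE_CIRCUIT = -2 };

struct hs_config {
    const int *ports;          /* virtual ports configured for the service */
    size_t n_ports;
    int allow_unknown_ports;   /* HiddenServiceAllowUnknownPorts: 0 or 1 */
};

/* Decide what happens to a BEGIN cell asking for `port`. */
enum begin_result handle_begin(const struct hs_config *cfg, int port)
{
    for (size_t i = 0; i < cfg->n_ports; i++)
        if (cfg->ports[i] == port)
            return BEGIN_OK;   /* configured port: reachable in both modes */
    /* Unknown port. Assumption: with the option set to 1 only the stream
     * is refused; with the default 0 the whole circuit is closed. */
    return cfg->allow_unknown_ports ? BEGIN_CLOSE_STREAM : BEGIN_CLOSE_CIRCUIT;
}

/* Number of rendezvous circuits the service closes when BEGIN cells
 * arrive for every port in [first, last]. */
int circuits_closed(const struct hs_config *cfg, int first, int last)
{
    int closed = 0;
    for (int p = first; p <= last; p++)
        if (handle_begin(cfg, p) == BEGIN_CLOSE_CIRCUIT)
            closed++;
    return closed;
}

/* Constructed sample configuration: one virtual port, 80. */
const int sample_ports[] = { 80 };
const struct hs_config strict = { sample_ports, 1, 0 };
const struct hs_config lenient = { sample_ports, 1, 1 };

int main(void)
{
    printf("option=0: %d circuits closed for ports 1-100\n",
           circuits_closed(&strict, 1, 100));
    printf("option=1: %d circuits closed for ports 1-100\n",
           circuits_closed(&lenient, 1, 100));
    printf("port 80 reachable in both modes: %d\n",
           handle_begin(&strict, 80) == BEGIN_OK &&
           handle_begin(&lenient, 80) == BEGIN_OK);
    return 0;
}
```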
