Opened 8 months ago

Last modified 3 months ago

#24298 new defect

Better handling of DoS attacks on onion services

Reported by: asn
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: tor-hs, prop224, tor-dos, 034-triage-20180328, 034-removed-20180328
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor: SponsorV

Description

We have received various reports on attackers being able to DoS onion services in various ways. Examples:

a) Layer-7 attacks where the attacker spams HTTP requests: https://www.hackerfactor.com/blog/index.php?/archives/777-Stopping-Tor-Attacks.html
b) DoS through the Tor protocol (intense circuit construction #16052, #15515).

We should come up with designs and plans on how to mitigate those DoS attacks better in the future.

Due to the anonymous unlinkable nature of Tor onion service clients, these designs should be modular enough so that onion service operators can write their own anti-DoS modules to handle specific cases of attacks.

This is a parent ticket to handle the various subtasks.

Child Tickets

| Ticket | Status | Owner | Summary | Component |
|--------|--------|-------|---------|-----------|
| #15463 | new | yawning | Tor deals poorly with a very large number of incoming connection requests. | Core Tor/Tor |
| #16059 | new | | Add a "rendezvous approver" control API | Core Tor/Tor |
| #24299 | closed | | Allow onion services to distinguish clients from each other | Core Tor/Tor |

Change History (5)

comment:1 Changed 8 months ago by asn

Sponsor: SponsorV

comment:2 Changed 6 months ago by dgoulet

Milestone: Tor: 0.3.3.x-final → Tor: 0.3.4.x-final

Moving a bunch of tickets from 033 to 034.

comment:3 Changed 4 months ago by nickm

Keywords: 034-triage-20180328 added

comment:4 Changed 4 months ago by nickm

Keywords: 034-removed-20180328 added

Per our triage process, these tickets are pending removal from 0.3.4.

comment:5 Changed 3 months ago by nickm

Milestone: Tor: 0.3.4.x-final → Tor: unspecified

These tickets, tagged with 034-removed-*, are no longer in-scope for 0.3.4. We can reconsider any of them, if time permits.
