Create a dirauth DoS response procedure

We have the technical ability right now to rapidly rotate up to n-1 of the directory authorities to new IP addresses and new intermediate keys, simply by updating torrc files of dirauths. So long as at least one directory authority remains listening on its old IP address and is aware of the other directory authorities' new locations, it should still be possible to both produce a consensus and distribute it to new clients.

We should clearly document this procedure so we can execute it quickly if a majority of the Tor directory authorities fall victim to a DoS or compromise.

We should also consider altering client bundles to ship with a reduced consensus or descriptor set of ultra high-uptime directory mirrors, so that in the future we can rotate all n directory authorities without issue.

changed milestone to %Tor: unspecified

added SponsorU-deferred component::core tor/tor milestone::Tor: unspecified parent::2664 points::medium priority::high severity::normal status::new tor-dirauth type::task version::tor 0.2.7 labels

Trac:
Description: We have the technical ability right now to rotate up to n-1 of the directory authorities to new IP addresses, with new intermediate keys by updating torrc files of the other dirauths. So long as at least one directory authority remains listening on its old IP address and is aware of the other directory authorities' new locations, it should still be possible to both produce a consensus and distribute it to new clients.

We should clearly document this procedure so we can execute it quickly if the Tor directory authorities fall victim to a DoS or widespread compromise.

We should also consider altering client bundles to ship with a reduced consensus or descriptor set of ultra high-uptime directory mirrors, so that in the future we can rotate all n directory authorities without issue.

to

We have the technical ability right now to rapidly rotate up to n-1 of the directory authorities to new IP addresses and new intermediate keys, simply by updating torrc files of dirauths. So long as at least one directory authority remains listening on its old IP address and is aware of the other directory authorities' new locations, it should still be possible to both produce a consensus and distribute it to new clients.

We should clearly document this procedure so we can execute it quickly if a majority of the Tor directory authorities fall victim to a DoS or compromise.

We should also consider altering client bundles to ship with a reduced consensus or descriptor set of ultra high-uptime directory mirrors, so that in the future we can rotate all n directory authorities without issue.

It appears Iran has just blocked the directory authorites, which may require us to distribute a list of super-stable dir mirrors to clients anyway. So I'm thinking we might even go for gold on this one.

If we design this right, we can protect the dirauths from DoS by allowing them to write iptables rules to block contact with anyone but eachother and the list of approved dir mirrors.

Trac:
Component: Tor Relay to Tor Directory Authority

Trac:
Milestone: N/A to Tor: 0.2.3.x-final

Trac:
Milestone: Tor: 0.2.3.x-final to Tor: 0.2.4.x-final
Priority: normal to major

Instead of relocation, a lighter-weight alternative that should be easier to deploy in an emergency is to create a clique firewall topology, so the dirauths can only talk to each other and a set of high-bandwidth, high-uptime dir mirrors.

This might be easier to deploy as an emergency response. However, without at least one of the dirauths being publicly reachable, we'd still have no way to bootstrap new clients without shipping them with some kind of cached consensus.

Trac:
Summary: Create a dirauth rotation procedure to Create a dirauth DoS response procedure

Add iptables limiting rules in general for all connections - I get by with 6 per minute from a given ip and it seems to be fine. I bet dozens would also be fine.

Here's an example limit rule:

iptables -A INPUT -p tcp --dport $DIRPORT -m limit --limit 100/minute --limit-burst 666 -j ACCEPT

#572 (moved) sounds like it would make the clique firewall idea work to keep the existing network running if fixed. I also created #6790 (moved) for the relay descriptor submission side.

Mike - did you apply the limit rule?

I think the limit rule is a decent (but not perfect) option that we can use until it's possible to create a more resilient network topology. Right now though, module loading is disabled on turtles and the limit module is not currently loaded, so I need to reboot for that. I'll see about doing it on Monday.

Trac:
Keywords: N/A deleted, tor-auth added

Trac:
Component: Tor Directory Authority to Tor

Important to do; worthwhile to do; orthogonal to the release of an 0.2.4-stable. Should this have another component than "Tor"? Should somebody take the lead on this?

Trac:
Milestone: Tor: 0.2.4.x-final to Tor: 0.2.5.x-final

Trac:
Milestone: Tor: 0.2.5.x-final to Tor: 0.2.???

These may be worth looking at for 0.2.7.

Trac:
Milestone: Tor: 0.2.??? to Tor: 0.2.7.x-final

Trac:
Status: new to assigned

Marking some tickets as triaged-in for 0.2.7 based on early triage

Trac:
Keywords: N/A deleted, 027-triaged-1-in added

Trac:
Keywords: N/A deleted, SponsorU added
Version: N/A to Tor: 0.2.7
Points: N/A to medium

Trac:
Keywords: N/A deleted, TorCoreTeam201507 added

Trac:
Keywords: TorCoreTeam201507 deleted, N/A added

Trac:
Milestone: Tor: 0.2.7.x-final to Tor: 0.2.8.x-final

Bulk-replace SponsorU keyword with SponsorU field.

Trac:
Keywords: SponsorU deleted, N/A added
Sponsor: N/A to SponsorU

Turn most 0.2.8 "assigned" tickets with no owner into "new" tickets for 0.2.9. Disagree? Find somebody who can do it (maybe you?) and get them to take it on for 0.2.8. :)

Trac:
Status: assigned to new
Milestone: Tor: 0.2.8.x-final to Tor: 0.2.9.x-final

Trac:
Sponsor: SponsorU to SponsorU-can

tickets market to be removed from milestone 029

Trac:
Milestone: Tor: 0.2.9.x-final to Tor: 0.2.???

Remove the SponsorU status from these items, which we already decided to defer from 0.2.9. add the SponsorU-deferred tag instead in case we ever want to remember which ones these were.

Trac:
Sponsor: SponsorU-can to N/A
Keywords: N/A deleted, SponsorU-deferred added

Milestone renamed

Trac:
Milestone: Tor: 0.2.??? to Tor: 0.3.???

Finally admitting that 0.3.??? was a euphemism for Tor: unspecified all along.

Trac:
Keywords: N/A deleted, tor-03-unspecified-201612 added
Milestone: Tor: 0.3.??? to Tor: unspecified

Remove an old triaging keyword.

Trac:
Keywords: tor-03-unspecified-201612 deleted, N/A added

Trac:
Keywords: N/A deleted, 027-triaged-in added

Trac:
Keywords: 027-triaged-in deleted, N/A added

Trac:
Keywords: 027-triaged-1-in deleted, N/A added

Turns out that tor-auth is for directory authority so make it clearer with tor-dirauth

Trac:
Keywords: tor-auth deleted, tor-dirauth added

Set all open tickets without a severity to "Normal"

Trac:
Severity: N/A to Normal

mentioned in issue #2701 (moved)

mentioned in issue #6790 (moved)

moved to tpo/core/tor#2665 (closed)

mentioned in issue tpo/core/tor#6790 (closed)