Opened 8 years ago

Last modified 13 months ago

#2665 new task

Create a dirauth DoS response procedure

Reported by: mikeperry
Owned by:
Priority: High
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version: Tor: 0.2.7
Severity: Normal
Keywords: SponsorU-deferred, tor-dirauth
Cc:
Actual Points:
Parent ID: #2664
Points: medium
Reviewer:
Sponsor:

Description (last modified by mikeperry)

We have the technical ability right now to rapidly rotate up to n-1 of the directory authorities to new IP addresses and new intermediate keys, simply by updating torrc files of dirauths. So long as at least one directory authority remains listening on its old IP address and is aware of the other directory authorities' new locations, it should still be possible to both produce a consensus and distribute it to new clients.

We should clearly document this procedure so we can execute it quickly if a majority of the Tor directory authorities fall victim to a DoS or compromise.

We should also consider altering client bundles to ship with a reduced consensus or descriptor set of ultra high-uptime directory mirrors, so that in the future we can rotate all n directory authorities without issue.

Change History (36)

comment:1 Changed 8 years ago by mikeperry

Description: modified (diff)

comment:2 Changed 8 years ago by mikeperry

It appears Iran has just blocked the directory authorities, which may require us to distribute a list of super-stable dir mirrors to clients anyway. So I'm thinking we might even go for gold on this one.

If we design this right, we can protect the dirauths from DoS by allowing them to write iptables rules to block contact with anyone but each other and the list of approved dir mirrors.

comment:3 Changed 8 years ago by arma

Component: Tor Relay → Tor Directory Authority

comment:4 Changed 8 years ago by nickm

Milestone: Tor: 0.2.3.x-final

comment:5 Changed 7 years ago by nickm

Milestone: Tor: 0.2.3.x-final → Tor: 0.2.4.x-final
Priority: normal → major

comment:6 Changed 6 years ago by mikeperry

Instead of relocation, a lighter-weight alternative that should be easier to deploy in an emergency is to create a clique firewall topology, so the dirauths can only talk to each other and a set of high-bandwidth, high-uptime dir mirrors.

This might be easier to deploy as an emergency response. However, without at least one of the dirauths being publicly reachable, we'd still have no way to bootstrap new clients without shipping them with some kind of cached consensus.

comment:7 Changed 6 years ago by mikeperry

Summary: Create a dirauth rotation procedure → Create a dirauth DoS response procedure

comment:8 Changed 6 years ago by ioerror

Add iptables limiting rules in general for all connections - I get by with 6 per minute from a given ip and it seems to be fine. I bet dozens would also be fine.

comment:9 Changed 6 years ago by ioerror

Here's an example limit rule:

iptables -A INPUT -p tcp --dport $DIRPORT -m limit --limit 100/minute --limit-burst 666 -j ACCEPT
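
An added example, not part of the ticket or of Tor's own tooling: a POSIX shell function that prints (but does not load) an iptables-restore ruleset for the two ideas in comments 6 and 8, a clique allowlist on the DirPort and a limit of 6 new connections per minute per source address. The addresses, the DIRAUTH chain name, the function name and the file name are assumptions, and it covers inbound DirPort traffic only.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset; it never touches the live firewall.
# Addresses are constructed (RFC 5737 documentation ranges), not real dirauths or mirrors.
PEER_DIRAUTHS="192.0.2.10 192.0.2.11"            # assumed: the other dirauths
APPROVED_MIRRORS="198.51.100.20 198.51.100.21"   # assumed: approved dir mirrors

# gen_dirauth_rules MODE DIRPORT
#   clique    - only peers and approved mirrors may open connections to DIRPORT
#   ratelimit - any source may connect, at most 6 new connections/minute each
gen_dirauth_rules() {
    mode=$1 dirport=$2
    case $mode in
        clique|ratelimit) ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    case $dirport in
        ''|*[!0-9]*) echo "invalid port: $dirport" >&2; return 2 ;;
    esac
    if [ "$dirport" -lt 1 ] || [ "$dirport" -gt 65535 ]; then
        echo "port out of range: $dirport" >&2; return 2
    fi
    echo "*filter"
    echo ":DIRAUTH - [0:0]"
    # Only new inbound DirPort connections enter the chain.
    echo "-A INPUT -p tcp --dport $dirport -m conntrack --ctstate NEW -j DIRAUTH"
    if [ "$mode" = clique ]; then
        for ip in $PEER_DIRAUTHS $APPROVED_MIRRORS; do
            echo "-A DIRAUTH -s $ip -j ACCEPT"
        done
    else
        # hashlimit keeps one token bucket per source address; the plain
        # "limit" match keeps a single bucket shared by all sources.
        echo "-A DIRAUTH -m hashlimit --hashlimit-name dirport" \
             "--hashlimit-mode srcip --hashlimit-upto 6/minute" \
             "--hashlimit-burst 6 -j ACCEPT"
    fi
    # The ACCEPT rules restrict nothing unless unmatched packets are dropped.
    echo "-A DIRAUTH -j DROP"
    echo "COMMIT"
}

# Stand-alone use (hypothetical file name): sh dirauth-rules.sh clique 80
if [ $# -gt 0 ]; then gen_dirauth_rules "$@"; fi
```

Piping the output to `iptables-restore --test` parses the ruleset without committing it.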

comment:10 Changed 6 years ago by mikeperry

#572 sounds like it would make the clique firewall idea work to keep the existing network running if fixed. I also created #6790 for the relay descriptor submission side.

comment:11 Changed 6 years ago by ioerror

Mike - did you apply the limit rule?

comment:12 Changed 6 years ago by mikeperry

I think the limit rule is a decent (but not perfect) option that we can use until it's possible to create a more resilient network topology. Right now though, module loading is disabled on turtles and the limit module is not currently loaded, so I need to reboot for that. I'll see about doing it on Monday.

comment:13 Changed 6 years ago by nickm

Keywords: tor-auth added

comment:14 Changed 6 years ago by nickm

Component: Tor Directory Authority → Tor

comment:15 Changed 6 years ago by nickm

Milestone: Tor: 0.2.4.x-final → Tor: 0.2.5.x-final

Important to do; worthwhile to do; orthogonal to the release of an 0.2.4-stable. Should this have another component than "Tor"? Should somebody take the lead on this?

comment:16 Changed 5 years ago by nickm

Milestone: Tor: 0.2.5.x-final → Tor: 0.2.???

comment:17 Changed 4 years ago by nickm

Milestone: Tor: 0.2.??? → Tor: 0.2.7.x-final

These may be worth looking at for 0.2.7.

comment:18 Changed 4 years ago by nickm

Status: new → assigned

comment:19 Changed 4 years ago by nickm

Keywords: 027-triaged-1-in added

Marking some tickets as triaged-in for 0.2.7 based on early triage

comment:20 Changed 4 years ago by isabela

Keywords: SponsorU added
Points: medium
Version: Tor: 0.2.7

comment:21 Changed 3 years ago by nickm

Keywords: TorCoreTeam201507 added

comment:22 Changed 3 years ago by nickm

Keywords: TorCoreTeam201507 removed

comment:23 Changed 3 years ago by nickm

Milestone: Tor: 0.2.7.x-final → Tor: 0.2.8.x-final

comment:24 Changed 3 years ago by nickm

Keywords: SponsorU removed
Sponsor: SponsorU

Bulk-replace SponsorU keyword with SponsorU field.

comment:25 Changed 3 years ago by nickm

Milestone: Tor: 0.2.8.x-final → Tor: 0.2.9.x-final
Status: assigned → new

Turn most 0.2.8 "assigned" tickets with no owner into "new" tickets for 0.2.9. Disagree? Find somebody who can do it (maybe you?) and get them to take it on for 0.2.8. :)

comment:26 Changed 3 years ago by isabela

Sponsor: SponsorU → SponsorU-can

comment:27 Changed 3 years ago by isabela

Milestone: Tor: 0.2.9.x-final → Tor: 0.2.???

Tickets marked to be removed from milestone 029

comment:28 Changed 3 years ago by nickm

Keywords: SponsorU-deferred added
Sponsor: SponsorU-can

Remove the SponsorU status from these items, which we already decided to defer from 0.2.9. Add the SponsorU-deferred tag instead in case we ever want to remember which ones these were.

comment:29 Changed 2 years ago by teor

Milestone: Tor: 0.2.??? → Tor: 0.3.???

Milestone renamed

comment:30 Changed 2 years ago by nickm

Keywords: tor-03-unspecified-201612 added
Milestone: Tor: 0.3.??? → Tor: unspecified

Finally admitting that 0.3.??? was a euphemism for Tor: unspecified all along.

comment:31 Changed 19 months ago by nickm

Keywords: tor-03-unspecified-201612 removed

Remove an old triaging keyword.

comment:32 Changed 19 months ago by nickm

Keywords: 027-triaged-in added

comment:33 Changed 19 months ago by nickm

Keywords: 027-triaged-in removed

comment:34 Changed 19 months ago by nickm

Keywords: 027-triaged-1-in removed

comment:35 Changed 19 months ago by dgoulet

Keywords: tor-dirauth added; tor-auth removed

Turns out that tor-auth is for directory authority so make it clearer with tor-dirauth

comment:36 Changed 13 months ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"
