Opened 6 months ago

Last modified 4 months ago

#33156 assigned defect

DoS subsystem should compare IPv6 /64

Reported by: teor
Owned by: neel
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: security-?, tor-relay, tor-dirauth, dos
Cc: dgoulet, nickm
Actual Points:
Parent ID:
Points: 2
Reviewer:
Sponsor:

Description

s7r writes:

Our internal DoS defense subsystem should also treat prefixes instead of
addresses, because right now with a client with a /64 public IPv6 prefix
assigned to it I could hammer via IPv6 guards without triggering the DoS
defense.

https://lists.torproject.org/pipermail/tor-dev/2020-February/014144.html

We could make this change by:

  • only putting the first /64 of each IPv6 address in the filter list, and
  • only checking the first /64 of each new IPv6 connection
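
An illustration of the two steps listed above, added here as an example and not taken from Tor's source: a per-client connection counter that stores and compares only the first 64 bits of each IPv6 address. The table, the threshold and all names are hypothetical, and the addresses are constructed from the 2001:db8::/32 documentation range.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CLIENTS 64     /* hypothetical table size */
#define CONN_THRESHOLD 3   /* hypothetical per-client connection limit */

struct client_entry { uint8_t key[8]; unsigned conns; int used; };
static struct client_entry clients[MAX_CLIENTS];

/* Count a new IPv6 connection against its /64 prefix.
 * Returns 1 if the prefix is now over the limit, 0 if not,
 * -1 if the address does not parse or the table is full. */
int note_ipv6_conn(const char *addr_str) {
    struct in6_addr addr;
    struct client_entry *slot = NULL;

    if (inet_pton(AF_INET6, addr_str, &addr) != 1)
        return -1;
    /* Only the first 8 bytes (the /64) are stored and compared, so every
     * address inside one /64 lands on the same entry. */
    for (int i = 0; i < MAX_CLIENTS; i++) {
        if (clients[i].used && memcmp(clients[i].key, addr.s6_addr, 8) == 0) {
            slot = &clients[i];
            break;
        }
        if (!clients[i].used && slot == NULL)
            slot = &clients[i];   /* remember the first free slot */
    }
    if (slot == NULL)
        return -1;
    if (!slot->used) {
        memcpy(slot->key, addr.s6_addr, 8);
        slot->used = 1;
    }
    slot->conns++;
    return slot->conns > CONN_THRESHOLD;
}

int main(void) {
    /* Constructed sample: four source addresses from one /64. */
    const char *srcs[] = { "2001:db8:1:2::1", "2001:db8:1:2:a:b:c:d",
                           "2001:db8:1:2:ffff::9", "2001:db8:1:2::2" };
    for (int i = 0; i < 4; i++)
        printf("%s -> %d\n", srcs[i], note_ipv6_conn(srcs[i]));
    return 0;
}
```

Keyed on the full 128-bit address, each of the four sample sources would sit at a count of 1; keyed on the /64, the fourth connection crosses the limit.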

Change History (6)

comment:1 Changed 6 months ago by neel

Owner: set to neel
Status: changed from new to assigned

comment:2 Changed 5 months ago by neel

Owner: neel deleted

comment:3 Changed 5 months ago by neel

Status: changed from assigned to new

comment:4 Changed 5 months ago by neel

Owner: set to neel
Status: changed from new to assigned

comment:5 Changed 4 months ago by neel

One question: may I please know which functions in the code correspond to the filter list?

comment:6 in reply to:  5 Changed 4 months ago by teor

Replying to neel:

One question: may I please know which functions in the code correspond to the filter list?

I'm not sure either.
What have you done to try to find these functions?

There are modules, files, and functions that have "dos" in the name.
Which ones do you think you need to modify?
