Opened 8 weeks ago

Last modified 4 weeks ago

#33156 assigned defect

DoS subsystem should compare IPv6 /64

Reported by: teor
Owned by: neel
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: security-?, tor-relay, tor-dirauth, dos
Cc: dgoulet, nickm
Actual Points:
Parent ID:
Points: 2
Reviewer:
Sponsor:

Description

s7r writes:

Our internal DoS defense subsystem should also treat prefixes instead of
addresses, because right now with a client with a /64 public IPv6 prefix
assigned to it I could hammer via IPv6 guards without triggering the DoS
defense.

https://lists.torproject.org/pipermail/tor-dev/2020-February/014144.html

We could make this change by:

  • only putting the first /64 of each IPv6 address in the filter list, and
  • only checking the first /64 of each new IPv6 connection
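
The two steps proposed above, as an added example that is not part of the ticket and not Tor's own code: a small connection counter keyed either on the full IPv6 address or on its first 64 bits. The names `tracker_note_conn`, `run_sample` and `CONN_LIMIT`, the threshold value, and the sample addresses (taken from the 2001:db8::/32 documentation range) are constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_KEYS 64
#define CONN_LIMIT 3 /* constructed threshold for this example, not a Tor default */

struct counter { uint8_t key[16]; unsigned count; };
struct tracker { struct counter slots[MAX_KEYS]; size_t used; int mask64; };

/* Build the lookup key: the full address, or only its first 64 bits. */
static int make_key(const char *text, int mask64, uint8_t out[16]) {
    struct in6_addr a;
    if (inet_pton(AF_INET6, text, &a) != 1) return -1;
    memcpy(out, a.s6_addr, 16);
    if (mask64) memset(out + 8, 0, 8); /* zero the interface identifier */
    return 0;
}

/* Count one new connection. Returns 1 if its key is over the limit,
 * 0 if not, -1 on a parse error or a full table. */
int tracker_note_conn(struct tracker *t, const char *text) {
    uint8_t key[16];
    if (make_key(text, t->mask64, key) != 0) return -1;
    for (size_t i = 0; i < t->used; i++)
        if (memcmp(t->slots[i].key, key, 16) == 0)
            return ++t->slots[i].count > CONN_LIMIT;
    if (t->used == MAX_KEYS) return -1; /* table full */
    memcpy(t->slots[t->used].key, key, 16);
    t->slots[t->used++].count = 1;
    return 0;
}

/* Constructed sample: five sources in one /64, one in a neighbouring /64.
 * Returns how many connections were flagged as over the limit. */
int run_sample(int mask64) {
    static const char *sample[] = {
        "2001:db8:1:2::1", "2001:db8:1:2::2", "2001:db8:1:2:aaaa::3",
        "2001:db8:1:2:ffff:ffff:ffff:ffff", "2001:db8:1:2::5", "2001:db8:1:3::1" };
    struct tracker t = { .mask64 = mask64 };
    int flagged = 0;
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        if (tracker_note_conn(&t, sample[i]) == 1) flagged++;
    return flagged;
}

int main(void) {
    printf("per-address: %d flagged, per-/64: %d flagged\n", run_sample(0), run_sample(1));
    return 0;
}
```

Keyed on full addresses, every source in the sample gets its own counter and nothing reaches the limit; keyed on the /64, the five sources in the same prefix share one counter and the fourth and fifth connections are flagged.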

Child Tickets

Change History (4)

comment:1 Changed 6 weeks ago by neel

Owner: set to neel
Status: new → assigned

comment:2 Changed 4 weeks ago by neel

Owner: neel deleted

comment:3 Changed 4 weeks ago by neel

Status: assigned → new

comment:4 Changed 4 weeks ago by neel

Owner: set to neel
Status: new → assigned