Opened 7 years ago

Closed 4 years ago

#6800 closed defect (wontfix)

An attacker can flood network with new relays to make us stop using bwauth weights

Reported by: arma Owned by:
Priority: High Milestone: Tor: 0.2.8.x-final
Component: Core Tor/Tor Version: Tor: 0.2.7
Severity: Normal Keywords: tor-relay, 027-triaged-1-in, pre028-patch
Cc: Actual Points:
Parent ID: Points: medium/large
Reviewer: Sponsor: SponsorU

Description

The bwauths don't write out any opinions if they have stats on less than some fraction (60%) of the relays.

So an attacker could induce this result by signing up n new relays to go with the n current relays, causing all the bwauths to stop outputting opinions.

In the current case that means we default to using the values in the relay descriptors. Inefficient but not so bad.

In the future case (once we merge #2286), it means we default to capping all new relays to a low number until the bwauths catch up again.

Authorities are willing to use the last published opinions file for 3 days before they give up on it.

Is this a stable enough defense? During the flood the already-established relays would continue to have the most recent bwauth weights, and the bwauths have 3 days to catch up. Sounds plausible, but I'd like a few more opinions.

Child Tickets

Change History (14)

comment:1 Changed 7 years ago by arma

Status: newneeds_review

Putting in needs_review, where the suggested patch is the empty set.

comment:2 Changed 7 years ago by nickm

Keywords: tor-relay added

comment:3 Changed 7 years ago by nickm

Component: Tor RelayTor

comment:4 Changed 6 years ago by nickm

Milestone: Tor: 0.2.4.x-finalTor: 0.2.5.x-final

comment:5 Changed 6 years ago by nickm

Milestone: Tor: 0.2.5.x-finalTor: 0.2.???

comment:6 Changed 5 years ago by nickm

Milestone: Tor: 0.2.???Tor: 0.2.7.x-final

These might also be worth looking at in 0.2.7

comment:7 Changed 4 years ago by nickm

Keywords: 027-triaged-1-in added

Marking some tickets as triaged-in for 0.2.7 based on early triage

comment:8 Changed 4 years ago by isabela

Keywords: SponsorU added
Points: medium/large
Priority: normalmajor
Version: Tor: 0.2.7

comment:9 Changed 4 years ago by nickm

Milestone: Tor: 0.2.7.x-finalTor: 0.2.8.x-final

comment:10 Changed 4 years ago by nickm

Keywords: SponsorU removed
Sponsor: SponsorU

Bulk-replace SponsorU keyword with SponsorU field.

comment:11 Changed 4 years ago by Sebastian

It seems to me like the real fix is on the bwauth side, where instead of saying "bail, we have less than 60% of relays measured" we should say "don't bail, we have less than 60% of relays measured but more than X% of relays measured that we can reasonably be expected to have measured by now"

comment:12 Changed 4 years ago by nickm

Keywords: pre028-patch added

comment:13 Changed 4 years ago by teor

Severity: Normal

I think this is ok to be closed with "wontfix" (no patch).

This is really a bwauth issue, and could be fixed there by Sebastian's change, or by allowing us to use less than 60% measured for a few days while we catch up.

(Another alternative is to just re-use the old bwauth output.)

comment:14 Changed 4 years ago by dgoulet

Resolution: wontfix
Status: needs_reviewclosed

Ack to close here. This should be pushed on the bwauth side.

I'll act on the ticket status and we'll reopen if we think we need another direction. Although, at some point we might want to have a "bwauth" component if it does still stay outside of little-t tor.

Note: See TracTickets for help on using tickets.