Version 83 (modified by trac, 10 years ago) (diff)


Hacking Firefox for Maximum Performance with Tor


Tor is known for being secure but slow. If you want to improve browsing speed a bit, please follow the following simple instructions for tweaking the Firefox web browser's settings:

Procedure 1

First, open Firefox's advanced settings menu by running about:config from the address bar. Upon entering this address, you will see a long list of internal settings. Modify the following ones and set them to the suggested values shown here for maximum performance:

network.http.keep-alive.timeout:600 (300ms default is OK usually, but 600 is better.)
network.http.max-persistent-connections-per-proxy:16 (Default is 4)
network.http.pipelining:true (Default- false. Some old HTTP/1.0 servers can't handle it.)
network.http.pipelining.maxrequests:8 (No default)
network.http.proxy.keep-alive:true (Default- true, but double check)
network.http.proxy.pipelining:true (Default- false) }}}
Afterwards, just restart the browser and experience the difference! For some automated additional performance hacks, check out [ FireTune]. Currently, Fire{{{}}}Tune is only for Win32, but you can do the same tweaks manually with the help of [ this page].

== Procedure 2 - an update and addendum to Procedure 1 ==
These results were arrived at empirically, using the win32 bundle, Tor & Privoxy & Vidalia bundle:

 * [ Tor Button]
 * [http:// Configuration Mania for Firefox]
 * [ TCPOptimizer (win32)]
 * [ Event ID 4226 Patcher (win32)]

=== Tor Button - enable / disable Tor access in FireFox ===
This provides an optional button or text in the bottom right of the browser window in Firefox. This allows you to switch Tor on and off.

=== Configuration Mania - Modify performance related settings in FireFox ===
This plugin modifies the networking and cache settings for Firefox. When you load Configuration Mania, select the HTTP Network settings tab.

 * Tor does not work well at all with HTTP1.1 connections from firefox Ensure HTTP 1.1 for proxy connections is disabled for proxy connections.
 * Tor does not work well with pipelining. Ensure this option is not enabled for proxy connections.
 * Tor does not work well with Persistent HTTP connections. Ensure this option is disabled for proxy connections.
NOTE: Do not use page prefetching. Disable this if it is enabled. Prefetching is a speculative feature, which assumes that you will need the pages referenced by the links in the current page you are viewing. This places undue load on the Tor network.

=== TCPOptimizer -  2K/XP's throughput (win32) ===
Windows XP has a self-tuning IP stack, but it can still benefit from a little help. Using the TCP Optimiser tool from above you can tune the RWIN, SACK OPTS (rfc 2038), and tcp1323opts controlling window scaling. The tool has one button optimise. This setting is sufficient to benefit from immediate increases to Tor throughput. To increase throughput further you can try experimenting with lower values of the IP TTL (Time To Live). Values as low as 32 will work and result in improved performance. Also try experimenting with smaller TCPWindowSizes. This setting is automatically adjusted when you move the slider marked 'Connection Speed' of the TCPOptimizer  tool.

=== Event ID 4226 Pathcer - Remove the limit on TCP connection attempts XP SP2 (win32) ===
[ Remove the limit on TCP connection attempts] has an interesting article detailing this restriction introduced in XP SP2. Microsoft have restricted the amount of half-open TCP/IP connections with the proviso that it would reduce the pace that worms spread. As noted by SpeedGuide, internet worms spread isotropically (multi-directionally) and so their infecton rate is exponential. As such, placing a constant (limit) on the rate of connection creation for every computer running XP SP2 will slow the rate of worms spreading (for that group of computers) but not by much. Consider the population of humans on the planet. Its over ~6 billion.

Supposing all these people are running Windows XP SP2, with rate limited half-open connections. Rate limiting is set to 10 half-open connections per second. To infect the entire population of computers would take: We are assuming optimum forward infection here. In the first second we have infected 10 machines. The 2nd second to elapse will cause (10 x 10) + 10 = 110 computers to be infected. The 3rd second to elapse would cause:

 . ( (10 x 10) x 10 ) + (10 * 10) + 10 =  1110 computers to be infected. So the number of computers infected for every second that elapses is : computers infected = ~ 10 ^ elapsedSeconds
In 12 seconds, we would have 10 ^ 12 = 1 billion computers infected. Full infection occurs before 13 seconds have elapsed !

This is all skewed by network topologies and routing algorithms, but they would affect a non-limited network in an identical manner. So the affect is a theoretical maximum of 13 seconds of additional notice to act against the worm. To all intents and purposes, this is useless.

Of much more interest is the effect on ANY network that relies on many open connections, such as Tor and a host of P2P applications. The effect here is a slow down of communications, with the limit acting as the catalyst.

Use the Event ID 4226 Patcher to mitigate against this.

== Procedure 3 - A Tor SLA (Service Level Agreement) ==
If you follow the previous authors work you should have well performing access. To go that bit further lets consider the ideal behaviour of our Tor client.

You will need: [ The on-line reference to Tor properties, that can be placed in torrc.] Always back up this file before editing.

Lets think of a Service Level requirement we might like to place on our Tor client.

 * we want it to establish circuits as quickly as possible. If it takes too long ignore them, by timing out the building of circuits quickly.
 * now we have circuit build time-outs occuring more frequently as we don't wait too long for circuits to establish, we need to encourage Tor to try to generate circuits more often.
 * Once we have established a circuit, we are assuming its a good one and we dont want it being timed out by firewalls or anything else. We need to make sure a ping occurs on the circuit to prevent this.
Given this SLA, lets come up with some properties that may help satisfy it.

 * CircuitBuildTimeout NUM
  . Try for at most NUM seconds when building circuits. If the circuit isn't open in that time, give up on it. (Default: 1 minute.) Force circuits that are quick to establish and thus likely to push traffic more quickly. Values as low as 2 seconds have been tried with good results, although the author is not sure on the effect on anonymity.
 * KeepalivePeriod NUM
  . To keep firewalls from expiring connections, send a padding keepalive cell every NUM seconds on open connections that are in use. If the connection has no open circuits, it will instead be closed after NUM seconds of idleness. (Default: 5 minutes)
 * NewCircuitPeriod NUM
  . Every NUM seconds consider whether to build a new circuit. (Default: 30 seconds) Lets make Tor ready to establish a new circuit more readily.
The values to populate torrc with are as follows.

 * CircuitBuildTimeout 5 (or values as low as 2)
 * KeepalivePeriod 60
 * NewCircuitPeriod 15
== Bringing it all together - a typical configuration file for Windows ==
# This file was generated by Tor; if you edit it, comments will not be
# preserved The old torrc file was renamed to torrc.orig.1 or similar,
# and Tor will ignore it
# The advertised (external) address we should use.
# Limit the maximum token buffer size (also known as burst) to the
# given number of bytes.
BandwidthBurst 8192KB
# A token bucket limits the average incoming bandwidth on this node to
# the specified number of bytes per second.
BandwidthRate 4096KB
# MaxAdvertisedBandwidth N bytes|KB|MB|GB|TB If set, we will not
# advertise more than this amount of bandwidth for our BandwidthRate.
# Server operators who want to reduce the number of clients who ask
# to build circuits through them (since this is proportional to
# advertised bandwidth rate) can thus reduce the CPU demands on their
# server without impacting network performance.
MaxAdvertisedBandwidth 50KB
# Administrative contact information to advertise for this server.
ContactInfo NAME at ISP dot com
# Try for at most NUM seconds when building circuits. If the circuit
# isn't open in that time, give up on it. (Default: 1 minute.)
CircuitBuildTimeout 5
# If set, Tor will accept connections from the same machine (localhost
# only) on this port, and allow those connections to control the Tor
# process using the Tor Control Protocol (described in control-spec.txt).
ControlPort 9051
# Serve directory information from this port, and act as a directory
# cache.
DirPort 9030
# Send a padding cell every N seconds to keep firewalls from closing
# our connections while Tor is not in use.
KeepalivePeriod 60
# Where to send logging messages.  Format is:
# Log minSeverity[-maxSeverity] (stderr|stdout|syslog|file FILENAME).
Log notice stdout
# Force Tor to consider whether to build a new circuit every NUM
# seconds.
NewCircuitPeriod 15
# Set the server nickname.
# Advertise this port to listen for connections from Tor clients and
# servers.
ORPort 9001
# Let a socks connection wait NUM seconds unattached before we fail
# it. (Default: 2 minutes.)
SocksTimeout 30
# If we have keept a clean (never used) circuit around for NUM
# seconds, then close it. This way when the Tor client is entirely
# idle, it can expire all of its circuits, and then expire its TLS
# connections. Also, if we end up making a circuit that is not useful
# for exiting any of the requests we're receiving, it won't forever
# take up a slot in the circuit list. (Default: 1 hour.)
CircuitIdleTimeout 600
# If UseEntryGuards is set to 1, we will try to pick a total of NUM
# routers as long-term entries for our circuits. (Defaults to 3.)
#NumEntryGuards NUM
NumEntryGuards 8
== The proof is in the pudding ==
With the changes made from Procedure 2 and 3, and a 2Mb connection, you can realise a sustained throughput of >100k, peaking at ~256k, with a ping response time of between 250 and 900ms. Tor at version 0.1.2.x uses an Asynchronous DNS resolver, the DNS tips above are still indeterminate for Tor traffic.

These figures were arrived at by using [ |]

Attachments (1)

Download all attachments as: .zip