I haven't read it yet, but there's a short paper at FOCI this year
analyzing a case study of a DDoS attack on relays operated by the
authors.
"A case study on DDoS attacks against Tor relays"
Tobias Höller, René Mayrhofer
https://www.petsymposium.org/foci/2024/foci-2024-0014.php
On Mon, Jul 08,
On Mon, Dec 11, 2023 at 08:13:17PM +0100, Felix wrote:
> Thank you for the paper and the presentation.
>
> Chapter 3 (Multiple Tor processes) shows the structure:
>
> > mypt - HAproxy = multiple tor services
>
> At the end of chapter 3.1 it is written
> > the loss of country- and
On Mon, Sep 04, 2023 at 02:09:50AM -0600, David Fifield wrote:
> Linus Nordberg and I wrote a short paper that was presented at FOCI
> 2023. The topic is how to use all the available CPU capacity of a server
> running a Tor relay.
>
> This is how the Snowflake bridges are set up
On Tue, Sep 26, 2023 at 02:22:06PM +, Split via tor-relays wrote:
> I run the obfs4 bridge, in the parameters I specify to use iat-mode=2. As a
> result, the bridge is VERY, VERY SLOW. Connection speed is on average 100 kb/
> sec. When I remove the iat-mode=2 parameter, the speed becomes 8-10
On Thu, Sep 07, 2023 at 02:12:36PM +0200, telekobold wrote:
> I just want to share some quick bugfix with you (sorry if this is obvious to
> you or has been written somewhere else).
>
> Suddenly, I got the following error messages on my two bridges running on
> Debian 11 appearing in the logs (in
Linus Nordberg and I wrote a short paper that was presented at FOCI
2023. The topic is how to use all the available CPU capacity of a server
running a Tor relay.
This is how the Snowflake bridges are set up. It might also be useful
for anyone running a relay that is bottlenecked on the CPU. If you
On Thu, Jun 29, 2023 at 03:38:13PM +0100, Shelikhoo wrote:
> How to test and report issues
> -
>
> You can test the WebTunnel bridge by using the most recent version of Tor
> Browser Alpha (https://www.torproject.org/download/alpha/). Currently,
> WebTunnel is only
On Thu, Jun 01, 2023 at 01:21:30PM -0400, Roger Dingledine wrote:
> Thanks Nick! I endorse Nick's response, with two additions:
>
> On Thu, Jun 01, 2023 at 09:07:17AM -0400, Nick Mathewson wrote:
> > Onion key rotation limits the time range in which this kind of attack
> > is useful: it will only
On Thu, Jun 01, 2023 at 09:07:17AM -0400, Nick Mathewson wrote:
> On Wed, May 24, 2023 at 8:54 PM David Fifield wrote:
> [...]
> >
> > What are the risks of not rotating onion keys? My understanding is that
> > rotation is meant to enhance forward security; i.e., limit
Linus Nordberg and I have had a paper accepted to FOCI 2023 on the
special pluggable transports configuration used on the Snowflake
bridges. That design was first hashed out on this mailing list last
year.
On Mon, Dec 12, 2022 at 10:18:53PM +0100, Anders Trier Olesen wrote:
> > It is surprising, isn't it? It certainly feels like calling connect
> > without first binding to an address should have the same effect as
> > manually binding to an address and then calling connect, especially if
> > the
Linus Nordberg and I have been working together to run the main
Snowflake bridge since April 2022. We are preparing a short paper
(4 pages) for the FOCI workshop (https://foci.community/) on the special
procedures required to operate a bridge that gets the large volume of
traffic that a Snowflake
On Fri, Dec 16, 2022 at 04:27:06AM +, Gary C. New via tor-relays wrote:
> On Tuesday, December 13, 2022, 07:35:23 PM MST, David Fifield
> wrote:
>
> On Tue, Dec 13, 2022 at 07:29:45PM +, Gary C. New via tor-relays wrote:
> >> On Tuesday, December 13, 2022, 10:11:41
On Tue, Dec 13, 2022 at 07:29:45PM +, Gary C. New via tor-relays wrote:
> On Tuesday, December 13, 2022, 10:11:41 AM PST, David Fifield
> wrote:
>
> > The Snowflake proxy is not a pluggable transport. You just run it as a
> > normal command-line program. Th
On Mon, Dec 12, 2022 at 08:19:53PM +, Gary C. New via tor-relays wrote:
> I am having some issues or misunderstandings with implementing Snowflake Proxy
> within Tor. I assumed that implementing Snowflake Proxy within Tor would be
> similar to OBFS4Bridge in that Tor would initialize Snowflake
On Sun, Dec 11, 2022 at 04:25:06AM +, Gary C. New via tor-relays wrote:
> I was successfully able to get Snowflake cross-compiled and installed for
> OpenWRT and Entware as a package.
Thanks, nice work.
> # opkg files snowflake
> Package snowflake (2.4.1-1) is installed on root and has the
On Mon, Dec 12, 2022 at 12:39:50AM +0100, Anders Trier Olesen wrote:
> I wrote some tests[1] which showed behaviour I did not expect.
> IP_BIND_ADDRESS_NO_PORT seems to work as it should, but calling bind without
> it enabled turns out to be even worse than I thought.
> This is what I think is
On Sat, Dec 10, 2022 at 09:59:14AM +0100, Anders Trier Olesen wrote:
> IP_BIND_ADDRESS_NO_PORT did not fix your somewhat similar problem in your
> Haproxy setup, because all the connections are to the same dst tuple port>
> (i.e 127.0.0.1:ExtORPort).
> The connect() system call is looking for a
On Sat, Dec 10, 2022 at 05:19:43AM +, Gary C. New via tor-relays wrote:
> I'm in the process of trying to cross-compile snowflake for OpenWRT and
> Entware. Are there any other dependencies to compile snowflake other than Go?
The README should list dependencies. Setting GOOS and GOARCH should
On Fri, Dec 09, 2022 at 08:43:26AM +, Gary C. New wrote:
> In my implementation of the loadbalanced OBFS4 configuration, it appears that
> BridgeDB still tests the ORPort for availability and without it marks the
> OBFS4 bridge as being down.
I see. Then yes, I suppose it is still necessary
On Fri, Dec 09, 2022 at 10:16:47AM +0100, Toralf Förster wrote:
> On 12/9/22 07:02, David Fifield wrote:
> > But now there is rdsys and bridgestrap, which may have the ability to
> > test the obfs4 port rather than the ORPort. I cannot say whether that
> > removes the
On Fri, Dec 09, 2022 at 09:47:07AM +, Alexander Færøy wrote:
> On 2022/12/01 20:35, Christopher Sheats wrote:
> > Does anyone have experience troubleshooting and/or fixing this problem?
>
> Like I wrote in [1], I think it would be interesting to hear if the
> patch from pseudonymisaTor in
On Fri, Dec 09, 2022 at 01:09:05AM +, Gary C. New wrote:
> Is it truly necessary to expose the ORPort to the World in a pluggable
> transport configuration?
I don't know if it is necessary for ordinary bridges to expose the
ORPort. For a long time, it was necessary, because BridgeDB used the
On Fri, Oct 14, 2022 at 06:08:38PM +0200, Toralf Förster wrote:
> On 10/14/22 11:28, meskio wrote:
> > The latest version of obfs4proxy (0.0.14) comes with an important security
> > fix.
>
> Is there a Changelog available ?
The below issue, which is currently confidential, has details of what
On Fri, Mar 04, 2022 at 09:40:01PM +, Gary C. New wrote:
> I see that the metrics change has been reverted.
>
> If/When the metrics change is implemented, will loadbalanced Tor Relay Nodes
> need to be uniquely named or will they all be able to use the same nickname?
When I made my own
On Thu, Mar 03, 2022 at 08:13:34PM +, Gary C. New wrote:
> Has Tor Metrics implemented your RFC related to Written Bytes per Second and
> Read Bytes per Second on Onionoo?
>
> As of the 27th of February, I've noticed a change in reporting that accurately
> reflects the aggregate of my Tor
The load-balanced Snowflake bridge is running in production since
2022-01-31. Thanks Roger, Gary, Roman for your input.
Hopefully reproducible installation instructions:
On Sat, Jan 29, 2022 at 02:54:40AM +, Gary C. New via tor-relays wrote:
> > > From your documentation, it sounds like you're running everything on the
> > > same machine? When expanding to additional machines, similar to the file
> > > limit issue, you'll have to expand the usable ports as
> On the matter of onion key rotation, I had the idea of making the onion key
> files read-only. Roger did some source code investigation and said that it
> might work to prevent onion key rotation, with some minor side effects. I
> plan to give the idea a try on a different bridge. The
> With regard to loadbalanced Snowflake sessions, I'm curious to know what
> connections (i.e., inbound, outbound, directory, control, etc) are being
> displayed within nyx?
I'm not using nyx. I'm just looking at the bandwidth on the network
interface.
> Your Heartbeat logs continue to appear
On Tue, Jan 25, 2022 at 11:21:10PM +, Gary C. New via tor-relays wrote:
> It's nice to see that the Snowflake daemon offers a native configuration
> option for LimitNOFile. I ran into a similar issue with my initial
> loadbalanced Tor Relay Nodes that was solved at the O/S level using
The DNS record for the Snowflake bridge was switched to a temporary staging
server, running the load balancing setup, at 2022-01-25 17:41:00. We were
debugging some initial problems until 2022-01-25 18:47:00. You can read about
it here:
On Tue, Jan 04, 2022 at 11:57:36PM -0500, Roger Dingledine wrote:
> Hm. It looks promising! But we might still have a Tor-side problem remaining.
> I think it boils down to how long the KCP sessions last.
>
> The details on how exactly these bridge instances will diverge over time:
>
> The keys
On Thu, Dec 30, 2021 at 10:42:51PM -0700, David Fifield wrote:
> One complication we'll have to work out is that ptadapter doesn't have a
> setting for ExtORPort forwarding. ptadapter absorbs any ExtORPort
> information and forwards an unadorned connection onward. The idea I had
>
On Mon, Dec 27, 2021 at 04:00:34PM -0500, Roger Dingledine wrote:
> On Mon, Dec 27, 2021 at 12:05:26PM -0700, David Fifield wrote:
> > I have the impression that tor cannot use more than one CPU core -- is that
> > correct? If so, what can be done to permit a bridge to scale beyond
The main Snowflake bridge
(https://metrics.torproject.org/rs.html#details/5481936581E23D2D178105D44DB6915AB06BFB7F)
is starting to become overloaded, because of a recent substantial
increase in users. I think the host has sufficient CPU and memory
headroom, and pluggable transport process (that
On Mon, Aug 20, 2018 at 02:25:40PM -0400, Nathaniel Suchy wrote:
> Interesting. Is there any reason to not use an obfuscated bridge?
No, not really. obfs4 resists active probing without any special
additional steps. But I can think of one reason why the MSS trick is
worth trying, anyway. Due to a
On Sun, Aug 19, 2018 at 07:41:26PM -0400, Nathaniel Suchy wrote:
> Is China successfully probing OBFS4 bridges? Or does this apply more to non
> obfs bridges?
China doesn't dynamically probe obfs4 bridges. (More precisely: they may
try to probe, but the probes don't result in blocks for obfs4.)
A paper from FOCI 2018 by Arun Dunna, Ciarán O'Brien, and Phillipa Gill
on the subject of Tor bridge blocking in China has this interesting
suggestion (Section 5.2):
https://www.usenix.org/conference/foci18/presentation/dunna
To do this, we write a series specific rules using iptables in