#24902: Denial of Service mitigation subsystem
-------------------------------------------------------------------------
     Reporter:  dgoulet
        Owner:  dgoulet
         Type:  enhancement
       Status:  needs_review
     Priority:  Very High
    Milestone:  Tor: 0.3.3.x-final
    Component:  Core Tor/Tor
      Version:
     Severity:  Normal
   Resolution:
     Keywords:  ddos, tor-relay, review-group-30, 029-backport, 031-backport, 032-backport, review-group-31
Actual Points:
    Parent ID:
       Points:
     Reviewer:
      Sponsor:
-------------------------------------------------------------------------
Comment (by arma):

 And thus ends my review. Looking good! I've been trying to figure out if I would want to set the consensus params with these defaults -- "if 100 concurrent conns, ones after that are refused" and "90 circuits, refilled 3 per second" -- and I think yes I am comfortable with those.

 In the future, I plan to advocate for merging dos_cc_new_create_cell() and dos_cc_get_defense_type() into a single function, which notes the existence of the new create cell and also tells us whether to apply a defense. And I plan to advocate for a second cc defense, which returns DOS_CC_DEFENSE_REFUSE_CELL simply when stats->cc_stats.circuit_bucket == 0, without any marking or checking of stats->concurrent_count. I think I will want to instrument a real relay to see how often it would trigger that new defense, though, and I am happy to delay my future plans so we can get this patch out the door.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24902#comment:46>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
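A simplified model of the two circuit-creation defenses weighed in this comment, as an added example that is not Tor's code: constructed C with hypothetical names and struct layout, using the connection cap, bucket size and refill rate quoted above as defaults, while DOS_CC_MIN_CONCURRENT is an assumed marking threshold the ticket does not state. dos_cc_new_create_cell() notes a CREATE cell and marks the address when its bucket runs dry; dos_cc_get_defense_type() applies the current marking-based defense, and dos_cc_bucket_only_defense() the bucket-only variant proposed here.

```c
#include <stdint.h>
#include <stdbool.h>
/* Defaults quoted in the ticket; the min-conns threshold is an assumed value. */
#define DOS_CONN_MAX_CONCURRENT 100 /* connections beyond this are refused */
#define DOS_CC_CIRCUIT_BURST 90     /* size of the circuit-creation bucket */
#define DOS_CC_CIRCUIT_RATE 3       /* tokens refilled per second */
#define DOS_CC_MIN_CONCURRENT 3     /* assumed; not stated in the ticket */
typedef enum { DOS_CC_DEFENSE_NONE = 0, DOS_CC_DEFENSE_REFUSE_CELL } dos_cc_defense_t;
/* Hypothetical per-address state; not Tor's real struct layout. */
typedef struct {
  uint32_t concurrent_count; /* open OR connections from this address */
  uint32_t circuit_bucket;   /* remaining CREATE-cell tokens */
  uint64_t last_refill_sec;  /* when the bucket was last refilled */
  bool marked;               /* ran dry while at/over DOS_CC_MIN_CONCURRENT */
} dos_client_stats_t;

static void dos_stats_init(dos_client_stats_t *s, uint64_t now) {
  *s = (dos_client_stats_t){ 0, DOS_CC_CIRCUIT_BURST, now, false };
}

/* Connection-level defense: accept only up to the concurrency cap. */
static bool dos_conn_new_connection(dos_client_stats_t *s) {
  if (s->concurrent_count >= DOS_CONN_MAX_CONCURRENT) return false;
  s->concurrent_count++;
  return true;
}

/* Refill at DOS_CC_CIRCUIT_RATE per elapsed second, capped at the burst size. */
static void dos_cc_refill(dos_client_stats_t *s, uint64_t now) {
  uint64_t elapsed = now > s->last_refill_sec ? now - s->last_refill_sec : 0; /* clock went back: no refill */
  uint64_t total = s->circuit_bucket + elapsed * DOS_CC_CIRCUIT_RATE;
  s->circuit_bucket = total > DOS_CC_CIRCUIT_BURST ? DOS_CC_CIRCUIT_BURST : (uint32_t)total;
  s->last_refill_sec = now;
}

/* Note a CREATE cell: spend a token, or mark the address if it ran dry while busy. */
static void dos_cc_new_create_cell(dos_client_stats_t *s, uint64_t now) {
  dos_cc_refill(s, now);
  if (s->circuit_bucket > 0) { s->circuit_bucket--; return; }
  if (s->concurrent_count >= DOS_CC_MIN_CONCURRENT) s->marked = true;
}

/* Current defense: refuse CREATE cells only from a marked address. */
static dos_cc_defense_t dos_cc_get_defense_type(const dos_client_stats_t *s) {
  return s->marked ? DOS_CC_DEFENSE_REFUSE_CELL : DOS_CC_DEFENSE_NONE;
}
/* Proposed second defense: refuse whenever the bucket is empty, no marking involved. */
static dos_cc_defense_t dos_cc_bucket_only_defense(const dos_client_stats_t *s) {
  return s->circuit_bucket == 0 ? DOS_CC_DEFENSE_REFUSE_CELL : DOS_CC_DEFENSE_NONE;
}
```

The difference the relay instrumentation would measure is visible in the model: the bucket-only variant refuses as soon as the 90 tokens are gone, while the marking variant refuses only once a further CREATE cell arrives from an address that is both dry and over the concurrency threshold.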
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs