#27921: apparent DOS / impairment-of-service against FallbackDirs using DIR
requests, please evaluate for possible mitigation
--------------------------+------------------------------------
 Reporter:  starlight     |          Owner:  (none)
     Type:  enhancement   |         Status:  new
 Priority:  Medium        |      Milestone:  Tor: unspecified
Component:  Core Tor/Tor  |        Version:  Tor: 0.3.4.1-alpha
 Severity:  Normal        |     Resolution:
 Keywords:  tor-dos       |  Actual Points:
Parent ID:                |         Points:
 Reviewer:                |        Sponsor:
--------------------------+------------------------------------

Comment (by starlight):

Replying to [comment:11 teor]:
> > perhaps they are simply causing trouble the way the circuit extend
> > idiots were (same idiots, likely as not). Requests all originate from
> > direct attached clients, a pool of rotating IPs in South America and
> > SE Asia--botnet if you ask me.
>
> Are they all in the same AS? Or a small set of ASes?
> Are the ASes ISPs or VPS providers?

Early this year the IPs were mostly in residential dynamic IP ranges in
countries notorious for running ancient WinXP and/or pirated other Windows
systems, also notorious for botnets due to the ease with which such systems
are infected and kept in that state. No particular ASes, just general
regions with a residential profile. Some IPs on the CBL, some not. Smells
like botnet-for-hire. A few dozen IPs per week in constant rotation.

Certainly the same MO now, only difference is the upgrade from DIR to
DIR-over-OR request path. I ran the info logging scriptlet from earlier and
observed the request pattern was identical, inspiring me to disable the
target code path.

> > . . .the connections serving the requests generally have back-pressure
> > and standing send-Q bytes

Possibly this is the point. Maybe it biases KIST somehow and facilitates a
subtle traffic analysis attack of some kind.

> We already limit connections and circuits per IP address. Maybe we should
> limit directory requests as well.

What I was thinking when opening this ticket ;-)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27921#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
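
Added example, not part of the ticket and not Tor source code: a per-client-address token bucket of the kind the comment proposes for directory requests, replayed over a constructed request timeline. The rate, burst and table-size values, all function and type names, and the sample addresses are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Assumed values for illustration, not Tor defaults. */
#define DIR_RATE_PER_SEC 2    /* refill, requests per second */
#define DIR_BURST        5    /* bucket depth, requests */
#define MAX_CLIENTS      64   /* tracked addresses */
#define COST             1000 /* one request, in milli-tokens */
#define FULL ((uint64_t)DIR_BURST * COST)

static struct dir_bucket { uint32_t addr; uint64_t last_ms, milli; int used; }
  table[MAX_CLIENTS];

/* Find addr's bucket, else claim a free slot, else evict the longest-idle
 * entry so that a full table never locks out new clients. */
static struct dir_bucket *bucket_for(uint32_t addr, uint64_t now_ms) {
  struct dir_bucket *victim = &table[0];
  for (int i = 0; i < MAX_CLIENTS; i++) {
    struct dir_bucket *b = &table[i];
    if (b->used && b->addr == addr) return b;
    if (!victim->used) continue;          /* already holding a free slot */
    if (!b->used || b->last_ms < victim->last_ms) victim = b;
  }
  victim->used = 1; victim->addr = addr;
  victim->last_ms = now_ms; victim->milli = FULL;
  return victim;
}

/* Returns 1 if this directory request may be served, 0 to refuse it. */
int dir_request_allowed(uint32_t addr, uint64_t now_ms) {
  struct dir_bucket *b = bucket_for(addr, now_ms);
  if (now_ms > b->last_ms) {   /* refill; ignore a clock that stepped back */
    b->milli += (now_ms - b->last_ms) * DIR_RATE_PER_SEC;
    if (b->milli > FULL) b->milli = FULL;
    b->last_ms = now_ms;
  }
  if (b->milli < COST) return 0;
  b->milli -= COST;
  return 1;
}

/* Replay n requests from addr spaced gap_ms apart; return how many pass. */
int dir_replay(uint32_t addr, uint64_t t0, int n, uint64_t gap_ms) {
  int served = 0;
  for (int i = 0; i < n; i++) served += dir_request_allowed(addr, t0 + (uint64_t)i * gap_ms);
  return served;
}

int main(void) { /* constructed timeline: 192.0.2.1 sends 20 requests in 200 ms */
  printf("burst client served: %d/20\n", dir_replay(0xC0000201u, 0, 20, 10));
  return 0;
}
```

Each address gets its own full bucket, so with a pool of rotating addresses this bounds what one client can request, not the aggregate load.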