mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-11 05:33:47 +01:00
49 lines
1.4 KiB
Plaintext
49 lines
1.4 KiB
Plaintext
|
Filename: 107-uptime-sanity-checking.txt
|
||
|
|
Title: Uptime Sanity Checking
|
||
|
|
Version:
|
||
|
|
Last-Modified:
|
||
|
|
Author: Kevin Buaer and Damon McCoy
|
||
|
|
Created: 8-March-2007
|
||
|
|
Status: Open
|
||
|
|
|
||
|
|
Overview:
|
||
|
|
|
||
|
|
This document describes how to cap the uptime that is used when computing
|
||
|
|
which routers are maked as stable such that highly stable routers cannot
|
||
|
|
be displaced by malicious routers that report extremely high uptime
|
||
|
|
values.
|
||
|
|
|
||
|
|
This is similar to how bandwidth is capped at 1.5MB/s.
|
||
|
|
|
||
|
|
Motivation:
|
||
|
|
|
||
|
|
It has been pointed out that an attacker can displace all stable nodes and
|
||
|
|
entry guard nodes by reporting high uptimes. This is an easy fix that will
|
||
|
|
prevent highly stable nodes from being displaced.
|
||
|
|
|
||
|
|
Security implications:
|
||
|
|
|
||
|
|
It should decrease the effectiveness of routing attacks that report high
|
||
|
|
uptimes while not impacting the normal routing algorithms.
|
||
|
|
|
||
|
|
Specification:
|
||
|
|
|
||
|
|
We propose that uptime be capped at two months. Currently there are
|
||
|
|
approximetly 50 nodes with this amount of uptime, and the average uptime
|
||
|
|
is around 9 days. This cap would prevent these 50 nodes from being
|
||
|
|
displaced by an attacker.
|
||
|
|
|
||
|
|
Compatibility:
|
||
|
|
|
||
|
|
There should be no compatiblity issues due to uptime capping.
|
||
|
|
|
||
|
|
Implementation:
|
||
|
|
|
||
|
|
#define MAX_BELIEVABLE_UPTIME 60*24*60*60
|
||
|
|
dirserv.c
|
||
|
|
1448: *up = (uint32_t) real_uptime(ri, now);
|
||
|
|
if(*up > MAX_BELIEVABLE_UPTIME) {
|
||
|
|
*up = MAX_BELIEVABLE_UPTIME;
|
||
|
|
}
|
||
|
|
|