add changes/ and man entries for stream dos mitigation

trinity-1686a 2023-09-10 16:47:17 +02:00 committed by David Goulet
parent f8b259c2fe
commit 3970ee6a07
2 changed files with 43 additions and 0 deletions

changes/ticket40736 Normal file

@ -0,0 +1,5 @@
o Minor feature (exit relay, DoS(resitance):
- Implement a token-bucket based rate limiter for stream creation and
resolve request. It is configured by the DoSStream* family of
configuration options.
Closes ticket 40736.
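Review bot: the header line of this changes entry is garbled: `o Minor feature (exit relay, DoS(resitance):` has a stray `(` and a misspelling and should read `o Minor feature (exit relay, DoS resistance):`. In the body, `stream creation and resolve request` should be plural, `resolve requests`, since the limiter covers every RESOLVE cell on the circuit, not a single one.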


@ -3037,6 +3037,44 @@ Denial of Service mitigation subsystem described above.
consensus parameter. If not defined in the consensus, the value is 0.
(Default: auto)
The following options are useful only for a exit relay.
[[DoSStreamCreationEnabled]] **DoSStreamCreationEnabled** **0**|**1**|**auto**::
Enable the stream DoS mitigation. If set to 1 (enabled), tor will apply
rate limit on the creation of new streams and dns requests per circuit.
"auto" means use the consensus parameter. If not defined in the consensus,
the value is 0. (Default: auto)
[[DoSStreamCreationDefenseType]] **DoSStreamCreationDefenseType** __NUM__::
This is the type of defense applied to a detected circuit or stream for the
stream mitigation. The possible values are:
+
1: No defense.
+
2: Reject the stream or resolve request.
+
3: Close the circuit creating to many streams.
+
"0" means use the consensus parameter. If not defined in the consensus, the value is 2.
(Default: 0)
[[DoSStreamCreationtRate]] **DoSStreamCreationRate** __NUM__::
The allowed rate of stream cretion from a single circuit per second. Coupled
with the burst (see below), if the limit is reached, actions can be taken
against the stream or circuit (DoSStreamCreationDefenseType). If not defined or
set to 0, it is controlled by a consensus parameter. If not defined in the
consensus, the value is 100. (Default: 0)
[[DoSStreamCreationBurst]] **DoSStreamCreationBurst** __NUM__::
The allowed burst of stream creation from a circuit per second.
See the DoSStreamCreationRate for more details on this detection. If
not defined or set to 0, it is controlled by a consensus parameter. If not
defined in the consensus, the value is 300. (Default: 0)
For onion services, mitigations are a work in progress and multiple options
are currently available.
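Review bot: the anchor `[[DoSStreamCreationtRate]]` has a stray `t` and does not match the option name `**DoSStreamCreationRate**` on the same line, so a cross-reference to `DoSStreamCreationRate` in the rendered manual will not resolve; it should be `[[DoSStreamCreationRate]]`. The DoSStreamCreationBurst text also says `per second`, but in the token-bucket limiter this change introduces the burst is the bucket capacity (how many stream or resolve requests a circuit may make before the per-second rate applies), not a per-second quantity; suggest `The allowed burst of stream creations from a single circuit. This is the size of the token bucket that refills at DoSStreamCreationRate per second.` Smaller wording fixes in the same hunk: `useful only for a exit relay` should be `an exit relay`, `apply rate limit` should be `apply a rate limit`, `dns requests` should be `DNS requests`, `Close the circuit creating to many streams` should be `too many streams`, and `stream cretion` should be `stream creation`.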