From a70be61dd51506755184374cd6b3c78c45296d8f Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Mon, 12 Mar 2007 13:04:20 +0000 Subject: [PATCH] r12154@catbus: nickm | 2007-03-11 23:20:58 -0400 Add "sybil-checking.txt" as "109-no-sharing-ips.txt" svn:r9805 --- doc/spec/proposals/000-index.txt | 1 + doc/spec/proposals/109-no-sharing-ips.txt | 77 +++++++++++++++++++++++ 2 files changed, 78 insertions(+) create mode 100644 doc/spec/proposals/109-no-sharing-ips.txt diff --git a/doc/spec/proposals/000-index.txt b/doc/spec/proposals/000-index.txt index c08bacac30..93d5d0ab1a 100644 --- a/doc/spec/proposals/000-index.txt +++ b/doc/spec/proposals/000-index.txt @@ -27,3 +27,4 @@ Proposals by number: 106 Checking fewer things during TLS handshakes [CLOSED] 107 Uptime Sanity Checking [CLOSED] 108 Base "Stable" Flag on Mean Time Between Failures [OPEN] +109 No more than one server per IP address [OPEN] \ No newline at end of file diff --git a/doc/spec/proposals/109-no-sharing-ips.txt b/doc/spec/proposals/109-no-sharing-ips.txt new file mode 100644 index 0000000000..d1177bf58c --- /dev/null +++ b/doc/spec/proposals/109-no-sharing-ips.txt 
@@ -0,0 +1,77 @@ +Filename: 109-no-sharing-ips.txt +Title: No more than one server per IP address. +Version: +Last-Modified: +Author: Kevin Bauer & Damon McCoy +Created: 9-March-2007 +Status: Open + +Overview: + This document describes a solution to a Sybil attack vulnerability in the + directory servers. Currently, it is possible for a single IP address to + host an arbitrarily high number of Tor routers. We propose that the + directory servers limit the number of Tor routers that may be registered at + a particular IP address to some small (fixed) number, perhaps just one Tor + router per IP address. + + While Tor never uses more than one server from a given /16 in the same + circuit, an attacker with multiple servers in the same place is still + dangerous because he can get around the per-server bandwidth cap that is + designed to prevent a single server from attracting too much of the overall + traffic. + +Motivation: + Since it is possible for an attacker to register an arbitrarily large + number of Tor routers, it is possible for malicious parties to do this to + as part of a traffic analysis attack. + +Security implications: + This countermeasure will increase the number of IP addresses that an + attacker must control in order to carry out traffic analysis. + +Specification: + We propose that the directory servers check if an incoming Tor router IP + address is already registered under another router. If this is the case, + then prevent this router from joining the network. 
+ +Compatibility: + + Upon inspection of a directory server, we found that the following IP + addresses have more than one Tor router: + + Scruples 68.5.113.81 ip68-5-113-81.oc.oc.cox.net 443 + WiseUp 68.5.113.81 ip68-5-113-81.oc.oc.cox.net 9001 + Unnamed 62.1.196.71 pc01-megabyte-net-arkadiou.megabyte.gr 9001 + Unnamed 62.1.196.71 pc01-megabyte-net-arkadiou.megabyte.gr 9001 + Unnamed 62.1.196.71 pc01-megabyte-net-arkadiou.megabyte.gr 9001 + aurel 85.180.62.138 e180062138.adsl.alicedsl.de 9001 + sokrates 85.180.62.138 e180062138.adsl.alicedsl.de 9001 + moria1 18.244.0.188 moria.mit.edu 9001 + peacetime 18.244.0.188 moria.mit.edu 9100 + + There may exist compatibility issues with this proposed fix. Reasons why + more than one server would share an IP address include: + + * Testing. moria1, moria2, peacetime, and other morias all run on one + computer at MIT, because that way we get testing. Moria1 and moria2 are + run by Roger, and peacetime is run by Nick. + * NAT. If there are several servers but they port-forward through the same + IP address, ... we can hope that the operators coordinate with each + other. Also, we should recognize that while they help the network in + terms of increased capacity, they don't help as much as they could in + terms of location diversity. But our approach so far has been to take + what we can get. + * People who have more than 1.5MB/s and want to help out more. For + example, for a while Tonga was offering 10MB/s and its Tor server + would only make use of a bit of it. So Roger suggested that he run + two Tor servers, to use more. + +Alternatives: + + Roger suggested that instead of capping number of servers per IP to 1, we + should cap total declared bandwidth per IP to some N, and total declared + servers to some M. (He suggested N=5MB/s and M=5.) + + Roger also suggested that rather than not listing servers, we mark them as + not Valid. +
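Review bot: In the 000-index.txt hunk, the added line "+109 No more than one server per IP address [OPEN]" is followed by "\ No newline at end of file", so the index now ends without a trailing newline. Terminate that line with a newline, so that the next proposal appended to the index shows up as a one-line addition rather than as a modification of this entry.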
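Review bot: The Specification section of 109-no-sharing-ips.txt is not precise enough to implement. It says to "prevent this router from joining the network" when the IP address "is already registered under another router", but it does not say which of the routers sharing the address is kept, nor whether the directory server refuses the router outright or lists it as not Valid, as the Alternatives section mentions. It also disagrees with the Overview, which allows "some small (fixed) number, perhaps just one" per address, while the title and Specification fix the limit at one. With a limit of one, the moria1 and peacetime pair at 18.244.0.188 listed under Compatibility would lose a server. Suggest stating the limit as a named value, the rule for choosing which router stays, and the exact action the directory server takes. Separately, "to do this to as part of a traffic analysis attack" in Motivation has a stray "to", and the "Version:" and "Last-Modified:" header fields are left empty.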