mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-27 22:03:31 +01:00
r12154@catbus: nickm | 2007-03-11 23:20:58 -0400
Add "sybil-checking.txt" as "109-no-sharing-ips.txt" svn:r9805
This commit is contained in:
parent
f4913b4070
commit
a70be61dd5
@ -27,3 +27,4 @@ Proposals by number:
|
||||
106 Checking fewer things during TLS handshakes [CLOSED]
|
||||
107 Uptime Sanity Checking [CLOSED]
|
||||
108 Base "Stable" Flag on Mean Time Between Failures [OPEN]
|
||||
109 No more than one server per IP address [OPEN]
|
77
doc/spec/proposals/109-no-sharing-ips.txt
Normal file
77
doc/spec/proposals/109-no-sharing-ips.txt
Normal file
@ -0,0 +1,77 @@
|
||||
Filename: 109-no-sharing-ips.txt
|
||||
Title: No more than one server per IP address.
|
||||
Version:
|
||||
Last-Modified:
|
||||
Author: Kevin Bauer & Damon McCoy
|
||||
Created: 9-March-2007
|
||||
Status: Open
|
||||
|
||||
Overview:
|
||||
This document describes a solution to a Sybil attack vulnerability in the
|
||||
directory servers. Currently, it is possible for a single IP address to
|
||||
host an arbitrarily high number of Tor routers. We propose that the
|
||||
directory servers limit the number of Tor routers that may be registered at
|
||||
a particular IP address to some small (fixed) number, perhaps just one Tor
|
||||
router per IP address.
|
||||
|
||||
While Tor never uses more than one server from a given /16 in the same
|
||||
circuit, an attacker with multiple servers in the same place is still
|
||||
dangerous because he can get around the per-server bandwidth cap that is
|
||||
designed to prevent a single server from attracting too much of the overall
|
||||
traffic.
|
||||
|
||||
Motivation:
|
||||
Since it is possible for an attacker to register an arbitrarily large
|
||||
number of Tor routers, it is possible for malicious parties to do this to
|
||||
as part of a traffic analysis attack.
|
||||
|
||||
Security implications:
|
||||
This countermeasure will increase the number of IP addresses that an
|
||||
attacker must control in order to carry out traffic analysis.
|
||||
|
||||
Specification:
|
||||
We propose that the directory servers check if an incoming Tor router IP
|
||||
address is already registered under another router. If this is the case,
|
||||
then prevent this router from joining the network.
|
||||
|
||||
Compatibility:
|
||||
|
||||
Upon inspection of a directory server, we found that the following IP
|
||||
addresses have more than one Tor router:
|
||||
|
||||
Scruples 68.5.113.81 ip68-5-113-81.oc.oc.cox.net 443
|
||||
WiseUp 68.5.113.81 ip68-5-113-81.oc.oc.cox.net 9001
|
||||
Unnamed 62.1.196.71 pc01-megabyte-net-arkadiou.megabyte.gr 9001
|
||||
Unnamed 62.1.196.71 pc01-megabyte-net-arkadiou.megabyte.gr 9001
|
||||
Unnamed 62.1.196.71 pc01-megabyte-net-arkadiou.megabyte.gr 9001
|
||||
aurel 85.180.62.138 e180062138.adsl.alicedsl.de 9001
|
||||
sokrates 85.180.62.138 e180062138.adsl.alicedsl.de 9001
|
||||
moria1 18.244.0.188 moria.mit.edu 9001
|
||||
peacetime 18.244.0.188 moria.mit.edu 9100
|
||||
|
||||
There may exist compatibility issues with this proposed fix. Reasons why
|
||||
more than one server would share an IP address include:
|
||||
|
||||
* Testing. moria1, moria2, peacetime, and other morias all run on one
|
||||
computer at MIT, because that way we get testing. Moria1 and moria2 are
|
||||
run by Roger, and peacetime is run by Nick.
|
||||
* NAT. If there are several servers but they port-forward through the same
|
||||
IP address, ... we can hope that the operators coordinate with each
|
||||
other. Also, we should recognize that while they help the network in
|
||||
terms of increased capacity, they don't help as much as they could in
|
||||
terms of location diversity. But our approach so far has been to take
|
||||
what we can get.
|
||||
* People who have more than 1.5MB/s and want to help out more. For
|
||||
example, for a while Tonga was offering 10MB/s and its Tor server
|
||||
would only make use of a bit of it. So Roger suggested that he run
|
||||
two Tor servers, to use more.
|
||||
|
||||
Alternatives:
|
||||
|
||||
Roger suggested that instead of capping number of servers per IP to 1, we
|
||||
should cap total declared bandwidth per IP to some N, and total declared
|
||||
servers to some M. (He suggested N=5MB/s and M=5.)
|
||||
|
||||
Roger also suggested that rather than not listing servers, we mark them as
|
||||
not Valid.
|
||||
|
Loading…
Reference in New Issue
Block a user